Abstract
PurposeThe expertise of a system administrator is believed to be important for effective use of intrusion detection systems (IDS). This paper examines two hypotheses concerning the system administrators' ability to filter alarms produced by an IDS by comparing the performance of an IDS to the performance of a system administrator using the IDS.Design/methodology/approachAn experiment was constructed where five computer networks are attacked during four days. The experiment assessed difference made between the output of a system administrator using an IDS and the output of the IDS alone. The administrator's analysis process was also investigated through interviews.FindingsThe experiment shows that the system administrator analysing the output from the IDS significantly improves the portion of alarms corresponding to attacks, without decreasing the probability that an attack is detected significantly. In addition, an analysis is made of the types of expertise that is used when output from the IDS is processed by the administrator.Originality/valuePrevious work, based on interviews with system administrators, has suggested that competent system administrators are important in order to achieve effective IDS solutions. This paper presents a quantitative test of the value system administrators add to the intrusion detection solution.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
