Zurich Research Laboratory
GSAL :: Past Projects
One problem in intrusion detection is that the methods used are not perfect: an intrusion detection system (IDS) may miss attacks (false negatives) or report false alarms (false positives).
To analyze IDSes, the Thor project specified, designed, and implemented a tool that automatically launches attacks and collects the alarms reported by the IDSes under test. Thor launches variations of each attack so that more precise statements can be made about the detection capabilities of an IDS: a signature that fires on the plain form of an attack but stays silent on an equivalent variation of it reveals a gap in what the IDS actually covers. An important feature of Thor is that it attempts to evade the IDSes autonomously by varying the attacks it launches.
To detect attacks more reliably and to increase the coverage of detected attacks, more than one IDS can be installed in a production environment; several heterogeneous systems are more likely to detect a given attack than any one of them alone. Correlating the alarms of the different IDSes is an important issue in ongoing research and raises some interesting problems. One of them is understanding how different IDSes react to the same attack. For this purpose, Thor can be used to generate so-called correlation tables: for each attack and each of its variations, the table records which IDSes raised an alarm and what they reported.
There are two other scenarios in which Thor can be used. First, network devices can be analyzed for their influence on what an IDS observes: attacks are routed through a network device, and the alarms generated are compared with those from the same attacks sent without the device in the path. Second, the tool can be used to assess IDSes in a production environment, to check whether they are tuned correctly for that specific environment.
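As an added illustration (this is example code written for this page, not Thor's own implementation, and its attack names, IDS names and alarm records are all constructed), the following script shows what a Thor-style harness does with the alarms it collects: it builds the correlation table described above, measures how much a second heterogeneous IDS adds to coverage, lists the variations that evaded each IDS although the plain attack was caught, and compares the alarms from attacks sent directly with those from the same attacks routed through a network device.

```python
"""Build IDS correlation tables from collected alarms (added example, not Thor's code).

All run, attack, variant, IDS and signature names below are constructed
for illustration; nothing here is taken from a real product.
"""
from collections import defaultdict

# Constructed: each run launches one variant of one attack.
# (run id, attack, variant); "plain" is the unmodified attack.
RUNS = [
    ("r1", "dir-traversal", "plain"),
    ("r2", "dir-traversal", "url-encoded"),
    ("r3", "dir-traversal", "double-slash"),
    ("r4", "long-uri", "plain"),
    ("r5", "long-uri", "fragmented"),
]
IDSES = ["ids-A", "ids-B"]  # hypothetical IDSes under test

# Constructed: alarms collected with attacks sent straight to the target.
# (run id, IDS, signature name as that IDS reports it)
ALARMS_DIRECT = [
    ("r1", "ids-A", "WEB-TRAVERSAL"),
    ("r1", "ids-B", "http_path_dotdot"),
    ("r2", "ids-B", "http_path_dotdot"),
    ("r3", "ids-A", "WEB-TRAVERSAL"),
    ("r4", "ids-A", "WEB-LONG-URI"),
    ("r4", "ids-B", "http_uri_len"),
    ("r4", "ids-B", "http_generic_anomaly"),
]

# Constructed: the same runs routed through a device that rewrites requests,
# so ids-A now fires on the url-encoded variant but no longer on double-slash.
ALARMS_VIA_DEVICE = [a for a in ALARMS_DIRECT if a != ("r3", "ids-A", "WEB-TRAVERSAL")]
ALARMS_VIA_DEVICE.append(("r2", "ids-A", "WEB-TRAVERSAL"))


def correlation_table(runs, alarms, idses):
    """Map (attack, variant) -> {ids: sorted signatures that IDS fired}.

    An empty list is a miss: that IDS stayed silent on that variant. Each
    IDS names the same attack differently; the table puts them side by side.
    """
    fired = defaultdict(lambda: defaultdict(set))
    for run_id, ids, sig in alarms:
        fired[run_id][ids].add(sig)
    return {
        (attack, variant): {ids: sorted(fired[run_id][ids]) for ids in idses}
        for run_id, attack, variant in runs
    }


def detection_rate(table, ids):
    """Fraction of launched variants on which ids raised at least one alarm."""
    return sum(1 for row in table.values() if row[ids]) / len(table)


def combined_coverage(table):
    """Fraction of variants caught by at least one IDS: what heterogeneous
    IDSes running side by side buy over the best single one."""
    return sum(1 for row in table.values() if any(row.values())) / len(table)


def evading_variants(table, ids):
    """Variants that slipped past ids although the plain attack was caught,
    i.e. the evasions that attack variation reveals."""
    evaded = []
    for (attack, variant), row in table.items():
        plain_row = table.get((attack, "plain"), {})
        if variant != "plain" and not row[ids] and plain_row.get(ids):
            evaded.append((attack, variant))
    return sorted(evaded)


def device_influence(table_direct, table_via, ids):
    """(lost, gained): variants ids caught only without / only with the device in the path."""
    lost = sorted(k for k in table_direct if table_direct[k][ids] and not table_via[k][ids])
    gained = sorted(k for k in table_direct if table_via[k][ids] and not table_direct[k][ids])
    return lost, gained


if __name__ == "__main__":
    direct = correlation_table(RUNS, ALARMS_DIRECT, IDSES)
    via = correlation_table(RUNS, ALARMS_VIA_DEVICE, IDSES)
    for key, row in direct.items():
        print(key, row)
    for ids in IDSES:
        print(ids, "detection rate", detection_rate(direct, ids),
              "evaded by", evading_variants(direct, ids))
    print("combined coverage", combined_coverage(direct))
    print("device influence on ids-A", device_influence(direct, via, "ids-A"))
```

In the constructed data each IDS alone catches 3 of 5 variants, but together they catch 4 of 5, and each is evaded by a different encoding of the same attack, which is the kind of statement a correlation table built from varied attacks supports and a single-IDS pass/fail run does not.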