ATTACKS CLASSIFICATION FOR EVALUATING INTRUSION DETECTION SYSTEM

Mohammed Saber, Toumi Bouchentouf, Abdelhamid Benazzi and Mostafa Azizi
Laboratory MATSI (ENSAO): Laboratory of Applied Mathematics, Signal Processing and Computer Science, Department of Computer Science, National School of Applied Sciences, Oujda, Mohammed First University
ESTO BP 473, Al Qods academic complex, Oujda 60000 (Morocco)

ABSTRACT

This paper describes an improvement of the GadElrab et al. taxonomy for both testing and evaluating intrusion detection systems (IDS). The new taxonomy generates a reduced number of test cases by applying the Classification Tree Method (CTM).

KEYWORDS

Attack Classification, Classification Tree Method, IDS, Evaluation.

1. INTRODUCTION

The number and complexity of computer attacks against information systems has increased in recent years. This raises several problems for IDS evaluators: for a given IDS, how will it behave against intrusions or attack attempts? A further problem arises during IDS assessment, namely that of attack classification [1], because it is hard to examine all attacks exhaustively. A possible solution to this problem is to use the equivalence class technique of software testing [2] in order to reduce the number of test cases. The underlying observation is that test cases belonging to the same class stimulate the same software components under the same conditions, and should therefore produce equivalent results. This approach has been used to set up test cases for the different attack classes when testing and evaluating IDS.
In this paper we are interested in attack classifications rather than in attack detection methods. We adopt Webster's [3] suggestion of treating "taxonomy" and "classification" as synonyms, even though classification is defined as the systematic arrangement into groups or categories according to established criteria, while taxonomy is defined as the study of the general principles of scientific classification.

Since attacks exploit the vulnerabilities of a computer system, several attempts have been made in recent years to classify vulnerabilities. This has led to the building of vulnerability databases such as the Common Vulnerabilities and Exposures (CVE) [4] of MITRE or the Open Source Vulnerability Database [5]. Several research works have tried to classify attacks, for instance [6], [1], [7], [8], [9], [10], [11], [12], [13], [14] and [15]. However, these classification techniques do not share the same objectives, and no complete and widely accepted classification has been established. A notable contribution is [16], a classification that takes into account the suggestions of earlier classifications. In this paper we study this last classification and propose an improvement that reduces the number of tests generated per class. We use the Classification Tree Method (CTM) [17], [18] and its supporting tool, the Classification Tree Editor (CTE) [17], to obtain an easy and semi-automatic selection of attack test cases.

This paper is organized as follows. In the second section we give an overview of the existing classifications and discuss that classification in detail. In the third section, we present our improvement of the

ISBN: 978-972-8939-19-9 © 2010 IADIS 166
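The reduction the introduction describes, replacing the exhaustive product of all attack classes with a much smaller suite chosen by the Classification Tree Method, can be made concrete with a small script. The following is an added example and is not code from the paper, from the GadElrab et al. taxonomy, or from the CTE tool; the classification tree (the classifications "source", "privilege", "target", "effect" and their classes) is a constructed, hypothetical one used only for illustration. It implements three CTM-style combination criteria: the exhaustive Cartesian product, the "minimal combination" criterion (every class exercised at least once) and a greedy pairwise criterion (every pair of classes from two classifications exercised together at least once), and checks the coverage each suite achieves.

```python
from itertools import product, combinations, cycle, islice

# Constructed (hypothetical) classification tree. The paper's taxonomy is not
# reproduced here; these classifications and classes are illustrative only.
ATTACK_TREE = {
    "source":    ["local", "remote"],
    "privilege": ["none", "user", "root"],
    "target":    ["host", "network", "application"],
    "effect":    ["denial_of_service", "information_leak", "gain_privilege", "none"],
}


def all_combinations(tree):
    """Exhaustive suite: one test case per combination of classes (Cartesian product)."""
    names = list(tree)
    return [dict(zip(names, combo)) for combo in product(*(tree[n] for n in names))]


def minimal_combinations(tree):
    """CTM 'minimal combination' criterion: every class of every classification
    appears in at least one case. The suite size equals the size of the largest
    classification; smaller classifications are cycled so none of their classes
    is left out."""
    names = list(tree)
    width = max(len(classes) for classes in tree.values())
    columns = [list(islice(cycle(tree[n]), width)) for n in names]
    return [dict(zip(names, row)) for row in zip(*columns)]


def _covers(case, pair):
    """True if a test case exercises both classes of a (classification, class) pair."""
    (a, ca), (b, cb) = pair
    return case[a] == ca and case[b] == cb


def pairwise_combinations(tree):
    """Greedy 2-wise coverage: every pair of classes from two different
    classifications appears together in at least one case. Each round picks the
    candidate case that covers the most still-uncovered pairs."""
    names = list(tree)
    uncovered = {((a, ca), (b, cb))
                 for a, b in combinations(names, 2)
                 for ca in tree[a] for cb in tree[b]}
    candidates = all_combinations(tree)
    suite = []
    while uncovered:
        best = max(candidates, key=lambda c: sum(_covers(c, p) for p in uncovered))
        newly = {p for p in uncovered if _covers(best, p)}
        if not newly:
            break  # cannot happen with a full candidate set, kept as a guard
        suite.append(best)
        uncovered -= newly
    return suite


def covers_all_classes(suite, tree):
    """Check the minimal-combination criterion for a given suite."""
    return all(any(case[n] == cls for case in suite)
               for n, classes in tree.items() for cls in classes)


def covers_all_pairs(suite, tree):
    """Check the pairwise criterion for a given suite."""
    names = list(tree)
    return all(any(_covers(case, ((a, ca), (b, cb))) for case in suite)
               for a, b in combinations(names, 2)
               for ca in tree[a] for cb in tree[b])


if __name__ == "__main__":
    full = all_combinations(ATTACK_TREE)
    minimal = minimal_combinations(ATTACK_TREE)
    pairwise = pairwise_combinations(ATTACK_TREE)
    print(f"exhaustive: {len(full)} cases")
    print(f"minimal combination: {len(minimal)} cases, "
          f"all classes covered: {covers_all_classes(minimal, ATTACK_TREE)}")
    print(f"pairwise: {len(pairwise)} cases, "
          f"all pairs covered: {covers_all_pairs(pairwise, ATTACK_TREE)}")
    for case in pairwise:
        print("  ", case)
```

Run as a script, it prints the three suite sizes and the pairwise cases. For an IDS evaluator the interesting quantity is the gap between the exhaustive count (72 for this constructed tree) and the reduced suites (4 cases for minimal combination, well under 72 for pairwise): each reduced case still stands for an equivalence class of attacks expected to exercise the detector in the same way, which is exactly the rationale the introduction gives for applying equivalence-class testing to attack taxonomies. A real evaluation would replace the constructed tree with the classifications of the taxonomy under study.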