GB/T 20275-2013 English PDF (GBT20275-2013)

GB/T 20275-2013: Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion detection system

This Standard specifies the technical requirements and testing-evaluation approaches for network-based intrusion detection system, including security function requirements, self-security functional requirements, security assurance requirements and testing-evaluation approaches; and it proposes the level classification requirements for network-based intrusion detection system.
GB/T 20275-2013
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20275-2006
Information Security Technology -
Technical Requirements and Testing and
Evaluation Approach for Network-Based
Intrusion Detection System
ISSUED ON: DECEMBER 31, 2013
IMPLEMENTED ON: JULY 15, 2014
Issued by:
General Administration of Quality Supervision, Inspection
and Quarantine of the People's Republic of China;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions ... 5
4 Abbreviations ... 7
5 Level Classification of Network-Based Intrusion Detection System ... 8
5.1 Level Classification ... 8
5.2 Level Classification Table ... 8
6 Technical Requirements for Network-Based Intrusion Detection System ... 12
6.1 Level-1 ... 12
6.2 Level-2 ... 19
6.3 Level-3 ... 30
7 Testing-evaluation Approaches for Network-Based Intrusion Detection System ... 44
7.1 Testing Environment ... 44
7.2 Testing Tool ... 45
7.3 Level-1 ... 45
7.4 Level-2 ... 69
7.5 Level-3 ... 105
Reference ... 150
Foreword
This Standard is drafted according to the rules of GB/T 1.1-2009.
This Standard replaces GB/T 20275-2006 Information Security Technology - Technical Requirements and Testing-evaluation Approaches for Intrusion Detection System.
Compared with GB/T 20275-2006, this Standard has the following main changes:
- The standard name is revised to Information Security Technology - Technical Requirements and Testing-evaluation Approaches for Network-Based Intrusion Detection System.
- Technical requirements and testing-evaluation approaches for host intrusion detection system, as described in GB/T 20275-2006, are deleted;
- "Analysis mode" in GB/T 20275-2006 is deleted (see 6.1.1.2.2, 2006 edition);
- "Window definition" in GB/T 20275-2006 is deleted (see 6.2.1.4.1, 2006 edition);
- Performance requirements for "maximum monitored traffic", "maximum monitored concurrent connections" and "maximum monitored new TCP connection rate" are added;
- Security function requirements and testing-evaluation approaches for "hardware failure processing" and "double-machine hot-standby" are added;
- Self-security functional requirements and testing-evaluation approaches for "console authentication" and "identification uniqueness" are added;
- The grade of "blocking capacity", "system upgrade", "report customizing" and "response customizing" in GB/T 20275-2006 is adjusted.
This Standard was proposed by, and is under the jurisdiction of, the National Technical Committee on Information Technology Security of the Standardization Administration of China (SAC/TC 260).
Certain content of this document may involve patents. The issuing organization of this Standard shall not undertake the responsibility of identifying these patents.
Drafting organizations of this Standard: Ministry of Public Security Computer Information System Security Product Quality Supervision Testing Center, Venustech Co., Ltd. and Bureau for Network Security of Ministry of Public Security.
Main drafters of this Standard: Song Haohao, Gu Jian, Zhang Xiaoxiao, Li Yi, Wu Qicong and Zhang Yan.
Information Security Technology - Technical
Requirements and Testing and Evaluation Approach
for Network-Based Intrusion Detection System
1 Scope
This Standard specifies the technical requirements and testing-evaluation approaches for network-based intrusion detection system, including security function requirements, self-security functional requirements, security assurance requirements and testing-evaluation approaches; and it proposes the level classification requirements for network-based intrusion detection system.
This Standard is applicable to the design, development and testing-evaluation of network-based intrusion detection system.
2 Normative References
The following documents are essential to the application of this document. For dated references, only the version with the date indicated applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 18336.1-2008 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 1: Introduction and General Model
GB/T 25069-2010 Information Security Technology - Glossary
3 Terms and Definitions
For the purposes of this document, the following terms and definitions and those established in GB/T 18336.1-2008 and GB/T 25069-2010 apply.
3.1
Event
A record of the occurrence or modification of a system, service or network state; it may serve as a basis for security incident analysis.
3.2
Incident
An occurrence of a system, service or network state, identified through the analysis and processing of events, that indicates a possible breach of security rules or failure of some protective measure, or a previously unknown situation that is likely to be security-related; such an occurrence is very likely to harm business operation and threaten information security.
3.3
Intrusion
Any behavior that harms or possibly harms the resource integrity, confidentiality or availability.
3.4
Intrusion detection
The discovery of behaviors that breach the security policy, and of attacks on the network or system, by collecting and analyzing information from several key points in a computer network or computer system.
3.5
Network-based intrusion detection system
An intrusion detection system that takes network data packets as its data source, monitoring and analyzing all data packets within the protected network in order to find abnormal behavior.
3.6
Sensor
A module of an intrusion detection system that collects, in real time, events likely to indicate intrusion behavior or misuse of information system resources, and makes a preliminary analysis of the information collected.
3.7
Alert
An urgent notice sent from the network-based intrusion detection system to the authorized administrator in the case of an attack or intrusion.
3.8
Response
Behavior, in the case of an attack or intrusion, that is aimed at protecting the information system and stored data and restoring them to the normal operating environment.
3.9
False positives
The network-based intrusion detection system raises an alarm when no attack has occurred, i.e. it sends a false alarm.
3.10
False negative
The network-based intrusion detection system fails to raise an alarm when an attack occurs.
4 Abbreviations
For the purpose of this document, the following abbreviations apply.
ARP: Address Resolution Protocol
DNS: Domain Name System
FTP: File Transfer Protocol
HTML: Hypertext Markup Language
HTTP: Hypertext Transfer Protocol
ICMP: Internet Control Message Protocol
IMAP: Internet Message Access Protocol
IP: Internet Protocol
NFS: Network File System
POP3: Post Office Protocol 3
RIP: Routing Information Protocol
RPC: Remote Procedure Call
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
TCP: Transport Control Protocol
TELNET: Telecommunication Network
TFTP: Trivial File Transfer Protocol
UDP: User Datagram Protocol
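The terms in clause 3 (sensor, alert, false positive, false negative) describe a pipeline: a sensor inspects packets, raises alerts, and the quality of those alerts is judged by how many attacks it misses and how many alarms it raises on benign traffic. The following Python program is an added illustration written for this page, not text or code from GB/T 20275-2013. The packets, the ground truth, the two byte-pattern signatures and the port-scan thresholds are all constructed for the example; the "sensitive_file" signature is deliberately too broad so that the evaluation shows a false positive (clause 3.9) alongside the true detections.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    kind: str       # name of the signature or anomaly rule that fired


# Constructed sample traffic (not captured data): two benign web requests,
# a sweep of 25 ports from 10.0.0.9, one traversal attempt from 10.0.0.7 and a
# benign request whose URL happens to contain the word "passwd".
SAMPLE_PACKETS = [
    Packet(0.00, "192.168.1.5", "10.0.0.1", 80, b"GET /index.html HTTP/1.1"),
    Packet(0.10, "192.168.1.6", "10.0.0.1", 443, b""),
    *[Packet(0.20 + i * 0.001, "10.0.0.9", "10.0.0.1", 20 + i, b"") for i in range(25)],
    Packet(0.50, "10.0.0.7", "10.0.0.1", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    Packet(0.60, "192.168.1.5", "10.0.0.1", 80, b"GET /docs/passwd-policy.html HTTP/1.1"),
]

# Constructed ground truth, used only to evaluate the sensor: sources that really attacked.
GROUND_TRUTH = {"10.0.0.9", "10.0.0.7"}

# Signature rules (constructed): byte patterns matched against the payload.
# "sensitive_file" is deliberately too broad so the evaluation shows a false positive.
SIGNATURES = {
    "path_traversal": b"../",
    "sensitive_file": b"passwd",
}

# Anomaly rule (constructed thresholds): a source touching more than SCAN_PORTS
# distinct destination ports within SCAN_WINDOW seconds is reported as a port scan.
SCAN_PORTS = 10
SCAN_WINDOW = 1.0


def run_sensor(packets):
    """Sensor (clause 3.6): inspect every packet and return the alerts raised, in time order."""
    alerts = []
    ports_seen = defaultdict(list)   # src -> [(ts, dport), ...] within the window
    scan_reported = set()            # report each scanning source only once
    for pkt in sorted(packets, key=lambda p: p.ts):
        # Signature-based detection on the payload.
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                alerts.append(Alert(pkt.ts, pkt.src, name))
        # Anomaly-based detection: sliding window of distinct ports per source.
        hist = ports_seen[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        hist[:] = [(t, p) for t, p in hist if pkt.ts - t <= SCAN_WINDOW]
        distinct = {p for _, p in hist}
        if len(distinct) > SCAN_PORTS and pkt.src not in scan_reported:
            scan_reported.add(pkt.src)
            alerts.append(Alert(pkt.ts, pkt.src, "port_scan"))
    return alerts


def evaluate(alerts, ground_truth):
    """Score alerts per source host against ground truth (clauses 3.9 and 3.10)."""
    alerted = {a.src for a in alerts}
    return {
        "true_positives": sorted(alerted & ground_truth),
        "false_positives": sorted(alerted - ground_truth),   # alarm, but no attack
        "false_negatives": sorted(ground_truth - alerted),   # attack, but no alarm
    }


if __name__ == "__main__":
    found = run_sensor(SAMPLE_PACKETS)
    for a in found:
        print(f"{a.ts:.3f} {a.src:12} {a.kind}")
    print(evaluate(found, GROUND_TRUTH))
```

Running the block raises one port_scan alert for 10.0.0.9 (at the eleventh distinct port), two signature alerts for 10.0.0.7 and one sensitive_file alert for the benign host 192.168.1.5; the evaluation therefore reports both attackers as true positives, 192.168.1.5 as a false positive and no false negatives. Tightening the "sensitive_file" pattern, or pairing it with the traversal pattern, removes the false positive without introducing a false negative, which is the trade-off the testing-evaluation clauses of the Standard measure.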
5 Level Classification of Network-Based Intrusion Detection System
5.1 Level Classification
5.1.1 Level-1
This level specifies the minimum security requirements for a network-based intrusion detection system. In this level, the administrator is identified and authenticated by simple means, in order to restrict the functional configuration of the system and control access to data. The administrator is capable of autonomous security protection, preventing illegal users from harming the system and protecting the normal operation of the intrusion detection system.
5.1.2 Level-2
This level introduces different security management roles to refine the management of the intrusion detection system. An added audit function makes the behavior of the authorized administrator traceable. In this level, the system is required to support distributed deployment and centralized management. Protection of system data and measures for secure system operation are added.
5.1.3 Level-3
This level provides a stronger protection for th...