GB/T 20275-2021: Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion detection system
GB/T 20275-2021
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Replacing GB/T 20275-2013
Information Security Technology - Technical Requirements
and Testing and Evaluation Approaches for Network-based
Intrusion Detection System
ISSUED ON: OCTOBER 11, 2021
IMPLEMENTED ON: MAY 1, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Network-based Intrusion Detection System
6 Security Technology Requirements
6.1 Classification and Level Division of Requirements
6.2 Basic-level Security Requirements
6.3 Enhanced-level Security Requirements
7 Testing and Evaluation Approaches
7.1 Test Environment
7.2 Test Tools
7.3 Basic Level
7.4 Enhanced Level
Bibliography
Information Security Technology - Technical Requirements and Testing and Evaluation Approaches for Network-based Intrusion Detection System
1 Scope
This document specifies the security technology requirements and the testing and evaluation approaches for network-based intrusion detection systems.
This document is applicable to the design, development, testing and evaluation of network-based intrusion detection systems.
2 Normative References
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including all amendments) applies.
GB/T 25069 Information Security Techniques - Terminology
3 Terms and Definitions
The terms and definitions given in GB/T 25069 and the following apply to this document.
3.1 security incident
An incident that causes harm to networks and information systems, or to the data they contain.
3.2 alert
A message sent by the network-based intrusion detection system to the authorized administrator when an attack or intrusion occurs.
3.3 supporting system
The operating system on which the network-based intrusion detection system runs.
6.2 Basic-level Security Requirements
6.2.1 Security function requirements
6.2.1.1 Data detection function requirements
6.2.1.1.1 Data collection
When the system performs detection and analysis, it shall be capable of obtaining data packets from the protected network segment in real time.
6.2.1.1.2 Protocol analysis
The system shall perform protocol analysis on the collected data packets.
6.2.1.1.3 Attack behavior monitoring
The system shall monitor at least the following attack behaviors: port scanning, brute-force attacks, malicious code attacks, denial-of-service attacks, buffer overflow attacks, and attacks that exploit weaknesses and vulnerabilities.
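The standard requires monitoring of these attack behaviors but does not prescribe detection logic. The following is an added example, not text or code from GB/T 20275-2021, of the simplest of them: a port scan detector that flags a source probing many distinct ports on one destination inside a sliding time window. The packet layout, the 20-port/10-second thresholds, and the sample traffic (documentation-range addresses, constructed inline) are all assumptions for illustration. The sample deliberately includes a slow scan that the default window does not catch, which is the kind of missed detection counted against the missing-report rate in 6.2.1.6.2.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time, seconds since epoch
    src: str
    dst: str
    dport: int
    syn_only: bool   # TCP SYN without ACK: a connection attempt, as in connect/half-open scans


class PortScanDetector:
    """Alerts when one source probes at least `port_threshold` distinct ports on one
    destination within a sliding `window` of seconds. Both parameters are assumed
    policy values chosen for this example, not figures from the standard."""

    def __init__(self, port_threshold: int = 20, window: float = 10.0):
        self.port_threshold = port_threshold
        self.window = window
        # (src, dst) -> connection attempts (ts, dport) still inside the window
        self._probes: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
        self._alerted: Set[Tuple[str, str]] = set()   # emit one alert per (src, dst) pair

    def observe(self, pkt: Packet) -> Optional[dict]:
        if not pkt.syn_only:
            return None                   # replies and established traffic are not probes
        key = (pkt.src, pkt.dst)
        q = self._probes[key]
        q.append((pkt.ts, pkt.dport))
        while q and pkt.ts - q[0][0] > self.window:
            q.popleft()                   # expire probes that have left the window
        distinct = {dport for _, dport in q}
        if len(distinct) >= self.port_threshold and key not in self._alerted:
            self._alerted.add(key)
            return {
                "type": "port_scan", "src": pkt.src, "dst": pkt.dst,
                "ports": len(distinct), "first_ts": q[0][0], "last_ts": pkt.ts,
            }
        return None


def build_sample_traffic() -> List[Packet]:
    """Constructed traffic (not a real capture): a fast scan of 30 ports in 3 s,
    a slow scan of 30 ports at one probe every 5 s, and a legitimate client
    opening 50 connections to port 443 with the server's SYN/ACK replies."""
    pkts = [Packet(100.0 + i * 0.1, "198.51.100.7", "10.0.0.5", 1 + i, True) for i in range(30)]
    pkts += [Packet(500.0 + i * 5.0, "203.0.113.9", "10.0.0.5", 1 + i, True) for i in range(30)]
    pkts += [Packet(100.0 + i * 0.2, "192.0.2.10", "10.0.0.5", 443, True) for i in range(50)]
    pkts += [Packet(100.0 + i * 0.2, "10.0.0.5", "192.0.2.10", 49152 + i, False) for i in range(50)]
    return sorted(pkts, key=lambda p: p.ts)


def detect(packets: List[Packet], **kwargs) -> List[dict]:
    """Run every packet through a fresh detector and collect the alerts it raises."""
    det = PortScanDetector(**kwargs)
    return [a for a in (det.observe(p) for p in packets) if a is not None]


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for alert in detect(traffic):                 # default window: only the fast scan
        print(alert)
    for alert in detect(traffic, window=200.0):   # wider window: the slow scan too
        print(alert)
```

With the default 10-second window the slow scanner keeps at most three probes in view and is never reported; widening the window to 200 seconds catches it, at the cost of more state per (src, dst) pair. Tuning that trade-off is what the false-alarm and missing-report limits in 6.2.1.6 constrain.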
6.2.1.1.4 Traffic monitoring
The system shall monitor the packet traffic and byte traffic of the entire network, or of a specific protocol, address or port.
6.2.1.2 Intrusion analysis function requirements
6.2.1.2.1 Data analysis
The system shall analyze the collected data packets and find security incidents.
6.2.1.2.2 Incident merging
The system shall be capable of merging alarms for the same security incident when it recurs at high frequency, so as to avoid alarm storms. The high-frequency threshold shall be configurable by the authorized administrator.
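One way to implement the merging requirement above, as an added example that is not part of the standard: the first few alarms for an incident (same incident name, source and destination) are passed through individually, every further alarm within the window is folded into a single merged record, and the record is emitted when the window expires or the stream is flushed. The threshold (how many individual alarms pass before merging starts) and the window length are the administrator-set values; both figures and the sample alarm storm below are assumptions constructed for this example.

```python
from dataclasses import asdict, dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: float     # occurrence time, seconds since epoch
    name: str     # incident name, e.g. "ssh_brute_force"
    level: str    # severity level assigned by the incident library
    src: str
    dst: str


@dataclass
class _Window:
    first_ts: float
    last_ts: float
    count: int = 0        # alarms seen for this incident inside the window
    suppressed: int = 0   # alarms folded into the merged record


class AlarmMerger:
    """Pass through at most `threshold` alarms per incident per `window` seconds,
    then merge the rest into one summary record (assumed policy values)."""

    def __init__(self, threshold: int = 5, window: float = 60.0):
        if threshold < 1:
            raise ValueError("threshold must allow at least one alarm through")
        self.threshold = threshold
        self.window = window
        self._open: Dict[Tuple[str, str, str], _Window] = {}

    def _summary(self, key: Tuple[str, str, str], w: _Window) -> dict:
        name, src, dst = key
        return {"merged": True, "name": name, "src": src, "dst": dst,
                "count": w.count, "suppressed": w.suppressed,
                "first_ts": w.first_ts, "last_ts": w.last_ts}

    def process(self, alert: Alert) -> List[dict]:
        out: List[dict] = []
        key = (alert.name, alert.src, alert.dst)
        w = self._open.get(key)
        if w is not None and alert.ts - w.first_ts > self.window:
            if w.suppressed:
                out.append(self._summary(key, w))   # close the expired window
            w = None
        if w is None:
            w = _Window(first_ts=alert.ts, last_ts=alert.ts)
            self._open[key] = w
        w.count += 1
        w.last_ts = alert.ts
        if w.count <= self.threshold:
            out.append({"merged": False, **asdict(alert)})   # below threshold: pass through
        else:
            w.suppressed += 1                                # above threshold: merge
        return out

    def flush(self) -> List[dict]:
        """Emit summaries for every window that absorbed alarms, then reset."""
        out = [self._summary(k, w) for k, w in self._open.items() if w.suppressed]
        self._open.clear()
        return out


def build_sample_alerts() -> List[Alert]:
    """Constructed alarm stream: a 200-alarm brute-force storm in 10 s, three
    unrelated alarms, and one late repeat after the window has expired."""
    alerts = [Alert(1000.0 + i * 0.05, "ssh_brute_force", "high", "198.51.100.7", "10.0.0.5")
              for i in range(200)]
    alerts += [Alert(1003.0, "port_scan", "medium", "203.0.113.9", "10.0.0.5"),
               Alert(1004.0, "ssh_brute_force", "high", "203.0.113.9", "10.0.0.5"),
               Alert(1005.0, "buffer_overflow", "high", "198.51.100.7", "10.0.0.8"),
               Alert(2000.0, "ssh_brute_force", "high", "198.51.100.7", "10.0.0.5")]
    return sorted(alerts, key=lambda a: a.ts)


def run_merger(alerts: List[Alert], threshold: int = 5, window: float = 60.0) -> List[dict]:
    merger = AlarmMerger(threshold, window)
    out: List[dict] = []
    for a in alerts:
        out.extend(merger.process(a))
    out.extend(merger.flush())
    return out


if __name__ == "__main__":
    for record in run_merger(build_sample_alerts()):
        print(record)
```

The storm of 200 alarms reaches the administrator as five individual alarms plus one merged record carrying the total count and time span, while alarms for other sources and incident types are unaffected. Keying on (name, src, dst) is a design choice: keying on the name alone would hide a distributed attack behind a single summary.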
6.2.1.3 Intrusion response function requirements
6.2.1.3.1 Customized response
The system shall allow the administrator to define different response modes for specific destination hosts within the monitored network segment.
6.2.1.3.2 Security alert
When the system detects an intrusion, it shall automatically take the corresponding action and issue a security alert.
6.2.1.3.3 Alert mode
The alert shall be delivered in one or more modes, such as real-time on-screen prompts and e-mail notifications.
6.2.1.4 Management control function requirements
6.2.1.4.1 Graphic interface
The system shall provide the administrator with a graphical interface for administering and configuring the intrusion detection system. This interface shall contain all the functions needed to configure and administer the system.
6.2.1.4.2 Security incident library
The system's security incident library shall include, for each incident, its definition and analysis, detailed vulnerability remediation schemes, and the countermeasures that can be taken.
6.2.1.4.3 Incident level division
The system shall classify incidents by severity, so that authorized administrators can pick out hazardous incidents from a large volume of information.
6.2.1.4.4 Policy configuration
The system shall provide a convenient and fast means of configuring intrusion detection policies, shall be equipped with policy templates, and shall support policy import and export.
6.2.1.4.5 Incident library upgrade
The system shall have the capability of upgrading the incident library.
6.2.1.4.6 System upgrade
The system shall have the capability of upgrading system programs.
6.2.1.4.7 Hardware failure handling
For hardware products, the administrator shall be notified promptly when the hardware fails.
6.2.1.4.8 Port separation
The detectors of the system shall be equipped with separate ports for system administration and for network data monitoring.
6.2.1.4.9 Clock synchronization
The system shall provide a clock synchronization function to keep the time of every system component consistent with the clock server.
6.2.1.5 Detection result processing requirements
6.2.1.5.1 Incident record
The system shall store detected security incidents and record their security incident information.
The security incident information shall include at least the following: occurrence time, source address, destination address, incident level, incident type, incident name, incident definition, detailed analysis of the incident process, and recommended solutions.
6.2.1.5.2 Incident visualization
The administrator shall be able to view security incidents clearly and in real time through the administration interface.
6.2.1.5.3 Report generation
The system shall be able to generate detailed detection result reports.
6.2.1.5.4 Report review
The system shall have the function of browsing the detection result reports.
6.2.1.5.5 Report output
The detection result reports shall be output in a text format that is easy for the administrator to read, including but not limited to WORD, HTML, PDF, WPS or OFD files.
6.2.1.6 Performance requirements
6.2.1.6.1 False alarm rate
The system shall keep its false alarm rate within 15%, and false alarms shall not have a great impact on normal use of the system. A system that supports operation in an IPv6 network environment shall meet the same indicator under IPv6.
6.2.1.6.2 Missing report rate
The system shall keep its missing report (missed detection) rate within 15%, and missed detections shall not have a great impact on the normal ...