GB/T 20275-2013 PDF in English

GB/T 20275-2013 (English): Information security technology -- Technical requirements and testing and evaluation approaches for network-based intrusion detection system. Status: Obsolete.

GB/T 20275-2013
ICS 35.040
L 80
Replacing GB/T 20275-2006
Information Security Technology –
Technical Requirements and Testing and
Evaluation Approach for Network-Based
Intrusion Detection System
Issued by:
General Administration of Quality Supervision, Inspection
and Quarantine of the People's Republic of China;
Standardization Administration of the People's Republic of China
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Level Classification of Network-Based Intrusion Detection System
5.1 Level Classification
5.2 Level Classification Table
6 Technical Requirements for Network-Based Intrusion Detection System
6.1 Level-1
6.2 Level-2
6.3 Level-3
7 Testing-evaluation Approaches for Network-Based Intrusion Detection System
7.1 Testing Environment
7.2 Testing Tool
7.3 Level-1
7.4 Level-2
7.5 Level-3
Reference
Foreword
This Standard is drafted according to the rules of GB/T 1.1-2009.
This Standard replaces GB/T 20275-2006 Information Security Technology - Technical
Requirements and Testing-evaluation Approaches for Intrusion Detection System.
Compared with GB/T 20275-2006, the main changes in this Standard are as follows:
— The standard name is revised to Information Security Technology - Technical
Requirements and Testing-evaluation Approaches for Network-Based
Intrusion Detection System;
— The technical requirements and testing-evaluation approaches for host intrusion
detection systems described in GB/T 20275-2006 are deleted;
— "Analysis mode" in GB/T 20275-2006 is deleted (see the 2006 edition);
— "Window definition" in GB/T 20275-2006 is deleted (see the 2006 edition);
— Performance requirements for "maximum monitored traffic", "maximum
monitored concurrent connections" and "maximum monitored new TCP
connection rate" are added;
— Security function requirements and testing-evaluation approaches for
"hardware failure processing" and "double-machine hot-standby" are added;
— Self-security functional requirements and testing-evaluation approaches for
"console authentication" and "identification uniqueness" are added;
— The grades of "blocking capacity", "system upgrade", "report customizing" and
"response customizing" in GB/T 20275-2006 are adjusted.
This Standard was proposed by, and is under the jurisdiction of, the National
Technical Committee on Information Technology Security of the Standardization
Administration of China (SAC/TC 260).
Certain content of this document may involve patents. The issuing organization of this
Standard does not undertake responsibility for identifying these patents.
Drafting organizations of this Standard: Ministry of Public Security Computer
Information System Security Product Quality Supervision Testing Center, Venustech
Co., Ltd. and Bureau for Network Security of Ministry of Public Security.
Main drafters of this Standard: Song Haohao, Gu Jian, Zhang Xiaoxiao, Li Yi, Wu
Qicong and Zhang Yan.
Information Security Technology - Technical
Requirements and Testing and Evaluation Approach
for Network-Based Intrusion Detection System
1 Scope
This Standard specifies the technical requirements and testing-evaluation approaches
for network-based intrusion detection systems, including security function requirements,
self-security functional requirements, security assurance requirements and
testing-evaluation approaches; it also proposes the level classification requirements for
network-based intrusion detection systems.
This Standard is applicable to the design, development and testing-evaluation of
network-based intrusion detection systems.
2 Normative References
The following documents are essential to the application of this document. For
dated references, only the edition cited applies to this document; for undated
references, the latest edition (including all amendments) applies to this document.
GB/T 18336.1-2008 Information Technology - Security Techniques - Evaluation
Criteria for IT Security - Part 1: Introduction and General Model
GB/T 25069-2010 Information Security Technology - Glossary
3 Terms and Definitions
For the purposes of this document, the following terms and definitions, and those
established in GB/T 18336.1-2008 and GB/T 25069-2010, apply.
Event
A record of an occurrence or modification of system, service or network state; it may
serve as a basis for security event analysis.
Security event
An identified occurrence of a system, service or network state, found by analysing and
processing events, which indicates a possible breach of security rules or a failure of
some protective measure, or indicates a previously unknown situation that is likely to
be security-related; such a case is very likely to harm business operations and threaten
information security.
Intrusion
Any behavior that harms or possibly harms the resource integrity, confidentiality or
Intrusion detection
Collecting and analysing information from several key points in a computer network or
computer system in order to discover behavior that breaches the security policy, or
signs of attack, in the network or system.
Network-based intrusion detection system
An intrusion detection system that takes network data packets as its data source,
monitoring and analysing all packets within the protected network to find abnormal
behavior.
A module of an intrusion detection system that collects, in real time, events likely to
indicate intrusion behavior or misuse of information system resources, and performs a
preliminary analysis of the information collected.
Alarm
An urgent notice sent by the network-based intrusion detection system to the
authorized administrator in case of attack or intrusion.
Response
Action taken, in case of attack or intrusion, to protect the information system and
stored data and to restore them to a normal operating environment.
False positive
The network-based intrusion detection system raises an alarm when no attack has
occurred, or raises an incorrect alarm.
False negative
The network-based intrusion detection system fails to raise an alarm when an attack
occurs.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
ARP: Address Resolution Protocol
DNS: Domain Name System
FTP: File Transfer Protocol
HTML: Hypertext Markup Language
HTTP: Hypertext Transfer Protocol
ICMP: Internet Control Message Protocol
IMAP: Internet Message Access Protocol
IP: Internet Protocol
NFS: Network File System
POP3: Post Office Protocol 3
RIP: Routing Information Protocol
RPC: Remote Procedure Call
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
TCP: Transmission Control Protocol
TELNET: Telecommunication Network
TFTP: Trivial File Transfer Protocol
UDP: User Datagram Protocol
5 Level Classification of Network-Based Intrusion Detection System
5.1 Level Classification
5.1.1 Level-1
This level specifies the minimum security requirements for a network-based intrusion
detection system. At this level, the administrator is identified and authenticated in a
simple manner, so as to restrict the functional configuration of the system and control
access to its data. The administrator is capable of autonomous security protection:
preventing illegal users from harming the system and protecting the normal operation
of the intrusion detection system.
5.1.2 Level-2
This level introduces separate security management roles to refine the management of
the intrusion detection system. An added audit function makes the behavior of the
authorized administrator traceable. At this level, the system is required to support
distributed deployment and centralized management. Protection of system data and
measures for secure system operation are added.
5.1.3 Level-3
This level provides a stronger protection for th...
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.