I. Comparative effectiveness can be achieved by the following:
• Thresholds
• Blacklists
• Whitelists
• Alert Settings
II. Direct students to the point that once implemented, IDPSs are evaluated using two dominant metrics: administrators evaluate the number of attacks detected in a known collection of probes and examine the level of use at which the IDPSs fail.
III. Explain that since developing this collection can be tedious, most IDPS vendors provide testing mechanisms that verify that their systems are performing as expected. Some of these testing processes will enable the administrator to do the following:
• Record and retransmit packets from a real virus or worm scan.
• Record and retransmit packets from a real virus or worm scan with incomplete TCP/IP session connections (missing SYN packets).
• Conduct a real virus or worm attack against a hardened or sacrificial system.