On the self-similarity of synthetic traffic for the evaluation of intrusion detection systems

The difficulty of quantifying the accuracy of intrusion detection tools against real network data mandates that researchers use simulated attack data for the partial evaluation of such tools. In 1998 and 1999 researchers at MIT Lincoln Labs produced datasets both with and without attack data specifically for use by those interested in developing intrusion detection tools. Because self-similarity has been shown to be a statistical property of real network traffic, this paper examines the attack-free datasets for the presence of self-similarity over various time periods. The results offer insight for researchers who may wish to use specific subsets of the data for testing. Where the results indicate a lack of self-similarity in the data, the likely cause was determined to be either a low activity level or traffic dominated by a single protocol, which forces the overall traffic distribution to match that protocol's.
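As an added illustration (not code from the paper), the following Python script applies the aggregated-variance estimate of the Hurst parameter H, one standard test for self-similarity, to two constructed packet-count series: memoryless (i.i.d.) counts of the kind a low-activity trace tends to produce, and the superposition of heavy-tailed ON/OFF sources that is the classic model of self-similar network traffic. All function names and parameter values are this example's own assumptions; only the standard library is used.

```python
import math
import random

def hurst_aggregated_variance(series, min_block=8, max_block=None):
    """Aggregated-variance estimate of H: for self-similar data Var(X^(m)) ~ m^(2H-2),
    where X^(m) averages blocks of size m, so H = 1 + slope/2 on a log-log plot."""
    n = len(series)
    max_block = max_block or n // 64  # keep at least 64 blocks at the coarsest scale
    log_m, log_var = [], []
    m = min_block
    while m <= max_block:
        blocks = [sum(series[i:i + m]) / m for i in range(0, n - n % m, m)]
        mean = sum(blocks) / len(blocks)
        var = sum((b - mean) ** 2 for b in blocks) / (len(blocks) - 1)
        if var > 0:  # skip degenerate scales (e.g. an idle, constant trace)
            log_m.append(math.log(m))
            log_var.append(math.log(var))
        m *= 2
    xb, yb = sum(log_m) / len(log_m), sum(log_var) / len(log_var)
    slope = (sum((x - xb) * (y - yb) for x, y in zip(log_m, log_var))
             / sum((x - xb) ** 2 for x in log_m))
    return 1 + slope / 2

def memoryless_counts(n, rng, mean=50.0, sd=7.0):
    """Constructed packets-per-interval with no memory (i.i.d.); expect H near 0.5."""
    return [max(0.0, rng.gauss(mean, sd)) for _ in range(n)]

def onoff_counts(n, n_sources, alpha, rng):
    """Constructed bursty traffic: ON/OFF sources with Pareto(alpha) burst and idle
    lengths (1 < alpha < 2); their sum is long-range dependent, H = (3 - alpha) / 2."""
    counts = [0] * n
    for _ in range(n_sources):
        t, on = 0, rng.random() < 0.5
        while t < n:
            dur = int(rng.paretovariate(alpha))  # heavy-tailed length, always >= 1
            if on:
                for i in range(t, min(t + dur, n)):
                    counts[i] += 1
            t, on = t + dur, not on
    return counts

def compare(seed=7, n=16384):
    """Return (H of memoryless counts, H of heavy-tailed ON/OFF counts)."""
    rng = random.Random(seed)
    h_flat = hurst_aggregated_variance(memoryless_counts(n, rng))
    h_burst = hurst_aggregated_variance(onoff_counts(n, 64, 1.2, rng))
    return h_flat, h_burst

if __name__ == "__main__":
    print("memoryless H = %.2f, heavy-tailed ON/OFF H = %.2f" % compare())
```

The memoryless series estimates near H = 0.5 while the ON/OFF superposition estimates well above it; running the same estimator over per-interval counts from a candidate evaluation trace is how one checks that the subset chosen for testing still carries the self-similar structure of real traffic.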
