Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation

An intrusion detection evaluation test bed was developed that generated normal traffic similar to that on a government site containing hundreds of users on thousands of hosts. More than 300 instances of 38 different automated attacks were launched against victim UNIX hosts in seven weeks of training data and two weeks of test data. Six research groups participated in a blind evaluation, and results were analyzed for probe, denial-of-service (DoS), remote-to-local (R2L), and user-to-root (U2R) attacks. The best systems detected old attacks that were included in the training data at moderate detection rates, ranging from 63% to 93%, at a false alarm rate of 10 false alarms per day. Detection rates were much worse for new and novel R2L and DoS attacks included only in the test data: the best systems failed to detect roughly half of these new attacks, which included damaging acquisition of root-level privileges by remote users. These results suggest that further research should focus on developing techniques to find new attacks rather than on extending existing rule-based approaches.
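The figures quoted above ("63% to 93% at 10 false alarms per day") are operating points on an ROC curve: a score threshold is chosen so that the false alarms accepted over the test period stay within a per-day budget, and the detection rate is then the fraction of attack instances with at least one alert above that threshold. The Python below is an added example, not code from the paper or the evaluation; it computes such an operating point, breaks the detection rate down by attack category and by old versus new attacks, and sweeps several budgets to obtain ROC points. Every alert, attack identifier, day count and per-day budget is constructed here for illustration (the real evaluation used 10 false alarms per day over two weeks; the sample uses a smaller budget so the data stay short).

```python
"""Detection rate at a fixed false-alarm budget, ROC-style (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    score: float            # IDS confidence; higher means more suspicious
    attack: Optional[str]   # ground-truth attack id this alert matched, or None for a false alarm


@dataclass(frozen=True)
class Attack:
    attack_id: str
    category: str           # one of "probe", "dos", "r2l", "u2r"
    novel: bool             # True if the attack appears only in the test data


# Constructed ground truth: 12 attack instances across the four categories.
ATTACKS = [
    Attack("probe-1", "probe", False), Attack("probe-2", "probe", False), Attack("probe-3", "probe", True),
    Attack("dos-1", "dos", False),     Attack("dos-2", "dos", False),     Attack("dos-3", "dos", True),
    Attack("r2l-1", "r2l", False),     Attack("r2l-2", "r2l", False),
    Attack("r2l-3", "r2l", True),      Attack("r2l-4", "r2l", True),      # r2l-4 never raises an alert
    Attack("u2r-1", "u2r", False),     Attack("u2r-2", "u2r", True),
]

# Constructed IDS output: 15 false alarms plus the alerts that matched attacks.
ALERTS = [Alert(s, None) for s in
          (0.95, 0.91, 0.88, 0.80, 0.72, 0.66, 0.60, 0.55, 0.50, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20)] + [
    Alert(0.97, "probe-1"), Alert(0.85, "probe-2"), Alert(0.70, "probe-3"),
    Alert(0.90, "dos-1"), Alert(0.20, "dos-1"),   # one attack, two alerts: counted once
    Alert(0.62, "dos-2"), Alert(0.40, "dos-3"),
    Alert(0.88, "r2l-1"), Alert(0.75, "r2l-2"),
    Alert(0.66, "r2l-3"),                          # ties the threshold score below: not accepted
    Alert(0.93, "u2r-1"), Alert(0.30, "u2r-2"),
]

TEST_DAYS = 5            # constructed length of the test period
MAX_FA_PER_DAY = 1.0     # constructed budget (the DARPA evaluation used 10 per day)


def threshold_for_false_alarm_budget(alerts, test_days, max_fa_per_day):
    """Return the score above which at most max_fa_per_day * test_days false alarms fall."""
    fa_scores = sorted((a.score for a in alerts if a.attack is None), reverse=True)
    budget = int(max_fa_per_day * test_days)
    if len(fa_scores) <= budget:
        return float("-inf")             # budget never exceeded: accept every alert
    # Alerts strictly above this score admit at most `budget` false alarms (fewer if scores tie).
    return fa_scores[budget]


def detection_rate(alerts, attacks, threshold, category=None, novel=None):
    """Fraction of (optionally filtered) attacks with at least one alert scoring above threshold."""
    selected = [atk for atk in attacks
                if (category is None or atk.category == category)
                and (novel is None or atk.novel == novel)]
    if not selected:
        return None
    detected = {a.attack for a in alerts if a.attack is not None and a.score > threshold}
    return sum(1 for atk in selected if atk.attack_id in detected) / len(selected)


def evaluate(alerts, attacks, test_days, max_fa_per_day):
    """Operating point at the given false-alarm budget, broken down like the evaluation's tables."""
    thr = threshold_for_false_alarm_budget(alerts, test_days, max_fa_per_day)
    fa_per_day = sum(1 for a in alerts if a.attack is None and a.score > thr) / test_days
    return {
        "threshold": thr,
        "false_alarms_per_day": fa_per_day,
        "overall": detection_rate(alerts, attacks, thr),
        "by_category": {c: detection_rate(alerts, attacks, thr, category=c)
                        for c in ("probe", "dos", "r2l", "u2r")},
        "old_attacks": detection_rate(alerts, attacks, thr, novel=False),
        "new_attacks": detection_rate(alerts, attacks, thr, novel=True),
    }


def roc_points(alerts, attacks, test_days, budgets):
    """(false alarms per day, overall detection rate) pairs for a sweep of budgets."""
    return [(r["false_alarms_per_day"], r["overall"])
            for r in (evaluate(alerts, attacks, test_days, b) for b in budgets)]


if __name__ == "__main__":
    for k, v in evaluate(ALERTS, ATTACKS, TEST_DAYS, MAX_FA_PER_DAY).items():
        print(f"{k}: {v}")
    print("ROC points:", roc_points(ALERTS, ATTACKS, TEST_DAYS, (0.0, 1.0, 2.0)))
```

Two details matter in practice and are visible in the sample: an attack is counted as detected once, however many alerts it raises, so alert volume does not inflate the rate; and the threshold is applied as a strict comparison, so an attack whose best alert ties the boundary false alarm (r2l-3 here) is a miss at that budget and only becomes a detection when the budget is loosened.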
