How to Test an IDS?: GENESIDS: An Automated System for Generating Attack Traffic

Evaluating the attack coverage of a signature-based Network Intrusion Detection System (NIDS) is a necessary but difficult task. Often, live or recorded real-world traffic is used. However, firstly, real-world network traffic is hard to come by at larger scale, and the few available traces usually do not contain application-layer payload. Secondly, and more importantly, such traffic contains only very few realistic attacks. So the question remains: how to test a NIDS? We propose GENESIDS, a system that automatically generates user-definable HTTP attacks and thus allows for straightforward creation of network traces (or live traffic) in which the number of different detectable events is confined only by the given attack definitions. By using an input format that follows the Snort syntax, the system can take advantage of thousands of realistic attack definitions. Our system can be used in combination with traffic generators to maintain typical load patterns as background traffic. Our evaluation shows that GENESIDS is able to reliably produce a very broad variation of HTTP attacks. GENESIDS is available as Open Source software.
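As an added illustration of the approach the abstract describes (this is not GENESIDS code and not from the paper), the block below turns a Snort-style rule into one HTTP request that carries every `content` the rule requires, and then checks that the request does so, which is the oracle an IDS coverage test needs. The sample rule, the `ids-test.invalid` host, and the handled subset (plain `content` options with `http_method`, `http_uri`, `http_header` and `http_client_body` modifiers and `|hex|` escapes) are constructed assumptions.

```python
import re

# Constructed rule in Snort-like syntax (sid in the local range; not a real signature).
SAMPLE_RULE = (
    'alert tcp any any -> any 80 (msg:"TEST coverage probe"; '
    'content:"POST"; http_method; content:"/cgi-bin/example.cgi"; http_uri; '
    'content:"User-Agent|3a| IDS-Coverage-Test"; http_header; '
    'content:"mode=test"; http_client_body; sid:1000001; rev:1;)'
)

# content:"..."; optionally followed by one http_* buffer modifier.
OPTION_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)";\s*(http_\w+)?;?')


def decode_content(raw: str) -> bytes:
    """Turn a Snort content string (with |hex| escapes) into the bytes to send."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        if i % 2:  # odd parts sit between | | and are hex bytes
            out += bytes.fromhex(part)
        else:
            out += part.replace('\\"', '"').replace("\\;", ";").replace("\\\\", "\\").encode()
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Group the rule's content matches by the HTTP buffer they must appear in."""
    buffers = {"http_method": [], "http_uri": [], "http_header": [], "http_client_body": []}
    for raw, modifier in OPTION_RE.findall(rule):
        # An unmodified content is placed in the body; unknown http_* buffers are kept
        # so that covers() reports them as unsatisfied rather than silently dropping them.
        buffers.setdefault(modifier or "http_client_body", []).append(decode_content(raw))
    return buffers


def build_request(buffers: dict, host: str = "ids-test.invalid") -> bytes:
    """Assemble a single HTTP/1.1 request that contains every required content."""
    method = b"".join(buffers["http_method"]) or b"GET"
    uri = b"".join(buffers["http_uri"]) or b"/"
    headers = [b"Host: " + host.encode()] + list(buffers["http_header"])  # each content is a header line
    body = b"".join(buffers["http_client_body"])
    if body:
        headers.append(b"Content-Length: " + str(len(body)).encode())
    return method + b" " + uri + b" HTTP/1.1\r\n" + b"\r\n".join(headers) + b"\r\n\r\n" + body


def covers(request: bytes, buffers: dict) -> bool:
    """Oracle for the coverage test: does the generated request carry every content?"""
    return all(c in request for contents in buffers.values() for c in contents)
```

Replaying the generated request against the NIDS under test and comparing the alerts with the rule's sid gives one labelled event per rule, which is the kind of controlled ground truth the abstract argues real-world traces lack.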
