论文信息 - Remodeling and Simulation of Intrusion Detection Evaluation Dataset

Remodeling and Simulation of Intrusion Detection Evaluation Dataset

Although the intrusion detection system (IDS) industry is rapidly maturing, the state of intrusion detection system evaluation is not. Although the off-line dataset evaluation proposed by MIT Lincoln Lab represents a significant undertaking, there remain several issues unsolved in design and modeling of the resulting dataset which may make the evaluation results biased. In this paper we present our efforts to improve on the traffic simulation. Unlike the existing model, our model takes advantage of user-level web mining, automatic user profiling and Enron email dataset etc, which is more reasonable for traffic modeling and simulation. The high fidelity of simulated traffic is shown in experiment. Moreover, different kinds of attacker personalities are profiled and more than 300 instances of 62 different automated attacks are launched against victim hosts and servers. All our efforts try to make the dataset more “real” and therefore be fairer for IDS evaluation.

Chao Xu | Jun Qian | Meilin Shi

[1] John McHugh,et al. Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory , 2000, TSEC.

[2] R. Sekar,et al. Specification-based anomaly detection: a new approach for detecting network intrusions , 2002, CCS '02.

[3] Yiming Yang,et al. The Enron Corpus: A New Dataset for Email Classi(cid:12)cation Research , 2004 .

[4] Salvatore J. Stolfo,et al. A framework for constructing features and models for intrusion detection systems , 2000, TSEC.

[5] Philip K. Chan,et al. Learning nonstationary models of normal network traffic for detecting novel attacks , 2002, KDD.

[6] Peng Ning,et al. An Intrusion Alert Correlator Based on Prerequisites of Intrusions , 2002 .

[7] R.K. Cunningham,et al. Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.