Extending the DARPA off-line intrusion detection evaluations

The 1998 and 1999 DARPA off-line intrusion detection evaluations assessed the performance of intrusion detection systems using realistic background traffic and many examples of realistic attacks. This paper discusses three extensions to these evaluations. First, the Lincoln Adaptable Real-time Information Assurance Testbed (LARIAT) has been developed to simplify intrusion detection development and evaluation. LARIAT allows researchers and operational users to rapidly configure and run real-time intrusion detection and correlation tests with robust background traffic and attacks in their laboratories. Second, "Scenario Datasets" have been crafted to provide examples of multiple component attack scenarios instead of the atomic attacks as found in past evaluations. Third, extensive analysis of the 1999 evaluation data and results has provided understanding of many attacks, their manifestations, and the features used to detect them. This analysis is used to develop models of attacks, intrusion detection systems, and intrusion detection system alerts. Successful models could reduce the need for expensive experimentation, allow proof-of-concept analysis and simulations, and form the foundation of a theory of intrusion detection.
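The evaluations described above scored each system by the fraction of labelled attacks it detected against the false alarms it raised per unit of background traffic, and the alert models mentioned in the last sentences rest on the same bookkeeping. As an added example (not code from the paper, LARIAT, or the evaluation itself), the following Python scores a constructed alert stream against constructed ground truth and turns a set of thresholds into points on a detection-rate versus false-alarms-per-day curve. The matching rule used here (same victim host, alert time inside the attack window plus a slack) is a simplified assumption, not the evaluation's exact criterion; host addresses, attack names, times and scores are all constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Attack:
    """Ground-truth record for one attack instance (constructed)."""
    name: str
    victim: str
    start: float  # seconds since start of the data set
    end: float


@dataclass(frozen=True)
class Alert:
    """One alert emitted by the system under test (constructed)."""
    victim: str
    time: float
    score: float  # detector confidence; higher means more suspicious


# Constructed ground truth: three attacks against two hosts.
ATTACKS: List[Attack] = [
    Attack("portsweep", "10.0.0.5", start=100.0, end=200.0),
    Attack("bufferoverflow", "10.0.0.7", start=1000.0, end=1010.0),
    Attack("dos", "10.0.0.5", start=5000.0, end=5300.0),
]

# Constructed alert stream: some hits, one duplicate, two false alarms.
ALERTS: List[Alert] = [
    Alert("10.0.0.5", time=150.0, score=0.9),   # inside portsweep window
    Alert("10.0.0.5", time=180.0, score=0.6),   # second alert on the same attack
    Alert("10.0.0.7", time=1005.0, score=0.4),  # inside bufferoverflow window, low score
    Alert("10.0.0.9", time=3000.0, score=0.8),  # host never attacked: false alarm
    Alert("10.0.0.5", time=5100.0, score=0.7),  # inside dos window
    Alert("10.0.0.7", time=7000.0, score=0.3),  # right host, wrong time: false alarm
]


def score_alerts(attacks: Iterable[Attack], alerts: Iterable[Alert],
                 threshold: float, slack: float = 60.0) -> Tuple[Set[str], int]:
    """Score alerts at one confidence threshold.

    Returns the set of attack names detected and the number of false alarms.
    An alert at or above the threshold detects an attack when it names the
    same victim host and falls within [start - slack, end + slack]; several
    alerts on one attack still count as a single detection. An above-threshold
    alert that matches no attack is one false alarm.
    """
    attacks = list(attacks)
    detected: Set[str] = set()
    false_alarms = 0
    for alert in alerts:
        if alert.score < threshold:
            continue  # below threshold: the analyst never sees it
        matched = False
        for atk in attacks:
            if alert.victim == atk.victim and atk.start - slack <= alert.time <= atk.end + slack:
                detected.add(atk.name)
                matched = True
        if not matched:
            false_alarms += 1
    return detected, false_alarms


def roc_points(attacks: List[Attack], alerts: List[Alert],
               thresholds: Iterable[float], days: float) -> List[Tuple[float, float]]:
    """Return (false alarms per day, detection rate) for each threshold."""
    points = []
    for threshold in thresholds:
        detected, false_alarms = score_alerts(attacks, alerts, threshold)
        points.append((false_alarms / days, len(detected) / len(attacks)))
    return points


if __name__ == "__main__":
    # Sweep the threshold downward: more detections, but more false alarms.
    for fa_per_day, rate in roc_points(ATTACKS, ALERTS, [0.85, 0.5, 0.0], days=2.0):
        print(f"false alarms/day={fa_per_day:.2f}  detection rate={rate:.2f}")
```

Lowering the threshold from 0.85 to 0.0 moves along the curve from one detected attack with no false alarms to all three attacks detected at one false alarm per day of traffic; the duplicate alert on the portsweep never inflates the detection count, which is the property a per-attack scoring rule is meant to enforce.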
