Several difficulties arise when testing network security algorithms. First, using network data captured at a router does not guarantee that any instances of the security event of interest will be captured. Similarly, if the event of interest is not detected, this does not guarantee that it does not exist in the captured data. Further, such network data is often not publicly available, making comparisons with other detectors difficult. At the other extreme, purely simulated data can be made publicly available and can provide guarantees that the event of interest exists in the data set. However, simulated data often has unintended artifacts and may also incorporate the biases of the particular simulator. In this paper I describe an emulation approach that takes advantage of captured data while using the DETER network to generate realistic traffic for the event of interest. The problem domain was described in terms of seven variables, and the DETER network provided a flexible medium for examining the complete problem domain. The results of a set of experiments using this approach are provided, along with regression equations that describe the expected true and false positive rates.