Analysis of the 1999 DARPA/Lincoln laboratory IDS evaluation data with NetADHICT

Authors:
Carson Brown;Alex Cowperthwaite;Abdulrahman Hijazi;Anil Somayaji
Affiliations:
Carleton Computer Security Lab, School of Computer Science, Carleton University, Ottawa, Ontario, Canada;Carleton Computer Security Lab, School of Computer Science, Carleton University, Ottawa, Ontario, Canada;Carleton Computer Security Lab, School of Computer Science, Carleton University, Ottawa, Ontario, Canada;Carleton Computer Security Lab, School of Computer Science, Carleton University, Ottawa, Ontario, Canada
Venue:
CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Year:
2009

Citing 4
Cited 2

The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
An Active Splitter Architecture for Intrusion Detection and Prevention

IEEE Transactions on Dependable and Secure Computing
NetADHICT: a tool for understanding network traffic

LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference

Detecting, validating and characterizing computer infections in the wild

Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
A methodological overview on anomaly detection

DataTraffic Monitoring and Analysis

Quantified Score

Hi-index	0.00

Visualization

Abstract

The 1999 DARPA/Lincoln Laboratory IDS Evaluation Data has been widely used in the intrusion detection and networking community, even though it is known to have a number of artifacts. Here we show that many of these artifacts, including the lack of damaged or unusual background packets and uniform host distribution, can be easily extracted using NetADHICT, a tool we developed for understanding networks. In addition, using NetADHICT we were able to identify extreme temporal variation in the data, a characteristic that was not identified in past analyses. These results illustrate the utility of NetADHICT in characterizing network traces for experimental purposes.