A database of anomalous traffic for assessing profile based IDS

Authors:
Philippe Owezarski
Affiliations:
CNRS/ LAAS/, 7 Avenue du colonel Roche, F-31077 Toulouse, France, Université/ de Toulouse/, UPS, INSA, INP, ISAE/ LAAS/F-31077 Toulouse, France
Venue:
TMA'10 Proceedings of the Second international conference on Traffic Monitoring and Analysis
Year:
2010

Citing 10
Cited 2

Experimental queueing analysis with long-range dependent packet traffic

IEEE/ACM Transactions on Networking (TON)
Data networks as cascades: investigating the multifractal nature of Internet WAN traffic

Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
Testing and evaluating computer intrusion detection systems

Communications of the ACM
Mining in a data-flow environment: experience in network intrusion detection

KDD '99 Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
On the relationship between file sizes, transport protocols, and self-similar network traffic

ICNP '96 Proceedings of the 1996 International Conference on Network Protocols (ICNP '96)
Non-Gaussian and Long Memory Statistical Characterizations for Internet Traffic with Anomalies

IEEE Transactions on Dependable and Secure Computing
The need for simulation in evaluating anomaly detectors

ACM SIGCOMM Computer Communication Review
LaasNetExp: a generic polymorphic platform for network emulation and experiments

Proceedings of the 4th International Conference on Testbeds and research infrastructures for the development of networks & communities
NADA - network anomaly detection algorithm

DSOM'07 Proceedings of the Distributed systems: operations and management 18th IFIP/IEEE international conference on Managing virtualization of networks and services

MAWILab: combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking

Proceedings of the 6th International COnference
Improving an SVD-based combination strategy of anomaly detectors for traffic labelling

Proceedings of the Asian Internet Engineeering Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper aims at proposing a methodology for evaluating current IDS capabilities of detecting attacks targeting the networks and their services. This methodology tries to be as realistic as possible and reproducible, i.e. it works with real attacks and real traffic in controlled environments. It especially relies on a database containing attack traces specifically created for that evaluation purpose. By confronting IDS to these attack traces, it is possible to get a statistical evaluation of IDS, and to rank them according to their detection capabilities without false alarms. For illustration purposes, this paper shows the results obtained with 3 public IDS. It also shows how the attack traces database impacts the results got for the same IDS.