DOI: 10.1145/974044.974078

Generating realistic workloads for network intrusion detection systems

Published: 01 January 2004

Abstract

While the use of network intrusion detection systems (nIDS) is becoming pervasive, evaluating nIDS performance has been found to be challenging. The goal of this study is to determine how to generate realistic workloads for nIDS performance evaluation. We develop a workload model that appears to provide reasonably accurate estimates compared to real workloads. The model attempts to emulate a traffic mix of different applications, reflecting characteristics of each application and the way these interact with the system. We have implemented this model as part of a traffic generator that can be extended and tuned to reflect the needs of different scenarios. We also present an approach to measuring the capacity of a nIDS that does not require the setup of a full network testbed.
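The abstract describes the generator only at the level of its goals: a traffic mix of several applications, per-application characteristics, and a capacity measurement that avoids a full network testbed. The following is an added example, not the paper's generator, showing the simplest shape such a model can take. Each application class is a server port, a payload-size range, a payload alphabet (protocol text versus opaque bulk data) and a weight in the mix; the generator writes a standard pcap file that a sensor can read offline (for example with `snort -r`), and a timestamp-rescaling step produces the same packets at higher offered rates so the sensor's own drop counters can be compared across replays. The profiles, addresses, ports and rates are constructed illustrative values, not numbers from the paper.

```python
"""Application-mix workload generator that writes a replayable pcap.
Added example, not the paper's generator. Constructed model (assumption): each
application class = server port + payload size range + payload alphabet + mix share.
"""
import random
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class AppProfile:
    name: str
    dst_port: int
    min_size: int    # payload bytes
    max_size: int
    text_like: bool  # ASCII protocol text (HTTP, SMTP) vs opaque bulk data
    weight: float    # share of packets in the mix

# Illustrative profiles, not measured from real traffic.
PROFILES = [
    AppProfile("http", 80, 64, 1460, True, 0.6),
    AppProfile("smtp", 25, 32, 512, True, 0.1),
    AppProfile("ftp-data", 20, 1000, 1460, False, 0.3),
]
TEXT_ALPHABET = b"abcdefghijklmnopqrstuvwxyz /:.-=0123456789\r\n"
SRC_IP, DST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, IPv4

def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when data already holds a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def make_payload(rng, prof):
    n = rng.randint(prof.min_size, prof.max_size)
    if prof.text_like:
        return bytes(rng.choice(TEXT_ALPHABET) for _ in range(n))
    return bytes(rng.getrandbits(8) for _ in range(n))

def build_frame(rng, prof, src_port, seq):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums. A sensor that verifies
    checksums skips detection on bad packets, so zero checksums would measure the
    cost of discarding packets rather than of inspecting their content."""
    payload = make_payload(rng, prof)
    tcp = struct.pack("!HHIIBBHHH", src_port, prof.dst_port, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = SRC_IP + DST_IP + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0, SRC_IP, DST_IP)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ETH_HDR + ip + tcp + payload

def frame_checksums_ok(frame):
    """Re-verify a frame the way a checksum-checking sensor would."""
    ip = frame[14:34]
    tcp_len = struct.unpack("!H", ip[2:4])[0] - 20
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, tcp_len)
    return inet_checksum(ip) == 0 and inet_checksum(pseudo + frame[34:34 + tcp_len]) == 0

def _record(t, frame):
    """pcap record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame."""
    sec = int(t)
    return struct.pack("<IIII", sec, int((t - sec) * 1e6), len(frame), len(frame)) + frame

def generate_workload(n_packets, rate_pps=10000.0, profiles=PROFILES, seed=1):
    """Records at a fixed offered rate, plus the per-application packet counts."""
    rng = random.Random(seed)
    weights = [p.weight for p in profiles]
    records, counts = [], {p.name: 0 for p in profiles}
    for i in range(n_packets):
        prof = rng.choices(profiles, weights=weights)[0]
        records.append(_record(i / rate_pps, build_frame(rng, prof, 1024 + i % 60000, i * 1460)))
        counts[prof.name] += 1
    return records, counts

def rescale(records, factor):
    """Same packets, timestamps compressed by `factor`, i.e. offered load times `factor`.
    Replaying 1x, 2x, 4x ... and reading the sensor's own drop counter after each run
    brackets its capacity without a wire-speed testbed."""
    out = []
    for rec in records:
        sec, usec = struct.unpack("<II", rec[:8])
        out.append(_record((sec + usec / 1e6) / factor, rec[16:]))
    return out

def pcap_bytes(records):
    """Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)

if __name__ == "__main__":
    recs, mix = generate_workload(20000)
    for factor in (1, 2, 4):
        with open("mix_%dx.pcap" % factor, "wb") as f:
            f.write(pcap_bytes(rescale(recs, factor)))
    print(mix)  # then e.g. snort -r mix_4x.pcap -c snort.conf and compare the drop counters
```

Two points of this example carry over to any generator of this kind. First, the payload alphabet is what makes the workload realistic for a content-matching sensor: text-like payloads containing the characters signatures are written in cost the matcher more than uniformly random bytes, so a generator that emits only random data overstates capacity. Second, the checksums are not cosmetic: a sensor that verifies them (Snort does by default) does not run detection on packets that fail, so a trace with zeroed checksums measures how fast the sensor discards packets, not how fast it inspects them; `frame_checksums_ok` is the check to run on any trace before using it as a benchmark.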


Published In

WOSP '04: Proceedings of the 4th International Workshop on Software and Performance
January 2004
313 pages
ISBN: 1581136730
DOI: 10.1145/974044

ACM SIGSOFT Software Engineering Notes, Volume 29, Issue 1
January 2004
300 pages
ISSN: 0163-5948
DOI: 10.1145/974043

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. intrusion detection
2. security
3. workload characterization and generation


Conference

WOSP04: Fourth International Workshop on Software and Performance 2004
January 14 - 16, 2004
Redwood Shores, California

Acceptance Rates

WOSP '04 paper acceptance rate: 38 of 70 submissions (54%)
Overall acceptance rate: 149 of 241 submissions (62%)
