• DocumentCode
    1591046
  • Title
    Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation
  • Author
    Lippmann, Richard P. ; Fried, David J. ; Graf, Isaac ; Haines, Joshua W. ; Kendall, Kristopher R. ; McClung, David ; Weber, Dan ; Webster, Seth E. ; Wyschogrod, Dan ; Cunningham, Robert K. ; Zissman, Marc A.
  • Author_Institution
    Lincoln Lab., MIT, Lexington, MA, USA
  • Volume
    2
  • fYear
    2000
  • fDate
    6/22/1905 12:00:00 AM
  • Firstpage
    12
  • Abstract
    An intrusion detection evaluation test bed was developed which generated normal traffic similar to that on a government site containing 100s of users on 1000s of hosts. More than 300 instances of 38 different automated attacks were launched against victim UNIX hosts in seven weeks of training data and two weeks of test data. Six research groups participated in a blind evaluation and results were analyzed for probe, denial-of-service (DoS), remote-to-local (R2L), and user-to-root (U2R) attacks. The best systems detected old attacks included in the training data at moderate detection rates ranging from 63% to 93% at a false alarm rate of 10 false alarms per day. Detection rates were much worse for new and novel R2L and DoS attacks included only in the test data. The best systems failed to detect roughly half of these new attacks, which included damaging access to root-level privileges by remote users. These results suggest that further research should focus on developing techniques to find new attacks instead of extending existing rule-based approaches.
  • Keywords
    safety systems; security of data; DARPA off-line intrusion detection evaluation; automated attacks; denial-of-service; intrusion detection systems; remote-to-local; rule-based approaches; user to root; Arm; Automatic testing; Contracts; Electrical capacitance tomography; Government; Internet; Intrusion detection; Laboratories; Read only memory; Training data;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    DARPA Information Survivability Conference and Exposition, 2000. DISCEX '00. Proceedings
  • Conference_Location
    Hilton Head, SC
  • Print_ISBN
    0-7695-0490-6
  • Type
    conf
  • DOI
    10.1109/DISCEX.2000.821506
  • Filename
    821506