Title :
Recent Advances in Network Intrusion Detection System Tuning
Author :
Sommers, Joel ; Yegneswaran, Vinod ; Barford, Paul
Author_Institution :
Univ. of Wisconsin-Madison
Abstract :
We describe a traffic generation framework for online evaluation and tuning of network intrusion detection systems over a wide range of realistic conditions. The framework integrates both benign and malicious traffic, enabling generation of IP packet streams with diverse characteristics from the perspective of (i) packet content (both header and payload), (ii) packet mix (order of packets in streams) and (iii) packet volume (arrival rate of packets in streams). We begin by describing a methodology for benign traffic generation that combines payload pools (possibly culled from traces of live traffic) with application-specific automata to generate streams with representative characteristics. Next, we describe a methodology for malicious traffic generation, and techniques for integration with benign traffic to produce a range of realistic workload compositions. We realize our traffic generation framework in a tool we call Trident, and demonstrate its utility through a series of laboratory-based experiments using traces collected from our departmental border router, the DARPA intrusion detection evaluation data sets provided by Lincoln Lab, and a suite of malicious traffic modules that reproduce a broad range of attacks commonly seen in today's networks. Our experiments demonstrate the effects of varying packet content, mix, and volume on the performance of intrusion detection systems.
Keywords :
IP networks; security of data; telecommunication traffic; IP packet stream; Lincoln Lab; Trident; application-specific automata; diverse characteristics; network intrusion detection system tuning; online evaluation; traffic generation framework; Automata; Character generation; Communication system traffic control; Control systems; Intrusion detection; Laboratories; Payloads; Robustness; System testing; Telecommunication traffic;
Conference_Title :
Information Sciences and Systems, 2006 40th Annual Conference on
Conference_Location :
Princeton, NJ
Print_ISBN :
1-4244-0349-9
Electronic_ISBN :
1-4244-0350-2
DOI :
10.1109/CISS.2006.286375