ON THE SELF-SIMILARITY OF THE 1999 DARPA/LINCOLN LABORATORY EVALUATION DATA

Kun Huang, Dafang Zhang

Abstract

While intrusion detection systems (IDSs) are becoming a ubiquitous defence, no comprehensive and scientifically rigorous benchmark is available to evaluate their performance. In 1998 and again in 1999, the Lincoln Laboratory of MIT conducted a comprehensive evaluation of IDSs and produced the DARPA off-line evaluation data to train and test IDSs. However, the detailed characteristics of the DARPA/Lincoln Laboratory evaluation data have not been described. This paper examines the self-similarity of the 1999 DARPA/Lincoln Laboratory evaluation data sets for training and indicates that the evaluation data clearly exhibits self-similarity during the preceding tens of hours, but not during other time periods. The likely causes of the failure of self-similarity are also explored. These findings can help evaluators understand the 1999 DARPA/Lincoln Laboratory evaluation data and use it well to evaluate IDSs.



Paper Citation


in Harvard Style

Huang K. and Zhang D. (2006). ON THE SELF-SIMILARITY OF THE 1999 DARPA/LINCOLN LABORATORY EVALUATION DATA. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006) ISBN 978-972-8865-63-4, pages 75-80. DOI: 10.5220/0002096900750080


in Bibtex Style

@conference{secrypt06,
author={Kun Huang and Dafang Zhang},
title={ON THE SELF-SIMILARITY OF THE 1999 DARPA/LINCOLN LABORATORY EVALUATION DATA},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)},
year={2006},
pages={75-80},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002096900750080},
isbn={978-972-8865-63-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)
TI - ON THE SELF-SIMILARITY OF THE 1999 DARPA/LINCOLN LABORATORY EVALUATION DATA
SN - 978-972-8865-63-4
AU - Huang K.
AU - Zhang D.
PY - 2006
SP - 75
EP - 80
DO - 10.5220/0002096900750080