
Research On The Self-similarity Of Evaluation Data For Intrusion Detection Systems

Posted on: 2005-10-12
Degree: Master
Type: Thesis
Country: China
Candidate: K Huang
GTID: 2168360125958867
Subject: Computer application technology

Abstract/Summary:
An intrusion detection system is one of the important components of a computer network security defense system. With the widespread use of intrusion detection systems, research on the evaluation of intrusion detection systems has become a hot topic. In 1998 and 1999, the Lincoln Laboratory of the Massachusetts Institute of Technology (MIT/LL) presented the most comprehensive approach and test bed for the quantitative evaluation of intrusion detection systems and, more importantly, publicly distributed an evaluation data set for benchmarking intrusion detection systems. However, the statistical characteristics of the network traffic in the MIT/LL evaluation data have not been provided, and the MIT/LL evaluation data has some flaws, including an unreasonable distribution of attack instances.

First, this paper analyzes the statistical characteristics of the protocol distribution and data speed of the background traffic in weeks 1 and 3 of the 1999 MIT evaluation data. The actual time of the background traffic in weeks 1 and 3 is compared with what is provided by MIT/LL; the distribution of network layer, transport layer and application layer protocols in the background traffic in weeks 1 and 3 is analyzed, and the main protocols that affect the network activity characteristics of the background traffic are indicated; the data speed and network bandwidth utilization rate of the background traffic in weeks 1 and 3 are also analyzed.

Second, the Hurst parameter of the frame arrivals process and the IP arrivals process of the background traffic in weeks 1 and 3 of the 1999 MIT evaluation data is estimated with the variance-time plot estimator, the R/S analysis estimator, the periodogram estimator, the Whittle estimator and the wavelet-based Abry-Veitch estimator. The self-similarity that the background traffic exhibits on each day of weeks 1 and 3 is analyzed. It is shown that self-similarity is exhibited for more than 10 hours each day but not during some of the other hours, and that the self-similarity exhibited by the background traffic differs between the inside networks and the outside networks. The likely causes of the background traffic failing to exhibit self-similarity are explored.

Finally, the principle and implementation of several probe scanning attacks and denial-of-service attacks are discussed. The attack traffic from these attacks is intended for evaluating the capability to detect evasion attacks.
Keywords/Search Tags:Intrusion detection, Self-similarity, Evaluation data, Network traffic analysis, Attack