An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection

Mahoney, Matthew V.; Chan, Philip K.

doi:10.1007/978-3-540-45248-5_13

Cited by 369 publications

(201 citation statements)

References 13 publications

Supporting

Mentioning

191

Contrasting

Unclassified

Order By: Relevance

“…McHugh [McH01] published a strong criticism on the procedures used when creating the KDD'99 database, especially on the lack of verification of the network realism compared to an actual one. It was followed in 2003 by Mahoney et Chan [MC03] who decided to review into detail the database. Mahoney et Chan showed that the traces were far from simulating realistic conditions, and therefore, that even a very simple IDS can exhibit very high performance results, performances that it could never reach in a real environment.…”

Section: I2 the Kdd'99 Traditional Evaluation Methodsmentioning

confidence: 99%

A Database of Anomalous Traffic for Assessing Profile Based IDS

Owezarski

2010

Traffic Monitoring and Analysis

View full text Add to dashboard Cite

Section: I2 the Kdd'99 Traditional Evaluation Methodsmentioning

confidence: 99%

A Database of Anomalous Traffic for Assessing Profile Based IDS

Owezarski

2010

Traffic Monitoring and Analysis

View full text Add to dashboard Cite

“…The DARPA corpus provides a widely-used benchmark for ID evaluation on network traffic at the packet level. Although some works have raised questions about the accuracy and reliability of this dataset [73,74], the DARPA dataset still is the standard corpus for evaluation of NIDSs.…”

Section: Darpa Datasetmentioning

confidence: 99%

Neural visualization of network traffic data for intrusion detection

Corchado

Herrero

2011

Applied Soft Computing

149

View full text Add to dashboard Cite

-This study introduces and describes a novel Intrusion Detection System (IDS) called MOVCIDS (MObile Visualization Connectionist IDS). This system applies neural projection architectures to detect anomalous situations taking place in a computer network. By its advanced visualization facilities, the proposed IDS allows providing an overview of the network traffic as well as identifying anomalous situations tackled by computer networks, responding to the challenges presented by volume, dynamics and diversity of the traffic, including novel (0-day) attacks. MOVCIDS provides a novel point of view in the field of IDSs by enabling the most interesting projections (based on the fourth order statistics; the kurtosis index) of a massive traffic dataset to be extracted. These projections are then depicted through a functional and mobile visualization interface, providing visual information of the internal structure of the traffic data. The interface makes MOVCIDS accessible from any mobile device to give more accessibility to network administrators, enabling continuous visualization, monitoring and supervision of computer networks. Additionally, a novel testing technique has been developed to evaluate MOVCIDS and other IDSs employing numerical datasets. To show the performance and validate the proposed IDS, it has been tested in different real domains containing several attacks and anomalous situations. In addition, the importance of the temporal dimension on intrusion detection, and the ability of this IDS to process it, are emphasized in this work.

show abstract

“…Presently the only (large) public data set for testing intrusion detection systems is the DARPA data set [17], dated back to 1999. Although this data set is still widely used (since public data sets are scarce), it presents significant shortcomings that make it unsuitable to test our system: E.g., only four attacks related to web (and most of them target web server's vulnerabilities) are available and traffic typology is outdated (see [18,19] for detailed explanations about its limitations). So, to carry out our experiments we collected three different data sets from three different sources:…”

Section: Benchmarksmentioning

confidence: 99%

Boosting Web Intrusion Detection Systems by Inferring Positive Signatures

Bolzoni

Etalle

2008

On the Move to Meaningful Internet Systems: OTM 2008

View full text Add to dashboard Cite

Abstract. We present a new approach to anomaly-based network intrusion detection for web applications. This approach is based on dividing the input parameters of the monitored web application in two groups: the "regular" and the "irregular" ones, and applying a new method for anomaly detection on the "regular" ones based on the inference of a regular language. We support our proposal by realizing Sphinx, an anomaly-based intrusion detection system based on it. Thorough benchmarks show that Sphinx performs better than current state-of-the-art systems, both in terms of false positives/false negatives as well as needing a shorter training period.

show abstract

An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection

Cited by 369 publications

References 13 publications

A Database of Anomalous Traffic for Assessing Profile Based IDS

A Database of Anomalous Traffic for Assessing Profile Based IDS

Neural visualization of network traffic data for intrusion detection

Boosting Web Intrusion Detection Systems by Inferring Positive Signatures

Contact Info

Product

Resources

About