Research Article
Simulating Content in Traffic for Benchmarking Intrusion Detection Systems
@INPROCEEDINGS{10.4108/icst.simutools.2011.245519, author={Victor Craig Valgenti and Min Kim}, title={Simulating Content in Traffic for Benchmarking Intrusion Detection Systems}, proceedings={4th International ICST Conference on Simulation Tools and Techniques}, publisher={ICST}, proceedings_a={SIMUTOOLS}, year={2012}, month={4}, keywords={Security Benchmarking Network Traffic Simulation}, doi={10.4108/icst.simutools.2011.245519} }- Victor Craig Valgenti
Min Kim
Year: 2012
Simulating Content in Traffic for Benchmarking Intrusion Detection Systems
SIMUTOOLS
ICST
DOI: 10.4108/icst.simutools.2011.245519
Abstract
Deep-packet inspection Intrusion Detection Systems (IDS) compare the headers and payload of network packets against a set of known malicious signatures. The composition of the packets combined with the number of known signatures determines the time required by the IDS for matching. Most IDS evaluation techniques employ on/off models where a packet is either malicious or not. Such evaluation ignores the case where the content of a benign packet partially intersects with one or many signatures, causing more processing for the IDS. To address this hole in evaluation we propose a traffic model that uses the target IDS signature set to create partially-matching traffic. This partially-matching traffic then allows the systematic examination of the IDS across multiple scenarios. Such evaluation provides insight into the idiosyncrasies of an IDS that would remain hidden if evaluated under current methodologies.