4th International ICST Conference on Simulation Tools and Techniques

Research Article

Simulating Content in Traffic for Benchmarking Intrusion Detection Systems

@INPROCEEDINGS{10.4108/icst.simutools.2011.245519,
    author={Victor Craig Valgenti and Min Kim},
    title={Simulating Content in Traffic for Benchmarking Intrusion Detection Systems},
    proceedings={4th International ICST Conference on Simulation Tools and Techniques},
    publisher={ICST},
    proceedings_a={SIMUTOOLS},
    year={2012},
    month={4},
    keywords={Security Benchmarking Network Traffic Simulation},
    doi={10.4108/icst.simutools.2011.245519}
}
    
Victor Craig Valgenti¹*, Min Kim¹
¹ Washington State University
*Contact email: vvalgent@eecs.wsu.edu

Abstract

Deep-packet inspection Intrusion Detection Systems (IDS) compare the headers and payload of network packets against a set of known malicious signatures. The composition of the packets combined with the number of known signatures determines the time required by the IDS for matching. Most IDS evaluation techniques employ on/off models where a packet is either malicious or not. Such evaluation ignores the case where the content of a benign packet partially intersects with one or many signatures, causing more processing for the IDS. To address this hole in evaluation, we propose a traffic model that uses the target IDS signature set to create partially-matching traffic. This partially-matching traffic then allows the systematic examination of the IDS across multiple scenarios. Such evaluation provides insight into the idiosyncrasies of an IDS that would remain hidden if evaluated under current methodologies.