DOI: 10.1145/3229598.3229601
How to Test an IDS?: GENESIDS: An Automated System for Generating Attack Traffic

Published: 07 August 2018

Abstract

Evaluating the attack coverage of signature-based Network Intrusion Detection Systems (NIDS) is a necessary but difficult task. Often, live or recorded real-world traffic is used. However, firstly, real-world network traffic is hard to come by at larger scale, and the few available traces usually do not contain application-layer payload. Secondly, and more importantly, it contains only very few realistic attacks. So the question remains: how to test a NIDS? We propose GENESIDS, a system that automatically generates user-definable HTTP attacks and thus allows for straightforward creation of network traces (or live traffic) in which the number of different detectable events is confined only by the given attack definitions. By using an input format that follows the Snort syntax, the system can take advantage of thousands of realistic attack definitions. Our system can be used in combination with traffic generators to maintain typical load patterns as background traffic. Our evaluation shows that GENESIDS is able to reliably produce a very broad variation of HTTP attacks. GENESIDS is available as Open Source software.




Published In

WTMC '18: Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity, August 2018, 57 pages. ISBN: 9781450359108. DOI: 10.1145/3229598.

Publisher

Association for Computing Machinery, New York, NY, United States



Conference

SIGCOMM '18: ACM SIGCOMM 2018 Conference (sponsor), August 20, 2018, Budapest, Hungary


Cited By

  • (2023) Research Report: Synthesizing Intrusion Detection System Test Data from Open-Source Attack Signatures. 2023 IEEE Security and Privacy Workshops (SPW), 198-208. DOI: 10.1109/SPW59333.2023.00023. Online publication date: May 2023.
  • (2023) Work Balancing vs. Load Balancing for Network IDS Parallelization. 2023 International Wireless Communications and Mobile Computing (IWCMC), 488-493. DOI: 10.1109/IWCMC58020.2023.10183026. Online publication date: 19 Jun 2023.
  • (2023) GRAPHSEC – Advancing the Application of AI/ML to Network Security Through Graph Neural Networks. Machine Learning for Networking, 56-71. DOI: 10.1007/978-3-031-36183-8_5. Online publication date: 7 Jul 2023.
  • (2021) IoT Traffic: Modeling and Measurement Experiments. IoT 2:1, 140-162. DOI: 10.3390/iot2010008. Online publication date: 26 Feb 2021.
  • (2021) Cyber Ranges and TestBeds for Education, Training, and Research. Applied Sciences 11:4, 1809. DOI: 10.3390/app11041809. Online publication date: 18 Feb 2021.
  • (2021) Variables influencing the effectiveness of signature-based network intrusion detection systems. Information Security Journal: A Global Perspective 31:6, 711-728. DOI: 10.1080/19393555.2021.1975853. Online publication date: 20 Sep 2021.
  • (2020) Session-level adversary intent-driven cyberattack simulator. Proceedings of the IEEE/ACM 24th International Symposium on Distributed Simulation and Real Time Applications, 7-15. DOI: 10.5555/3451906.3451908. Online publication date: 14 Sep 2020.
  • (2020) On High-Speed Flow-based Intrusion Detection using Snort-compatible Signatures. IEEE Transactions on Dependable and Secure Computing, 1-1. DOI: 10.1109/TDSC.2020.2973992. Online publication date: 2020.
  • (2020) Generating IoT traffic: A Case Study on Anomaly Detection. 2020 IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN), 1-6. DOI: 10.1109/LANMAN49260.2020.9153235. Online publication date: Jul 2020.
  • (2020) Inspecting Intrusion Prevention System Signatures for False Blocking using Set Theory. 2020 IEEE International Conference on Communications Workshops (ICC Workshops), 1-6. DOI: 10.1109/ICCWorkshops49005.2020.9145103. Online publication date: Jun 2020.
