Real traffic logs creation for testing intrusion detection systems

Published: 10 October 2015 Publication History

Abstract

Port scanning is one of the most popular reconnaissance techniques that many attackers use to profile the running services on a potential target before launching an attack. Many port scanning detection mechanisms have been suggested in the literature. To test the proposed detection approaches, researchers use data sets that are available online or simulate their own. However, the available data sets do not provide complete logs and are usually outdated. Furthermore, the simulated data sets provide logs that do not resemble real-life scenarios. These deficiencies in the available data sets strongly affect the outcome of testing intrusion detection systems (IDSs) and result in poor evaluations. Meanwhile, very little work has been done on generating port scanning benchmarks that researchers can use to test their detection methods. In this work, we suggest a simulation framework using OMNeT++ to generate benchmarks that resemble real-life traffic. We approach the problem by dividing it into three modules: (1) topology creation; (2) good traffic generation; and (3) bad traffic generation, each of which is made realistic, similar to deployed and usable networks. The benchmark is then tested using Snort and MalwareAnalysis. The tested IDSs were not able to catch many of the generated port scanning attacks, specifically the slow and distributed ones. We also measured the attack detection efficiency of the IDSs under different loads of background activity. Hence, the proposed framework and the annotated benchmarks will provide researchers and industry with an effective way of testing the power of IDSs' port scanning detection modules. Copyright © 2014 John Wiley & Sons, Ltd.
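The abstract's central finding is that slow and distributed scans slip past the tested IDSs. The following is an added illustration, not the paper's framework or any IDS's code: it constructs a small connection log containing a fast, a slow and a distributed scan over a little benign background traffic, then runs two detection rules over it. A per-source short-window threshold (a common style of port scan rule) flags only the fast scan, while a per-target long-window count of distinct ports, aggregated across sources, flags all three. Hosts, ports and timings are constructed sample values.

```python
from collections import defaultdict

# Constructed connection log: (time_s, src, dst, dst_port). Not taken from the paper.
LOG = [
    # benign background: a few clients talking to web and mail hosts
    (0.0, "10.0.0.5", "10.0.1.2", 80), (1.0, "10.0.0.6", "10.0.1.3", 25),
    (2.0, "10.0.0.5", "10.0.1.2", 443), (3.0, "10.0.0.7", "10.0.1.2", 80),
]
# fast scan: one source probes 12 ports on one host within about one second
LOG += [(10.0 + i * 0.1, "192.0.2.9", "10.0.1.10", 20 + i) for i in range(12)]
# slow scan: one source probes one port every 90 seconds
LOG += [(100.0 + i * 90, "192.0.2.20", "10.0.1.11", 20 + i) for i in range(12)]
# distributed scan: 12 different sources each probe a single port of one host
LOG += [(300.0 + i * 0.4, f"198.51.100.{i}", "10.0.1.12", 20 + i) for i in range(12)]


def per_source_window_detector(log, window=60.0, threshold=10):
    """Flag a source that touches >= threshold distinct (host, port) pairs
    within any `window` seconds. This is the short-window, per-source rule."""
    by_src = defaultdict(list)
    for t, src, dst, port in sorted(log):
        by_src[src].append((t, dst, port))
    flagged = set()
    for src, events in by_src.items():
        for i, (t0, _, _) in enumerate(events):
            targets = {(d, p) for t, d, p in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged.add(src)
                break
    return flagged


def per_target_long_window_detector(log, window=3600.0, threshold=10):
    """Flag a target host that receives probes on >= threshold distinct ports
    from any sources within `window` seconds. Aggregating by target and using
    a long window is what lets slow and distributed scans surface."""
    by_dst = defaultdict(list)
    for t, src, dst, port in sorted(log):
        by_dst[dst].append((t, port))
    flagged = set()
    for dst, events in by_dst.items():
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged.add(dst)
                break
    return flagged


if __name__ == "__main__":
    print("per-source, 60 s window:", per_source_window_detector(LOG))
    print("per-target, 1 h window:", per_target_long_window_detector(LOG))
```

The trade-off a practitioner should note is that the longer window and target-side aggregation also raise the false-positive exposure under heavy benign load, which is exactly the background-activity dimension the paper measures.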


Published In

Wireless Communications & Mobile Computing, Volume 15, Issue 14, October 2015 (92 pages)

Publisher

John Wiley and Sons Ltd., United Kingdom
Author Tags

  1. benchmark testing
  2. computer security
  3. intrusion detection
  4. simulation
