Generating realistic intrusion detection system dataset based on fuzzy qualitative modeling

Haider, Waqas; Hu, Jiankun; Slay, Jill; Turnbull, Benjamin; Xie, Yi

doi:10.1016/j.jnca.2017.03.018

Cited by 164 publications

(93 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Larger Cross-evaluation. We emphasize that comparing UNI-CORN with other existing IDS (most of which are syscallbased) is difficult for several reasons: A) many IDS are not open-source; B) existing public IDS datasets are either outdated [4], [85] or require a translation [28], [50], [51] from, e.g., syscall traces to data provenance, which is challenging and sometimes impossible (due to lack of information); C) systems that create their own private datasets only superficially describe their experimental procedures, making it difficult to fairly reproduce the experiments for provenance data. We believe that such a meta-study is a worthwhile endeavor that we plan to pursue in future work.…”

Section: Discussion and Limitationsmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

154

111

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: Discussion and Limitationsmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

154

111

View full text Add to dashboard Cite

show abstract

“…Other works similar to this one usually achieve high classification performance rates, although this is mainly motivated by the flaws found in KDDCup'99 dataset. This assumption is confirmed by comparing accuracy results obtained in [15] through classical ML algorithms against the ones obtained by using the same ML methods but, in this case, considering a recent and realistic dataset: NGIDS-DS [16]. Although the same ML algorithms were used for comparison, no specific details were mentioning the methodology followed by the authors.…”

Section: Recent Work and Methodsmentioning

confidence: 77%

Towards a Reliable Comparison and Evaluation of Network Intrusion Detection Systems Based on Machine Learning Approaches

et al. 2020

View full text Add to dashboard Cite

Presently, we are living in a hyper-connected world where millions of heterogeneous devices are continuously sharing information in different application contexts for wellness, improving communications, digital businesses, etc. However, the bigger the number of devices and connections are, the higher the risk of security threats in this scenario. To counteract against malicious behaviours and preserve essential security services, Network Intrusion Detection Systems (NIDSs) are the most widely used defence line in communications networks. Nevertheless, there is no standard methodology to evaluate and fairly compare NIDSs. Most of the proposals elude mentioning crucial steps regarding NIDSs validation that make their comparison hard or even impossible. This work firstly includes a comprehensive study of recent NIDSs based on machine learning approaches, concluding that almost all of them do not accomplish with what authors of this paper consider mandatory steps for a reliable comparison and evaluation of NIDSs. Secondly, a structured methodology is proposed and assessed on the UGR’16 dataset to test its suitability for addressing network attack detection problems. The guideline and steps recommended will definitively help the research community to fairly assess NIDSs, although the definitive framework is not a trivial task and, therefore, some extra effort should still be made to improve its understandability and usability further.

show abstract

“…ISOT was used for detecting P2P botnets [57]. The resulting data set is publicly available 19 and contains 11 GB of packet-based data in pcap format.…”

Section: Data Setmentioning

confidence: 99%

A survey of network-based intrusion detection data sets

Ring

Wunderlich

Scheuring

et al. 2019

Computers & Security

560

235

View full text Add to dashboard Cite

Labeled data sets are necessary to train and evaluate anomaly-based network intrusion detection systems. This work provides a focused literature survey of data sets for networkbased intrusion detection and describes the underlying packetand flow-based network data in detail. The paper identifies 15 different properties to assess the suitability of individual data sets for specific evaluation scenarios. These properties cover a wide range of criteria and are grouped into five categories such as data volume or recording environment for offering a structured search. Based on these properties, a comprehensive overview of existing data sets is given. This overview also highlights the peculiarities of each data set. Furthermore, this work briefly touches upon other sources for network-based data such as traffic generators and data repositories. Finally, we discuss our observations and provide some recommendations for the use and the creation of network-based data sets.

show abstract

Generating realistic intrusion detection system dataset based on fuzzy qualitative modeling

Cited by 164 publications

References 18 publications

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Towards a Reliable Comparison and Evaluation of Network Intrusion Detection Systems Based on Machine Learning Approaches

A survey of network-based intrusion detection data sets

Contact Info

Product

Resources

About