    A database of anomalous traffic for assessing profile based IDS

    14 pages. International audience. This paper aims at proposing a methodology and the required tools for evaluating the capabilities of current IDS (commercial ones, as well as prototypes resulting from advanced research projects) to detect attacks targeting networks and their services. This methodology tries to be as realistic and reproducible as possible, i.e. it works with real attacks and real traffic in controlled environments. It relies in particular on a database containing attack traces specifically created for that evaluation purpose. By confronting IDS with these attack traces, it is possible to get a statistical evaluation of IDS, and to rank them according to their detection capabilities without false alarms. For illustration purposes, this paper shows the results obtained with 3 public IDS. It also shows how the attack traces database impacts the results obtained for the same IDS.