IDS mailing list archives

Re: Intrusion Detection Evaluation Datasets


From: Jamie Riden <jamie.riden () gmail com>
Date: Mon, 9 Mar 2009 20:09:58 +0000

2009/3/4 snort user <snort.user () gmail com>:
> Greetings to everyone.
>
> I have some questions regarding Intrusion detection evaluation datasets -
>
> Apart from the Darpa datasets and KDD datasets, are there other publicly
> available datasets?
> Are these datasets useful for evaluating a new IDS system or even a new
> detection technique?

Not the KDD '99 data set that I've played with - was categorised by
various things, but had no actual payloads if I remember correctly.

IMHO, the only way to evaluate an IDS is to plug it into your network
- no one else is going to share sensitive traffic of that kind; even
if they do, it'll be different, and the sheer volume of a continuous
100Mbs+ data feed is going to make such an exercise impractical. Also,
I have a degree in machine learning and I know how hard it is to
ensure that one data set (training data) is representative of your
actual problem (test data).

Find a friendly sysadmin and offer to trade: test your IDS in exchange
for supplying them with any useful information you might discover.

Sorry to be difficult :)

cheers,
 Jamie

PS: Not being anti-IDS. At my first security gig, I plugged snort into
my 100Mbs core switch - very enlightening, and I would not be without
an IDS sensor in any security role.
-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
http://www.ukhoneynet.org/members/jamie/


