An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection

  • Matthew V. Mahoney
  • Philip K. Chan
Conference paper

DOI: 10.1007/978-3-540-45248-5_13

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2820)
Cite this paper as:
Mahoney M.V., Chan P.K. (2003) An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection. In: Vigna G., Kruegel C., Jonsson E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg

Abstract

The DARPA/MIT Lincoln Laboratory off-line intrusion detection evaluation data set is the most widely used public benchmark for testing intrusion detection systems. Our investigation of the 1999 background network traffic suggests the presence of simulation artifacts that would lead to overoptimistic evaluation of network anomaly detection systems. The effect can be mitigated without knowledge of specific artifacts by mixing real traffic into the simulation, although the method requires that both the system and the real traffic be analyzed and possibly modified to ensure that the system does not model the simulated traffic independently of the real traffic.


Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Matthew V. Mahoney (1)
  • Philip K. Chan (1)
  1. Computer Science Department, Florida Institute of Technology, Melbourne
