Analysis of Three Intrusion Detection System Benchmark Datasets Using Machine Learning Algorithms
In this paper, we employed two machine learning algorithms – namely, a clustering and a neural network algorithm – to analyze the network traffic recorded from three sources. Of the three sources, two of the traffic sources were synthetic, which means the traffic was generated in a controlled environment for intrusion detection benchmarking. The main objective of the analysis is to determine the differences between synthetic and real-world traffic, however the analysis methodology detailed in this paper can be employed for general network analysis purposes. Moreover the framework, which we employed to generate one of the two synthetic traffic sources, is briefly discussed.
KeywordsIntrusion Detection Network Traffic Test Dataset Intrusion Detection System Synthetic Dataset
Unable to display preview. Download preview PDF.
- 1.Kayacik, G.H., Zincir-Heywood, A.N.: Generating Representative Traffic for Intrusion Detection System Benchmarking. In: Proceedings of the IEEE CNSR 2005 Halifax, Canada (May 2005)Google Scholar
- 2.Odlyzko, A.: Internet traffic growth: Sources and implications (2003), http://www.dtc.umn.edu/~odlyzko/doc/itcom.internet.growth.pdf (last accessed November 2004)
- 4.Kayacik, G.H., Zincir-Heywood, A.N., Heywood, M.I.: On the capability of SOM based intrusion detection systems. In: Proceedings of the 2003 IEEE IJCNN, Portland, USA (July 2003)Google Scholar
- 5.MacQueen, J.B.: Some Methods for classification and Analysis of Multivariate Observations. In: Proceedings of 5th Berkeley Symposium on Mathematical Statistics and Probability, vol. 1, pp. 281–297. University of California Press, Berkeley (1967)Google Scholar
- 6.Chambers, J., Cleveland, W., Kleiner, B., Tukey, P.: Graphical Methods for Data Analysis, Wadsworth (1983)Google Scholar
- 7.McHugh, J.: Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory. ACM Transactions on Information and System Security 3(4) (November 2000)Google Scholar