IDS mailing list archives
RE: Hi, I want to study IPS
From: Chatprechakul Mr N <n.chatprechakul () cranfield ac uk>
Date: Fri, 16 Jul 2004 16:37:30 +0100
Hello,

I think testing with a dataset from a place like Lincoln Labs is still useful because other people use it. So it allows you to compare the performance with others. And the method of collecting proper traffic for testing is time consuming, as you might have to document each attack. Using an available dataset provides a quick and easy way to get your system tested.

However, I agree that the dataset can be considered very old (in internet time). I wish they would continue producing the dataset and keeping it up to date.

regards,
Nattapon Chatprechakul

-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: 15 July 2004 11:29 PM
To: Chris Petersen
Cc: '(infor) urko zurutuza'; focus-ids () securityfocus com
Subject: RE: Hi, I want to study IPS

Hello.

Chris said:
> In our experience developing technology of this type (albeit data-mining anomaly detection software), you will need data from real networks to test your algorithms/methods against.
It is even crazier to see a recent paper on NIDS "research" utilizing the so-called Lincoln labs IDS testing data set only and saying "in the future we will try it on a real network". Eeewh... the thing is centuries (eh, 5 years) old. And it is sooo easy to get real data, just sniff your University network (if a policy allows it, of course!) and/or set up a honeynet. The lab data also will not provide any real test for an IDS beyond very simple things, such as 'does it actually sniff traffic'.
> Putting up a test network, with test data does not provide a good baseline against which to evaluate the effectiveness of your techniques. You need real data, with real anomalies.
Agreed 100%

Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH
http://www.info-secure.org
http://www.securitywarrior.com