IDS mailing list archives

Characterizing HIDS workloads


From: "M. GAD" <masgad () gmail com>
Date: Tue, 10 Jun 2008 19:38:48 +0200

Hi everybody,
While working on the evaluation of intrusion detection systems, I
discovered a significant shortage in the material for evaluating HIDS,
contrary to NIDS evaluations. The latter benefit from a large amount
of material, including datasets and papers created especially for NIDS
evaluations, in addition to material already available from the
intensive work in the networking area.
In order to promote the research and development of host-based
IDS, we need to elaborate such material.
I think that the first step is to characterize HIDS workloads (log
files, system calls, Windows registries, or any other type of data
analyzed by HIDS). This requires collecting a sufficient number of log
files and system call records, as well as a set of accompanying tools such
as anonymization, normalisation, filtering and analysis tools.
What do you think?
Are there any existing datasets and tools for testing HIDS that I have missed?
If you agree, can we create a joint working group for this purpose?
Your suggestions are welcome.

Best regards,
M. GAD
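To make the "accompanying tools" idea concrete, here is an added example (not part of the original post or any project it mentions) of the two tools the post names first: a normalizer that turns a system-call trace into uniform records, and a pseudonymizer that replaces user names, host names and IPv4 addresses with keyed HMAC pseudonyms so the trace can be shared without disclosing who produced it while still letting analysts correlate the same principal across records. The trace lines are constructed in an strace-like format for this example; the secret key, the regexes and the record layout are all assumptions of the example, not a standard.

```python
"""Normalize and pseudonymize a system-call trace for HIDS workload sharing."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample trace (strace-like), not real data.
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/home/alice/.ssh/id_rsa", O_RDONLY) = 3
1234 read(3, "-----BEGIN"..., 4096) = 1679
1234 close(3) = 0
1235 execve("/usr/bin/ssh", ["ssh", "alice@host01.example.com"], ...) = 0
1235 connect(4, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
1234 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = -1 EACCES (Permission denied)
"""

# One trace line: "<pid> <syscall>(<args>) = <ret> [ERRNO ...]"
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)(?P<err>\s+E\w+)?"
)
HOME_RE = re.compile(r"/home/([A-Za-z0-9_.-]+)")
USERHOST_RE = re.compile(r"\b([A-Za-z0-9_.-]+)@([A-Za-z0-9.-]+)\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Keyed, consistent pseudonym: same input under the same key gives the
    same token, but without the key the original value cannot be recovered."""
    digest = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}_{digest[:8]}"


def anonymize_args(args: str, key: bytes) -> str:
    """Replace identifying fields in the argument string with pseudonyms."""
    args = HOME_RE.sub(lambda m: "/home/" + pseudonym("user", m.group(1), key), args)
    args = USERHOST_RE.sub(
        lambda m: pseudonym("user", m.group(1), key) + "@" + pseudonym("host", m.group(2), key),
        args,
    )
    args = IPV4_RE.sub(lambda m: pseudonym("ip", m.group(0), key), args)
    return args


def parse_line(line: str, key: bytes):
    """Normalize one trace line into a record; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    err = m.group("err")
    return {
        "pid": int(m.group("pid")),
        "syscall": m.group("call"),
        "args": anonymize_args(m.group("args"), key),
        "ret": int(m.group("ret")),
        "error": err.strip() if err else None,
    }


def parse_trace(text: str, key: bytes) -> list:
    """Normalize and pseudonymize a whole trace, dropping lines that do not parse."""
    return [r for r in (parse_line(l, key) for l in text.splitlines()) if r]


def characterize(records: list) -> dict:
    """Summary statistics a workload catalogue entry could carry."""
    return {
        "syscall_counts": Counter(r["syscall"] for r in records),
        "failed_calls": sum(1 for r in records if r["error"]),
        "pids": sorted({r["pid"] for r in records}),
    }


if __name__ == "__main__":
    # The key would normally be generated per dataset and kept by the data owner.
    key = b"example-dataset-key"
    recs = parse_trace(SAMPLE_TRACE, key)
    for rec in recs:
        print(rec)
    print(characterize(recs))
```

The pseudonyms are keyed rather than plain hashes because user names and IP addresses are drawn from small spaces that a plain hash would not protect; the key stays with the data owner and only the transformed trace is published. Error codes and return values are kept verbatim because failed system calls are often exactly what a HIDS is looking for.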
