Re: HTTP LOG files Labeling

[Stefano Zanero <zanero () elet polimi it>]

wangweifrequent () gmail com wrote:
> In fact, we have designed a (good) online and adaptive anomaly
> detection method for detecting HTTP attacks.

How do you know, if you don't have a testing dataset yet ?

> We have obtained the detection results with our methods but we have
> to know which lines are real attacks and which lines are not so that
> we can compute the true positive rates and false positive rates to
> evaluate our anomaly detection methods.

... so how do you know your method is good ? You haven't evaluated it yet...

> Ideally labeling the HTTP logs is to use a precise signature-based
> IDS (e.g., snort), but we didn't use it during data collection.

That's senseless, since:
a) Snort may have false negatives, or exhibit noncontextual alerts 
because of misconfiguration
b) An anomaly detector should flag things that a misuse detector by 
definition doesn't care about

you need a dataset which is hand labelled, sorry.

Stefano

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------