Re: HTTP LOG files Labeling



wangweifrequent@xxxxxxxxx wrote:
In fact, we have designed a (good) online and adaptive anomaly
detection method for detecting HTTP attacks.

How do you know, if you don't have a testing dataset yet ?

We have obtained the detection results with our methods but we have
to know which lines are real attacks and which lines are not so that
we can compute the true positive rates and false positive rates to
evaluate our anomaly detection methods.

... so how do you know your method is good ? You haven't evaluated it yet...

Ideally labeling the HTTP logs is to use a precise signature-based
IDS (e.g., snort), but we didn't use it during data collection.

That's senseless, since:
a) Snort may have false negatives, or exhibit noncontextual alerts because of misconfiguration
b) An anomaly detector should flag things that a misuse detector by definition doesn't care about

you need a dataset which is hand labelled, sorry.

Stefano

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------