Re: HTTP LOG files Labeling



wangweifrequent@xxxxxxxxx wrote:
> In fact, we have designed a (good) online and adaptive anomaly
> detection method for detecting HTTP attacks.

How do you know, if you don't have a testing dataset yet?

> We have obtained the detection results with our methods but we have
> to know which lines are real attacks and which lines are not so that
> we can compute the true positive rates and false positive rates to
> evaluate our anomaly detection methods.

... so how do you know your method is good? You haven't evaluated it yet...

> Ideally, the HTTP logs would be labeled using a precise signature-based
> IDS (e.g., Snort), but we didn't use one during data collection.

That's senseless, since:
a) Snort may have false negatives, or exhibit noncontextual alerts because of misconfiguration
b) An anomaly detector should flag things that a misuse detector by definition doesn't care about

You need a dataset which is hand-labelled, sorry.

Stefano
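Stefano's objection in numbers, as an added example that is not part of the thread: the same anomaly-detector verdicts are scored once against hand labels and once against labels derived from a toy signature matcher standing in for Snort. Log lines, hand labels, detector verdicts and signature rules are all constructed for this illustration.

```python
"""Score anomaly-detector verdicts against hand labels vs signature-derived labels."""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed access-log lines; the quoted part is the request line.
LOG_LINES: List[str] = [
    '10.0.0.1 - - [01/Jan/2008:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Jan/2008:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
    '10.0.0.3 - - [01/Jan/2008:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 700',
    '10.0.0.4 - - [01/Jan/2008:10:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2008:10:00:04 +0000] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 0',
    '10.0.0.6 - - [01/Jan/2008:10:00:05 +0000] "GET /search?q=' + "a" * 60 + ' HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2008:10:00:06 +0000] "GET /products?id=42 HTTP/1.1" 200 900',
    '10.0.0.8 - - [01/Jan/2008:10:00:07 +0000] "GET /docs/etc/passwd.5.html HTTP/1.1" 200 3000',
]
# Hand labels (assumed analyst ground truth): True = real attack.
HAND_LABELS: List[bool] = [False, False, False, False, True, True, False, False]
# Verdicts the anomaly detector already produced (constructed): it catches both
# attacks and raises one false alarm on the /products request.
DETECTOR_FLAGS: List[bool] = [False, False, False, False, True, True, True, False]
# Toy signature rules in place of a misuse detector; no rule covers the long query.
SIGNATURES = [re.compile(r"\.\./"), re.compile(r"/etc/passwd")]


def request_line(log_line: str) -> str:
    """Return the quoted request line of a log entry ("" if none)."""
    m = re.search(r'"([^"]*)"', log_line)
    return m.group(1) if m else ""


def signature_labels(lines: Sequence[str]) -> List[bool]:
    """Label a line as an attack iff any signature matches its request line."""
    return [any(s.search(request_line(ln)) for s in SIGNATURES) for ln in lines]


def confusion(flags: Sequence[bool], truth: Sequence[bool]) -> Dict[str, int]:
    """Confusion matrix of detector flags against a label set."""
    cm = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for f, t in zip(flags, truth):
        cm[("t" if f == t else "f") + ("p" if f else "n")] += 1
    return cm


def rates(cm: Dict[str, int]) -> Tuple[float, float]:
    """(true positive rate, false positive rate); 0.0 when a denominator is empty."""
    pos, neg = cm["tp"] + cm["fn"], cm["fp"] + cm["tn"]
    return (cm["tp"] / pos if pos else 0.0, cm["fp"] / neg if neg else 0.0)


def evaluate(flags: Sequence[bool], truth: Sequence[bool]) -> Tuple[float, float]:
    return rates(confusion(flags, truth))


if __name__ == "__main__":
    print("vs hand labels      (TPR, FPR):", evaluate(DETECTOR_FLAGS, HAND_LABELS))
    print("vs signature labels (TPR, FPR):", evaluate(DETECTOR_FLAGS, signature_labels(LOG_LINES)))
```

Against the hand labels the detector scores TPR 1.0 and FPR 1/6; against the signature-derived labels the same verdicts score TPR 0.5 and FPR 1/3, because the signature set misses the long-query attack (point b) and fires on the benign man-page URL (point a).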
