Re: HTTP LOG files Labeling
- From: Stefano Zanero <zanero@xxxxxxxxxxxxxx>
- Date: Thu, 22 May 2008 22:05:29 +0200
wangweifrequent@xxxxxxxxx wrote:
In fact, we have designed a (good) online and adaptive anomaly
detection method for detecting HTTP attacks.
How do you know, if you don't have a testing dataset yet ?
We have obtained the detection results with our methods but we have
to know which lines are real attacks and which lines are not so that
we can compute the true positive rates and false positive rates to
evaluate our anomaly detection methods.
... so how do you know your method is good ? You haven't evaluated it yet...
Ideally labeling the HTTP logs is to use a precise signature-based
IDS (e.g., snort), but we didn't use it during data collection.
That's senseless, since:
a) Snort may have false negatives, or exhibit noncontextual alerts because of misconfiguration
b) An anomaly detector should flag things that a misuse detector by definition doesn't care about
you need a dataset which is hand labelled, sorry.
Stefano
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
- Follow-Ups:
- Re: HTTP LOG files Labeling
- From: \"Zow\" Terry Brugger
- Re: HTTP LOG files Labeling
- References:
- Re: Re: HTTP LOG files Labeling
- From: wangweifrequent
- Re: Re: HTTP LOG files Labeling
- Prev by Date: Re: Re: OSSIM as IDS
- Next by Date: Re: HTTP LOG files Labeling
- Previous by thread: Re: Re: HTTP LOG files Labeling
- Next by thread: Re: HTTP LOG files Labeling
- Index(es):
Relevant Pages
|
