Cybersecurity attacks: which dataset should be used to evaluate an intrusion detection system?

Danijela D. Protić; Miomir M. Stanković

doi:10.5937/vojtehg71-46524

Danijela D. Protić Vojska Srbije, Generalštab, Uprava za telekomunikacije i informatiku (J-6), Centar za primenjenu matematiku i elektroniku, Beograd, Republika Srbija https://orcid.org/0000-0003-0827-2863
Miomir M. Stanković Matematički institut Srpske akademije nauka i umetnosti, Beograd, Republika Srbija https://orcid.org/0009-0002-8504-6966

DOI: https://doi.org/10.5937/vojtehg71-46524

Ključne reči: ADFA, AWID, CAIDA, CIC-IDS-2017, CSE-CIC-2018, DARPA, ISCX 2012, KDD Cup ’99, Kyoto 2006 , NSL-KDD, UNSW-NB15

Sažetak

Uvod: Analiza velikih skupova podataka koji se koriste za detekciju upada postaje istraživački izazov. U radu su predstavljeni najčešće korišćeni skupovi podataka. ADFA sadrži dva skupa podataka sa zapisima iz Linux-a i Unix-a. AWID je zasnovan na realnoj normalnoj aktivnosti i aktivnosti upada u IEEE 802.11 Wi-Fi mrežu. CAIDA sadrži podatke sa geografskih i topološki različitih regiona. CIC-IDS-2017 je bazirana na protokolima: HTTP, HTTPS, FTP, SSH i email. CSE-CIC-2018 uključuje apstraktne modele distribucije za aplikacije, protokole i mrežne entitete nižeg nivoa. DARPA sadrži podatke o mrežnom saobraćaju. ISCX 2012 je skup podataka različitih višestepenih napada i stvarnog mrežnog saobraćaja sa pozadinskim šumom. KDD Cup ‘99 je simulirana baza podataka virtualnog mrežnog okruženja. Kyoto 2006+ sadrži zapise realnog mrežnog saobraćajai koristi se isključivo za detekciju anomalija. NSL-KDD koriguje probleme iz KDD Cup ’99 izazvane redundantnim zapisima i duplikatima. UNSW-NB-15 nastaje kombinacijom realnog i sintetizovanog saobraćaja koji opisuje aktivnosti tipa napada na mrežni saobraćaj.

Metode: Ovaj rad koristi kvalitativnu i kvantitativnu tehnologiju. Razmatrane su naučne reference i javno dostupne informacije o datim bazama podataka.

Rezultati: Baze podataka se često simuliraju da bi bili ispunjeni ciljevi koje zahteva određena organizacija. Broj realnih baza podataka je veoma mali u poređenju sa simuliranim bazama podataka. Detekcija anomalija danas se retko koristi.

Zaključak: Prikazane su glavne karakteristike i komparativna analiza skupova podataka u pogledu datuma nastanka, veličine, broja atributa, vrste saobraćaja i namene.

Reference

Ahmad, I., Haq, Q.E.U., Imran, M., Alassafi, M.O. & AlGhamdi, R.A. 2022. An efficient network intrusion detection and classification system. Mathematics, 10(3), art.number:530. Available at: https://doi.org/10.3390/math10030530.

Ashok Kumar, D. & Venugopalan, S.R. 2018. A Novel algorithm for Network Anomaly Detection using Adaptive Machine Learning. In: Saeed, K., Chaki, N., Pati, B., Bakshi, S. & Mohapatra, D. (Eds.) Progress in Advanced Computing and Intelligent Engineering. Advances in Intelligent Systems and Computing, 564. Singapore: Springer. Available at: https://doi.org/10.1007/978-981-10-6875-1_7.

Behal, S. & Kumar, K. 2016. Trends in validation of DDoS research. International Conference on Computational Modeling and Security. Procedia Computer Science, 85, pp.7-15. Available at: https://doi.org/10.1016/j.procs.2016.05.170.

Bohara, B., Bhuyan, J., Wu, F. & Ding, J. 2020. A Survey on the Use of Data Clustering for Intrusion Detection System in Cybersecurity. International Journal of Network Security & Its Applications (IJNSA), 12(1), pp.1-18. Available at: https://doi.org/10.5121/ijnsa.2020.12101.

Borisniya, B. & Patel, D.R. 2015. Evaluation of Modified Vec tor Space Representation Using ADFA-LD and ADFA-WD Datasets. Journal of Information Security, 6(3), 250-264. Available at: https://doi.org/10.4236/jis.2015.63025.

-CAIDA. 2019. The CAIDA Anonymized Internet Traces Dataset (April 2008 - January 2019). Caida.org, December 3 [online]. Available at: https://www.caida.org/catalog/datasets/passive_dataset/ [Accessed: 10 June 2023].

-CAIDA. 2020a. The CAIDA “DDoS Attack 2007” Dataset. 2020. Caida.org, June 24 [online]. Available at: https://www.caida.org/catalog/datasets/ddos-20070804_dataset/ [Accessed: 10 June 2023].

-CAIDA. 2020b. The CAIDA OC48 Peering Point Traces. 2020. Caida.org, June 24 [online] Available at: https://www.caida.org/catalog/datasets/passive_oc48_dataset/ [Accessed: 10 June 2023].

Chen, J., Yang, T., He, B. & He, L. 2021. An analysis and research on wireless network security dataset. In: 2021 International Conference on Big Data Analysis and Computer Science (BDACS), Kunming, China, pp.80-83, June 25-27. Available at: https://doi.org/10.1109/BDACS53596.2021.00025.

Demertzis, K. 2018. The Bro Intrusion Detection System. Research Gate. Available at: https://doi.org/10.13140/RG.2.2.35333.40168.

Ferriyan, A., Thamrin, A.H., Takeda, K. & Murai, J. 2021. Generating Network Intrusion Detection Dataset Based on Real and Encrypted Synthetic Attack Traffic. Applied Sciences, 11(17), art.number:7868. Available at: https://doi.org/10.3390/app11177868.

Jie, C., Jiawei, L., Shulin, W. & Sheng, Y. 2018. Feature selection in machine learning: A new perspective. Neurocomputing, 300, pp.70-79. Available at: https://doi.org/10.1016/j.neucom.2017.11.077.

Khan, M.A., Karim, Md.R. & Kim, Y. 2019. A Scalable and Hybrid Intrusion Detection System Based on the Convolutional-LSTM Network. Symmetry, 11(4), art.number:583. Available at: https://doi.org/10.3390/sym11040583.

Khraisat, A. Gondal, I., Vamplew, P. & Kamruzzaman, J. 2019. Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity, 2(art.number:20). Available at: https://doi.org/10.1186/s42400-019-0038-7.

Khor, K.-C., Ting, C.-Y. & Amnuaisuk, S.-P. 2009. A Feature Selection Approach for Network Intrusion Detection. In: 2009 International Conference on Information Management and Engineering, Kuala Lumpur, Malaysia, pp.133-137, April 3-5. Available at: https://doi.org/10.1109/ICIME.2009.68.

-KDD. 1999. SIGKDD-KDD Cup: KDD Cup 1999: Computer network intrusion detection. Kdd.org [online] Available at: https://kdd.org/kdd-cup/view/kdd-cup-1999 [Accessed: 10 June 2023].

Levy, J.L. & Khoshgoftaar, T.M. 2020. A survey and analysis of intrusion detection models based on CSE-CIC IDS 2018 Big Data. Journal of Big Data 7(art.number:104). Available at: https://doi.org/10.1186/s40537-020-00382-x.

Lippmann, R.P., Cunningham, R.K., Fried, D.J., Graf, I., Kendal, K.R., Webster, S.E. & Zissman, M.A. 2000. Results of DARPA 1998 Offline Intrusion Detection Evaluation. In: Recent Advances in Intrusion Detection, RAID 99 Conference, West Lafayette, Indiana, USA. September 7-9. [online] Available at: https://archive.ll.mit.edu/ideval/files/RAID_1999a.pdf [Accessed: 10 June 2023].

McCarthy, R. 2014. Network analysis with the Bro Network Security Monitor. ADMIN Network & Security, 24 [online] Available at: https://www.admin-magazine.com/Archive/2014/24/Network-analysis-with-the-Bro-Network-Security-Monitor/(language)/eng-US [Accessed: 10 June 2023].

Mighan, S.N. & Kahani, M.A. 2021. A novel scalable intrusion detection system based on deep learning. International Journal of Information Security, 20, pp.387-403. Available at: https://doi.org/10.1007/s10207-020-00508-5.

Moustafa, N. & Slay, J. 2015. UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: 2015 Military Communications and Information Systems Conference (MilCIS), Canberra, ACT, Australia, pp.1-6, November 10-12. Available at: https://doi.org/10.1109/MilCIS.2015.7348942.

Najafabadi, M.N., Khoshgoftaar, T.M. & Selyia, N. 2016. Evaluating Feature Selection Methods for Network Intrusion Detection with Kyoto Data. International Journal of Reliability, Quality and Safety Engineering, 23(1), art.number:1650001. Available at: https://doi.org/10.1142/S0218539316500017.

Natkaniec, M. & Bednarz, M. 2023. Wireless Local Area Networks Threat Detection Using 1D-CNN. Sensors, 23(12), art.number:5507. Available at: https://doi.org/10.3390/s23125507.

Nkiama, H., Mohd Said, S.Z. & Saidu, M. 2016. A Subset Feature Elimination Mechanisms for Intrusion Detection System. International Journal of Advanced Computer Science and Application, 7(4), pp.148-157. Available at: https://doi.org/10.14569/IJACSA.2016.070419.

Omar, S., Ngadi, A. & Jebur, H.H. 2013. Machine Learning Techniques for Anomaly Detection: An Overview. International Journal of Computer Applications, 79(2), pp.33-41 [online] Available at: https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=0278bbaf1db5df036f02393679d485260b1daeb7 [Accessed: 10 June 2023].

Park, K., Song, Y. & Cheong, Y. 2018. Classification of Attack Types for Intrusion Detection Systems Using a Machine Learning Algorithm. In: 2018 IEEE Fourth International Conference on Big Data Computing Service and Applications (BigDataService), Bamberg, Germany, pp.282-286, March 26-29. Available at: https://doi.org/10.1109/BigDataService.2018.00050.

Proebstel, E.P. 2008. Characterizing and Improving Distributed Network-based Intrusion Detection Systems (NIDS): Timestamp Synchronization and Sampled Traffic. Master thesis. Davis: University of California [online]. Available at: https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ee123bb36e6d16ac9b70507e7ac614791dd8f759 [Accessed: 10 June 2023].

Protić, D. 2018. Review of KDD Cup '99, NSL-KDD and Kyoto 2006+ datasets. Vojnotehnički glasnik/Military Technical Courier, 66(3), pp.580-596. Available at: https://doi.org/10.5937/vojtehg66-16670.

Protić, D. & Stanković, M. 2020. Anomaly-Based Intrusion Detection: Feature Selection and Normalization Influence to the Machine Learning Models Accuracy. European Journal of Formal Sciences and Engineering, 3(1), pp.1-9. Available at: https://doi.org/10.26417/ejef.v2i3.p101-106.

Serkani, E., Gharaee, H. & Mohammadzadeh, N. 2019. Anomaly Detection Using SVM as Classifier and Decision Tree for Optimizing Feature Vectors. The ISC International Journal of Information Security (ISeCure), 11(2), pp.159-171 [online]. Available at: https://www.isecure-journal.com/article_91592_e825e0139e75d44a6b543ad437c18379.pdf [Accessed: 10 June 2023].

Sharafaldin, I., Lashkari, A.H. & Ghorbani, A.A. 2018. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy ICISSP, Funchal, Madeira, Portugal, 1, pp.108-116, January 22-24. Available at: https://doi.org/10.5220/0006639801080116.

Singh, R., Kumar, H. & Singla, R.K. 2015. An intrusion detection system using network traffic profiling and online sequential extreme learning machine. Expert Systems with Applications, 42(22), pp.8609-8624. Available at: https://doi.org/10.1016/j.eswa.2015.07.015.

Soltani, M., Siavoshani, M.J. & Jahangir, A.H. 2021. A content based deep intrusion detection system. International Journal of Information Security, 21, pp.547-562. Available at: https://doi.org/10.1007/s10207-021-00567-2.

Song, J., Takakura, H., Okabe, Y., Eto, M., Inoue, D. & Nakao, K. 2011. Statistical analysis of honeypot data and building of Kyoto 2006+ dataset for NIDS evaluation. In: EuroSys '11: Sixth EuroSys Conference: BADGERS '11 - Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Salzburg, Austria, pp.29-36, April 10-13. Available at: https://doi.org/10.1145/1978672.1978676.

Sudaroli Vijayakumar, D. & Ganapathy, S. 2018. Machine Learning Approach to Combat False Alarms in Wireless Intrusion Detection System. Computer and Information Science 11(3), pp.67-81. Available at: https://doi.org/10.5539/cis.v11n3p67.

Tavallaee, M., Bagheri, E., Lu, W. & Ghorbani, A. 2009. A Detailed Analysis of the KDD Cup ’99 dataset. In: 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada, pp.1-6, July 8-10. Available at: Available at: https://doi.org/10.1109/CISDA.2009.5356528.

Thakkar, A. & Lohiya, R. 2020. A Review of the Advancement in Intrusion Detection Datasets. Procedia Computer Science, 167, pp.636-645. Available at: https://doi.org/10.1016/j.procs.2020.03.330.

Thomas, C., Sharma, V. & Balakrishnan, N. 2008. Usefulness of DARPA dataset for intrusion detection system evaluation. In: Proceedings: Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security, 6973, pp.1-8, March 16. Available at: https://doi.org/10.1117/12.777341.

Ting, K.M. 2011. Confusion Matrix. In: Sammut, C. & Webb, G.I. (Eds.) Encyclopedia of Machine Learning. Boston, MA: Springer. Available at: https://doi.org/10.1007/978-0-387-30164-8_157.

-UNB University of New Brunswick: Canadian Institute for Cybersecurity. 2018. CSE-CIC/IDS2018 on AWS [online] Available at: https://www.unb.ca/cic/datasets/ids-2018.html [Accessed: 10 June 2023].

-UNB University of New Brunswick: Canadian Institute for Cybersecurity. 2017. Intrusion Detection Evaluation Dataset (CIC-IDS2017) [online]. Available at: https://www.unb.ca/cic/datasets/ids-2017.html [Accessed: 10 June 2023].

-UNB University of New Brunswick: Canadian Institute for Cybersecurity. 2012. Intrusion Detection Evaluation Dataset (ISCXIDS2012) [online] Available at: https://www.unb.ca/cic/datasets/ids.html [Accessed: 10 June 2023].

-UNSV Sydney. 2021. The UNSW-NB15 Dataset. 2021. UNSV Sydney, June 02 [online] Available at: https://research.unsw.edu.au/projects/unsw-nb15-dataset [Accessed: 10 June 2023].

Xie, M., Hu, J., Yu, X. & Chang, E. 2014. Evaluating Host-Based Anomaly Detection Systems: Application of the Frequency-Based Algorithms to ADFA-LD. In: Au, M.H., Carminati, B. & Kuo, CC.J. (Eds.) Network and System Security. NSS 2015. Lecture Notes in Computer Science, 8792. Cham: Springer. Available at: https://doi.org/10.1007/978-3-319-11698-3_44.

Zhang, S., Xie, X. & Xu, Y. 2020. A Brute-Force Black-Box Method to Attack Machine Learning-Based Systems in Cybersecurity. IEEE Access, 8, pp.128250-128263. Available at: https://doi.org/10.1109/ACCESS.2020.3008433.

Napadi na sajber bezbednost: koji skup podataka treba koristiti za evaluaciju sistema za detekciju upada?

Sažetak

Reference

Vojnotehnički glasnik omogućava otvoreni pristup i, u skladu sa preporukom CEON-a, primenjuje Creative Commons odredbe o autorskim pravima:

Autori koji objavljuju u Vojnotehničkom glasniku pristaju na sledeće uslove: