David, to follow on from Tim's questions, I am assuming that you are
talking about network anomaly detection?
What kind of anomaly detection are you trying to test?
Protocol anomaly detection? Behavioural anomaly detection? Anomalies
detected via deviation from baseline? Exceeding certain thresholds?
Non-compliance with RFCs?
I would be more than happy to share experiences in methods I have used
to test and demonstrate some of the above if you provide some more
detailed information of the detection methodology...
Rgds.
On 12 Jul 2005 02:40:18 -0000, david.sames@sparta.com
<david.sames@sparta.com> wrote:
I'm in the process of developing test procedures for evaluating an internal
anomaly-based detection system. I'd like to construct a test set of nominal
data peppered with attack data. What is a reasonable ratio of attack data to
"normal" traffic that is representative of "real" systems.
Thanks,
Dave
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
