Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: MIT Darpa Dataset,

from [Sanjay Rawat] Network Security [Permanent Link]
Subject: Re: MIT Darpa Dataset,
Date: Tue, 20 Sep 2005 10:58:28 +0530
At 02:39 PM 9/19/2005, Wilmar SULAIMAN wrote: 
Dear all,

I was wondering how normally people test their machine learning algorithims in MIT darpa dataset?

A lot of preprocessing is required before you actually apply DARPA data to any of the ML algos. In my case, it took a major portion of total time, I spent in experimentation!!!


I asked this question because I found that :
1) There is a time gap between the published list of attack to the dataset. For instance APACHE2 attack, the published list of attack say the attack was start on 00:00:40 (not the fake time), normally I see the attack within +-10 seconds of the published list of attack (this is by looking directly on the payload)

2) Many of U2R attack are in port 23. For instance the attacker executes the command : $./exploit
In the real dataset especially for per packet model, it will get translated to many packets i.e
1st packet contains "$"
2st packet contains "."
3rd packet contains "/"
4th packet contains "e"

If the IDS identified say the 4th packet as anomalous , is it justifiable to say that the IDS detects the particular attack?

It depends on the implementation of your IDS. Some IDS buffer the data before matching it against the stored patterns. In this case, one should be able to see the whole string "$./exploit". So..no problem. If you are looking per packet basis and you are able to find some anomalous pattern in one packet, before the connection is terminated, then I think, it should be OK. If your aim is to find intrusive "connections", then any packet corresponding to intrusive connection, detected as malicious, should be good.


thanks

Wilmar Sulaiman



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------


Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com






------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Any Def Con packet captures, Richard Bejtlich
Next by Date:  [ANNOUNCE]: Prelude Hybrid IDS suite 0.9.0 released, Yoann Vandoorselaere
Previous by Thread:  MIT Darpa Dataset,, Wilmar SULAIMAN
Next by Thread:  RE: IPS comparison, Frank Knobbe
Indexes:  [Date] [Thread] [Top] [All Lists]