Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection Evaluation

Since the DARPA Intrusion Detection Evaluation Data Set [2] was made available in 1998, and then updated in 1999 and 2000, it seems that no other significant freely available data sets have been provided to allow benchmarking of Intrusion Detection Systems (IDS). Even if those traffic traces are still used by the security research community, they have not been updated since. The absence of additional data is mainly due to the cumbersomeness of the task. This lack of data was mentioned in a NIST Interagency Report published in 2003 [3], which raised the fact that more data sets are needed to test and evaluate Intrusion Detection Systems. In the conclusion of this report, some recommendations for IDS Testing Research are made. Among those recommendations, the authors insist that data sets should contain realistic data and be shared freely between multiple organizations. They also state that there is a great need to provide the security community with a large set of attack traces. Such information could be easily added to and would greatly augment existing vulnerability databases. The resulting vulnerability/attack trace databases would aid IDS testing researchers and would provide valuable data for IDS developers. To address those issues and facilitate certain aspects of this task, we developed a strategy to rapidly generate and collect a large number of attack traffic traces for intrusion detection system testing and evaluation. To develop such a large scale data set, a controlled network infrastructure had to be developed. This infrastructure had to allow: