Person:
Owen, Henry L., III


Publication Search Results

  • Flow Based Observations from NETI@home and Honeynet Data
    (Georgia Institute of Technology, 2005-06) Grizzard, Julian B. ; Simpson, Charles Robert, Jr. ; Krasser, Sven ; Owen, Henry L., III ; Riley, George F.
    We conduct a flow based comparison of honeynet traffic, representing malicious traffic, and NETI@home traffic, representing typical end user traffic. We present a cumulative distribution function of the number of packets for a TCP flow and learn that a large portion of these flows in both datasets are failed and potentially malicious connection attempts. Next, we look at a histogram of TCP port activity over large time scales to gain insight into port scanning and worm activity. One key observation is that new worms can linger on for more than a year after the initial release date. Finally, we look at activity relative to the IP address space and observe that the sources of malicious traffic are spread across the allocated range.
  • Intrusion Detection Testing and Benchmarking Methodologies
    (Georgia Institute of Technology, 2003-03) Athanasiades, Nicholas ; Abler, Randal T. ; Levine, John G. (John Glenn) ; Owen, Henry L., III ; Riley, George F.
    The ad-hoc methodology that is prevalent in today’s testing and evaluation of network intrusion detection algorithms and systems makes it difficult to compare different algorithms and approaches. After conducting a survey of the literature on the methods and techniques being used, it can be seen that a new approach that incorporates an open source testing methodology and environment would benefit the information assurance community. After summarizing the literature and presenting several example test and evaluation environments that have been used in the past, we propose a new open source evaluation environment and methodology for use by researchers and developers of new intrusion detection and denial of service detection and prevention algorithms and methodologies.