wangweifrequent_at_gmail.com wrote:
> In fact, we have designed a (good) online and adaptive anomaly
> detection method for detecting HTTP attacks.
How do you know, if you don't have a testing dataset yet?
> We have obtained the detection results with our methods but we have
> to know which lines are real attacks and which lines are not so that
> we can compute the true positive rates and false positive rates to
> evaluate our anomaly detection methods.
... so how do you know your method is good? You haven't evaluated it yet...
> Ideally, the HTTP logs would be labeled using a precise signature-based
> IDS (e.g., Snort), but we didn't use one during data collection.
That's senseless, since:
a) Snort may have false negatives, or exhibit non-contextual alerts
because of misconfiguration;
b) an anomaly detector should flag things that a misuse detector, by
definition, doesn't care about.
You need a dataset which is hand-labelled, sorry.
Stefano
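To make the two objections concrete, here is an added worked example (my own code, not from either poster) that scores an anomaly detector's true-positive and false-positive rates once against hand labels and once against a signature IDS's alerts used as a stand-in for ground truth. The log lines, the hand labels, the "Snort" alerts and the anomaly flags are all constructed for illustration; the point is that a signature-based labeler's false negatives (a novel attack it has no rule for) turn a correct anomaly detection into an apparent false positive, so both rates come out wrong.

```python
from dataclasses import dataclass
from typing import List, Tuple, Dict

@dataclass
class LogLine:
    """One HTTP request plus the three opinions we have about it."""
    request: str
    is_attack: bool     # hand label: the real ground truth
    sig_alert: bool     # constructed: did the signature IDS (e.g. Snort) alert?
    anomaly_flag: bool  # constructed: did the anomaly detector flag it?

# Constructed sample log, not real traffic.
SAMPLE: List[LogLine] = [
    LogLine("GET /index.html",                              False, False, False),
    LogLine("GET /login.php?user=admin'--",                 True,  True,  True),   # known SQLi: both catch it
    LogLine("GET /search?q=<script>alert(1)</script>",      True,  True,  True),   # known XSS: both catch it
    LogLine("GET /cgi-bin/../../etc/passwd",                True,  True,  False),  # anomaly detector misses it
    LogLine("GET /api/v2/export?fmt=zzz&zzz=AAAAAAAAAAAA",  True,  False, True),   # novel attack: no signature
    LogLine("GET /images/logo.png",                         False, False, False),
    LogLine("POST /upload (very large body)",               False, False, True),   # benign but unusual
    LogLine("GET /about.html",                              False, False, False),
]

def confusion(preds: List[bool], labels: List[bool]) -> Dict[str, int]:
    """Count TP/FP/FN/TN of a prediction vector against a label vector."""
    c = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for p, l in zip(preds, labels):
        if p and l:
            c["tp"] += 1
        elif p and not l:
            c["fp"] += 1
        elif not p and l:
            c["fn"] += 1
        else:
            c["tn"] += 1
    return c

def rates(c: Dict[str, int]) -> Tuple[float, float]:
    """Return (true positive rate, false positive rate); 0.0 if a denominator is empty."""
    pos = c["tp"] + c["fn"]
    neg = c["fp"] + c["tn"]
    tpr = c["tp"] / pos if pos else 0.0
    fpr = c["fp"] / neg if neg else 0.0
    return tpr, fpr

def evaluate(lines: List[LogLine], ground_truth: str) -> Tuple[float, float]:
    """Score the anomaly detector against 'hand' labels or against the
    signature IDS's alerts ('signature') treated as if they were labels."""
    if ground_truth == "hand":
        labels = [ln.is_attack for ln in lines]
    elif ground_truth == "signature":
        labels = [ln.sig_alert for ln in lines]
    else:
        raise ValueError("ground_truth must be 'hand' or 'signature'")
    preds = [ln.anomaly_flag for ln in lines]
    return rates(confusion(preds, labels))

def mislabeled_by_signature(lines: List[LogLine]) -> List[str]:
    """Requests the signature IDS got wrong relative to hand labels: these are
    exactly the lines that corrupt the 'signature'-based evaluation."""
    return [ln.request for ln in lines if ln.sig_alert != ln.is_attack]

if __name__ == "__main__":
    for gt in ("hand", "signature"):
        tpr, fpr = evaluate(SAMPLE, gt)
        print(f"ground truth = {gt:9s}  TPR = {tpr:.3f}  FPR = {fpr:.3f}")
    print("lines the signature IDS mislabels:", mislabeled_by_signature(SAMPLE))
```

Against the hand labels the detector scores TPR 0.75 / FPR 0.25; against the signature alerts the same predictions score TPR 0.667 / FPR 0.4, because the novel request the IDS has no rule for is counted as a false positive instead of a true positive. That is objection (a) and (b) in one run: the labeler's own false negatives, and the fact that an anomaly detector is supposed to catch things no signature describes, both make a signature IDS unsuitable as ground truth.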
Received on May 22 2008