Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
Packet- vs. session-based modeling for intrusion detection systems
Caulkins B., Lee J., Wang M.  Coding and computing (Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC’05) - Volume I, Apr 4-6, 2005)116-121.2005.Type:Proceedings
Date Reviewed: Aug 22 2005

This paper aims to provide a comparison between session-based and packet-based modeling techniques for building anomaly detection systems. The authors state that they will propose a methodology for performing such comparisons.

Although this research topic is interesting indeed, the paper falls short in several ways. The authors use the 1999 Defense Advanced Research Projects Agency (DARPA) evaluation dataset, which has well-known shortcomings [1]. They do not fully describe the data preparation: why they chose to discard certain features, such as the source/destination hosts, is not explained. They also do not describe their classifier, making it difficult to replicate their results.

After creating a model of the DARPA dataset, they apply it to an unlabeled dataset drawn from their own network, which is completely different from the 1999 testbed. It is quite challenging to understand how this could possibly work.

But, in fact, we do not know whether or not the experiment succeeded. The authors do not give any meaningful results, such as a detection rate or false-positive rate. They just give a “positive rate,” leaving us to guess whether their approach is a great detector, or just a generator of white noise.

From these limited observations, no conclusions can be drawn regarding the original question of comparing session- and packet-based mechanisms for anomaly detection.

Reviewer:  Stefano Zanero Review #: CR131699 (0607-0717)
1) Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. on Information and System Security 3, 4 (2000), 262–294.
Bookmark and Share
  Reviewer Selected
Would you recommend this review?
Other reviews under "Security and Protection": Date
Factors affecting distributed system security
Nessett D. IEEE Transactions on Software Engineering SE-13(2): 233-248, 1987. Type: Article
Jun 1 1988
Developing trust: online privacy and security
Curtin M., APress, LP, Berkeley, CA, 2002.  282, Type: Book (9781893115729), Reviews: (2 of 2)
Nov 14 2002
Internet security dictionary: a quantitative approach, (3rd ed.)
Phoha V., Springer-Verlag New York, Inc., New York, NY, 2002.  320, Type: Book (9780387952611)
Jul 21 2003

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 2004™
Terms of Use
| Privacy Policy