Real traffic logs creation for testing intrusion detection systems


Publisher

John Wiley and Sons Ltd

Abstract

Port scanning is one of the most popular reconnaissance techniques: many attackers use it to profile the services running on a potential target before launching an attack. Many port scanning detection mechanisms have been proposed in the literature. To test these detection approaches, researchers either use data sets that are available online or simulate their own. However, the available data sets do not provide complete logs and are usually outdated, and the simulated data sets produce logs that do not resemble real-life scenarios. These deficiencies strongly affect how well intrusion detection systems (IDSs) can be tested and lead to poor evaluations. Meanwhile, very little work has been done on generating port scanning benchmarks that researchers can use to test their detection methods. In this work, we propose a simulation framework built on OMNeT++ to generate benchmarks that resemble real-life traffic. We divide the problem into three modules: (1) topology creation; (2) good traffic generation; and (3) bad traffic generation, each of which is made realistic, similar to deployed and usable networks. The resulting benchmark is then tested using Snort and MalwareAnalysis. The tested IDSs were unable to detect many of the generated port scanning attacks, specifically the slow and distributed ones. We also measured the attack detection efficiency of the IDSs under different loads of background activity. The proposed framework and the annotated benchmarks therefore give researchers and industry an effective way of testing the strength of IDSs' port scanning detection modules. Copyright © 2014 John Wiley & Sons, Ltd.

Keywords

Benchmark testing, Computer security, Intrusion detection, Simulation, Computer crime, Computer testing, Scanning, Security of data, Detection approach, Detection mechanism, Intrusion detection systems, Simulated datasets, Simulation framework, Traffic generation
