Publications

On the limits of payload-oblivious network attack detection

Abstract

We introduce a methodology for evaluating network intrusion detection systems using an observable attack space, which is a parameterized representation of a type of attack that can be observed in a particular type of log data. Using the observable attack space for log data that does not include payload (e.g., NetFlow data), we evaluate the effectiveness of five proposed detectors for bot harvesting and scanning attacks, in terms of their ability (even when used in conjunction) to deter the attacker from reaching his goals. We demonstrate the ranges of attack parameter values that would avoid detection, or rather that would require an inordinately high number of false alarms in order to detect them consistently.

Date: November 2, 2025
Authors: M. Patrick Collins, Michael K. Reiter
Conference: Recent Advances in Intrusion Detection: 11th International Symposium, RAID 2008, Cambridge, MA, USA, September 15-17, 2008. Proceedings 11
Pages: 251-270
Publisher: Springer Berlin Heidelberg