Increasing Diversity in Network Intrusion Detection System Evaluation

The performance of Network Intrusion Detection Systems (NIDS) depends heavily on the inputs to the system (rules and network traffic). A common trend in the evaluation of NIDS is to use a narrow selection of publicly or privately available rule-sets and traffic. Private rule-sets and traffic make the repeatability of experiments difficult while publicly available rule-sets and traffic often lack the diversity to explore the NIDS's true operating range. This can cause misleading results in the face of inputs that do not adequately test the NIDS. To improve diversity and provide better context for evaluations it is necessary to employ synthesized traffic and rules in addition to the use of public or private traffic and rule-sets. This research expands on previous models and tools to provide systematic means for increasing the diversity and context of any evaluation providing for a broader perspective from which to view NIDS performance and compare results.