[EMAIL PROTECTED] wrote:
In fact, we have designed a (good) online and adaptive anomaly
detection method for detecting HTTP attacks.
How do you know, if you don't have a testing dataset yet ?
We have obtained the detection results with our methods but we have
to know which lines are real attacks and which lines are not so that
we can compute the true positive rates and false positive rates to
evaluate our anomaly detection methods.
... so how do you know your method is good ? You haven't evaluated it yet...
Ideally labeling the HTTP logs is to use a precise signature-based
IDS (e.g., snort), but we didn't use it during data collection.
That's senseless, since:
a) Snort may have false negatives, or exhibit noncontextual alerts
because of misconfiguration
b) An anomaly detector should flag things that a misuse detector by
definition doesn't care about
you need a dataset which is hand labelled, sorry.
Stefano
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
