Network Traffic Emulation for IDS Evaluation

Abstract

The network traffic emulation is used in generating background traffic for IDSs evaluation. The Background traffic can be used to evaluate the false positive level and the performance of the misuse IDSs and help training normal behavior profiles for anomaly IDSs. Currently the emulation methods for the background traffic are either restricted by the performance bottleneck of the software and hardware, or lack of the semantic of flow and session. So they can 't satisfy the IDS evaluation requirement in highspeed network environment. After analyzing the requirement of IDSs evaluation and the characteristics of network traffic, this paper proposes a differential equation model of active flow rate. Based on the equation, a structural simulation model of network flow is constructed and used in the network traffic emulation for IDS evaluation. This model is both simple for high performance and similar to the reality. The experiments show that the model proposed can generate traffic both realistic and controllable.