Generating Realistic Network Traffic for Security Experiments

Abstract

This paper reports results of an effort to develop a test environment in which ¿live¿ attack-free background traffic reflects the characteristics of the network to be defended. The expectation is that new intrusion detection techniques can be better evaluated (and tuned), in such a background, against inserted attacks and no others. Based on analysis of traffic captured from an example network in 2003, we determine models appropriate for the major Internet protocols present and compare these with previously obtained results. We describe the traffic modeling, and we describe an approach for generating realistic attack-free traffic (that is statistically similar to the captured traffic) in a test environment.