Testing IDS using GENESIDS: Realistic Mixed Traffic Generation for IDS Evaluation

Abstract

Evaluating signature-based Network Intrusion Detection Systems (NIDS) is a necessary but in general difficult task. Often, live or recorded real-world traffic is used. However, real-world network traffic is often hard to come by at larger scale and the few available traces usually do not contain application layer payload. Furthermore, these traces only contain a small amount of malicious traffic, which does not suffice to thoroughly test a NIDS. We solve this problem by proposing a complete stateful traffic generation system that mixes realistic traffic with user definable malicious HTTP traffic with the purpose of evaluating a NIDS. By relying on the Snort syntax for traffic definition, we guarantee a large dataset of realistic up-to-date attack patterns.