1999 DARPA Intrusion Detection Evaluation: Design and Procedures

Abstract : Recent DARPA Intrusion Detection (ID) and Strategic Intrusion Assessment (SIA) programs have funded development of new approaches to intrusion detection. The Information Systems Technology Group at MIT Lincoln Laboratory assisted this research with off-line evaluations of these new Systems in 1998 and 1999. These evaluations measured detections and false alarm rates of the intrusion detection systems. Eight research sites participated in the second annual evaluation. A network testbed was developed for this evaluation. It included host computers that were attacked and recently-developed traffic generators that produced live traffic modeled after a small Air Force base. This traffic appears as if it were generated by hundreds of users and thousands of hosts. More than 200 instances of 58 attack types were launched against victim UNIX and Windows NT hosts in three weeks of training data and two weeks of test data. Objectives of this effort were to support algorithm development, perform a blind, off-line evaluation of intrusion detection approaches. and help DARPA guide research directions. This technical report describes the testbed design and operation, background traffic modeling and generation, attack modeling and automation, and the scoring procedure. Results of the 1999 evaluation are discussed in a separate technical report entitled "Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation."