Characterizing Realistic Signature-based Intrusion Detection Benchmarks

Speeding up pattern matching for intrusion detection systems has been a growing field of research. There has been a flux of new algorithms, modifications to existing algorithms and even hardware architectures aimed at improving pattern matching performance. Establishing an accurate comparison to related work is a real challenge because researchers use different datasets and metrics to evaluate their work. The purpose of this paper is to characterize and identify realistic workloads, propose standard benchmarks, and establish common metrics to better compare work in the area of pattern matching for intrusion detection. We collect traffic traces and attack signatures from popular open source platforms. The datasets are processed, cleansed and studied, to give the researchers a better understanding of their characteristics. The final datasets along with detailed information about their origins, contents, features, statistical analysis and performance evaluation using well-known pattern-matching algorithms are available to the public. In addition, we provide a generic parser capable of parsing different intrusion detection systems rule formats and extract attack signatures. Finally, a pattern-matching engine that enables researchers to plug-and-play their new pattern matching algorithms and compare to existing algorithms using the predefined metrics.