DARPA Intrusion Detection Evaluation
1999 DARPA Intrusion Detection Evaluation Data Set
1999 DARPA Intrusion Detection Evaluation Data Set Overview
There were two parts to the 1999 DARPA Intrusion Detection Evaluation: an off-line evaluation and a realtime evaluation.
Intrusion detection systems were tested in the off-line evaluation using network traffic and audit logs collected on a simulation network. The systems processed this data in batch mode and attempted to identify attack sessions in the midst of normal activities.
Intrusion detection systems were delivered to AFRL for the realtime evaluation. These systems were inserted into the AFRL network testbed and attempted to identify attack sessions in the midst of normal activities, in realtime.
Intrusion detection systems were tested as part of the off-line evaluation, the realtime evaluation or both.
Three weeks of training data were provided for the 1999 DARPA Intrusion Detection off-line evaluation.
The first and third weeks of the training data do not contain any attacks. This data was provided to facilitate the training of anomaly detection systems.
The second week of the training data contains a select subset of attacks from the 1998 evaluation in addition to several new attacks. The primary purpose in presenting these attacks was to provide examples of how to report attacks that are detected.
Note: In 1999, Intrusion detection systems were trained using the data from both the 1998 and the 1999 evaluations.
The following files are provided for each day in the training set:
- Outside sniffing data ( Tcpdump format )
- Inside sniffing data ( Tcpdump format )
- BSM audit data ( From pascal )
- NT audit data ( From hume )
- Long listings of directory trees ( From pascal, marx, zeno, and hume )
- Dumps of selected directories ( From pascal, marx, zeno, and hume )
- A Report of file system inode information ( From pascal )
BSM Configuration [tar/gzip]
First Week of Training Data (Attack Free)
Second Week of Training Data (Contains Labled Attacks)
Third Week of Training Data (Attack Free)
Two weeks of network based attacks in the midst of normal background data. The forth and fifth weeks of data are the "Test Data" used in the 1999 Evaluation from 9/16/1999 to 10/1/1999. There are 201 instances of about 56 types of attacks distributed throughout these two weeks.
Further information about the attack instances, where they are located in week 4 and 5 data is found in the "1999 Attack Truth" available on the Documentation page.
top of page