There were two parts to the 1998 DARPA Intrusion Detection Evaluation: an off-line evaluation and a real-time evaluation.

Intrusion detection systems were tested in the off-line evaluation using network traffic and audit logs collected on a simulation network. The systems processed these data in batch mode and attempted to identify attack sessions in the midst of normal activities.

Intrusion detection systems were delivered to the Air Force Research Laboratory (AFRL) for the real-time evaluation. These systems were inserted into the AFRL network test bed and attempted to identify attack sessions in real time during normal activities.

Intrusion detection systems were tested as part of the off-line evaluation, the real-time evaluation, or both.

Sample Data

A sample of the network traffic and audit logs that were used for evaluating systems. These data were first made available in February 1998.

Four-Hour Subset of Training Data

A somewhat larger sample of training data. These data were first made available in May 1998.

Training Data

Seven weeks of network-based attacks in the midst of normal background data. Listings of attacks and anomalies are available in the documentation section below.

Testing Data

Two weeks of network-based attacks in the midst of normal background data.


Documentation

1998 DARPA Intrusion Detection Evaluation

The following three talks presented by MIT Lincoln Laboratory in December 1998 summarize the evaluation.

  • Introduction to the Evaluation [ppt]
  • Summary and Plans for 1999 [pdf]

The official guidelines for the 1998 DARPA evaluation were first made available in March 1998 and were updated throughout the following year.

  • Evaluation schedule
  • Off-line Evaluation Plan [txt]
  • Off-line Evaluation Network Diagram [GIF] [PS] [ppt]
  • List of simulation network hosts (names and IP addresses)
  • Real-time Evaluation Plan [txt]
  • Real-time Evaluation Network [GIF] [PS] [ppt]

Documentation for the first sample of network traffic and audit logs that was first made available in February 1998.

Documentation for a four-hour sample of network traffic and audit logs that was first made available in May 1998.

A list of attacks and a list of anomalies, with descriptions, provide further documentation of the seven weeks of training data used in the 1998 evaluation.