Intrusion detection systems were tested in the off-line evaluation using network traffic and audit logs collected on a simulation network. The systems processed these data in batch mode and attempted to identify attack sessions in the midst of normal activities.

Overview

There were two parts to the 1999 DARPA Intrusion Detection Evaluation: an off-line evaluation and a real-time evaluation.

Intrusion detection systems were tested in the off-line evaluation using network traffic and audit logs collected on a simulation network. The systems processed these data in batch mode and attempted to identify attack sessions in the midst of normal activities.

Intrusion detection systems were delivered to the Air Force Research Laboratory (AFRL) for the real-time evaluation. These systems were inserted into the AFRL network test bed and attempted to identify attack sessions in real time during normal activities.

Intrusion detection systems were tested as part of the off-line evaluation, the real-time evaluation or both.

Training Data

Three weeks of training data were provided for the 1999 DARPA Intrusion Detection off-line evaluation.

The first and third weeks of the training data do not contain any attacks. These data were provided to facilitate the training of anomaly detection systems.

The second week of the training data contains a select subset of attacks from the 1998 evaluation in addition to several new attacks. The primary purpose in presenting these attacks was to provide examples of how to report attacks that are detected.

Note: In 1999, Intrusion detection systems were trained using the data from both the 1998 and the 1999 evaluations.

The following files are provided for each day in the training set:

  • Outside sniffing data ( Tcpdump format )
  • Inside sniffing data ( Tcpdump format )
  • BSM audit data ( From pascal )
  • NT audit data ( From hume )
  • Long listings of directory trees ( From pascal, marx, zeno, and hume )
  • Dumps of selected directories ( From pascal, marx, zeno, and hume )
  • A report of file system inode information ( From pascal )


BSM configuration [tar/gzip]
First week of training data (attack free)
Second week of training data (contains labeled attacks)
Third week of training data (attack free)

 

Testing Data

Two weeks of network-based attacks in the midst of normal background data. The fourth and fifth weeks of data are the test data used in the 1999 evaluation from 9/16/1999 to 10/1/1999. There are 201 instances of about 56 types of attacks distributed throughout these two weeks.

Further information about the attack instances and where they are located in week 4 and 5 data is found in the 1999 Attack Truth available in the documentation section below.


Fourth week of test data
Fifth week of test data


Documentation

1999 DARPA Intrusion Detection Evaluation

The official guidelines for the 1999 DARPA evaluation. Numerous things were changed from the 1998 evaluation.

Other documents about the 1999 evaluation are available.

  • A summary of the 1998 Evaluation with a brief outline of changes for the 1999 Evaluation is available in PDF format.

    A table of stealthy U2R attack instances, showing how each attack instance was made to be stealthy with respect to the network sniffer-based intrusion detection systems.

An attack database is now available online. This attack taxonomy is based on the 1998–1999 training data and incorporates attack descriptions from Kris Kendall's thesis. The database includes attacks considered new in the 1999 Evaluation.

The master's thesis of Kris Kendall contains descriptions of all the attacks used in the 1998 Evaluation and a useful taxonomy of attacks. The thesis is available on the publications page.

Detection scoring truth —List of all attack instances in the 1999 test data

Identification scoring truth — Identification alert entries for all attack instances in the 1999 test data

1999 Analysis of Windows NT Attacks

In early 2000, work was done to further analyze the detectability of all attacks run against the Windows NT host in the 1999 Windows NT event log auditing test data. We have compiled a table of all such attacks and the detection results in 1999 and provided a Perl script that automatically locates the specific implementations of these attacks used in 1999.

  • Table of NT attack instances and detection results in 1999
  • A Perl script for locating the 1999 NT attacks in the audit logs