On the self-similarity of synthetic traffic for the evaluation of intrusion detection systems

The difficulty of quantifying the accuracy of intrusion detection tools against real network data mandates that researchers use simulated attack data for the partial evaluation of such tools. In 1998 and 1999 researchers at MIT Lincoln Labs produced datasets both with and without attack data specifically for use by those interested in developing intrusion detection tools. Because self-similarity has been shown to be a statistical property, of real network traffic, this paper examines the attack-free datasets for the presence of self-similarity in various time periods. The results offer insight for researchers who may wish to use specific subsets of the data for testing. Where the results indicate a lack of self-similarity in the data, the likely cause was determined to be either a low activity level or traffic that was dominated by a single protocol, thus forcing the overall distribution to match its own.