On generating network traffic datasets with synthetic attacks for intrusion detection

semanticscholar(2019)

Abstract
Most research in the area of intrusion detection requires datasets to develop, evaluate or compare systems in one way or another. In this field, however, finding suitable datasets is a challenge unto itself. Most publicly available datasets have negative qualities that limit their usefulness. In this article, we propose ID2T (Intrusion Detection Dataset Toolkit) to tackle this problem. ID2T facilitates the creation of labeled datasets by injecting synthetic attacks into background traffic. The injected synthetic attacks blend themselves with the background traffic by mimicking the background traffic's properties to eliminate any trace of ID2T's usage. This work has three core contribution areas. First, we present a comprehensive survey on intrusion detection datasets. In the survey, we propose a classification to group the negative qualities we found in the datasets. Second, the architecture of ID2T is revised, improved and expanded. The architectural changes enable ID2T to inject recent and advanced attacks such as the widespread EternalBlue exploit or botnet communication patterns. The toolkit's new functionality provides a set of tests, known as TIDED (Testing Intrusion Detection Datasets), that help identify potential defects in the background traffic into which attacks are injected. Third, we illustrate how ID2T is used in different use-case scenarios to evaluate the performance of anomaly and signature-based intrusion detection systems in a reproducible manner. ID2T is open source software and is made available to the community to expand its arsenal of attacks and capabilities.