Characterizing The Effectiveness Of Network-Based Intrusion Detection Systems

2018 IEEE MILITARY COMMUNICATIONS CONFERENCE (MILCOM 2018) (2018)

Abstract
Network-based Intrusion Detection Systems (NIDSs) must detect and defend against many kinds of attacks. These defenses are certainly limited in their capabilities; however, there is a lack of precise understanding of their strengths and weaknesses. In particular, there are two kinds of NIDSs, flow-based vs. packet-based, whose effectiveness needs to be systematically characterized using real, or as real as possible, datasets with known ground truth. In this paper, we report our empirical study on using a modern dataset, with known ground truth about the attacks it contains, to evaluate the effectiveness of flow-based vs. packet-based NIDSs. This allows us to draw initial insights towards the ultimate characterization of the gap between flow-based and packet-based NIDSs.
Keywords
Intrusion Detection, Intrusion Detection Systems, Security Metrics, Snort, Suricata, Flow-based, Packet-based