Extraction of features from DARPA dataset tcpdump files
vern at icir.org
Tue Apr 27 10:23:17 PDT 2004
> I'd like to extract 41 features and their corresponding attack classes based on
> the DARPA 1999 dataset and 2000 dataset
Bro doesn't have these features directly coded into its analyzers.
You could probably add them with not that much work, but I'd advise you
to first consider whether you really want to do so: those datasets, while
invaluable for the evaluations for which they were originally developed,
are notorious for how they are misapplied for subsequent intrusion detection
research. The main problem is that they have artifacts due to their synthetic
nature. In particular, the feature set from the KDD Cup is known to be
seriously flawed. See McHugh's critique of the original datasets and
Mahoney/Chen's RAID 2003 paper on the problems with the KDD Cup feature set.