Welcome

The goal of the Datapository anomaly detection testbed is to provide a useful framework and storage facility for researchers and network administrators to develop and test new anomaly detection methods, perform analysis of current detection methods, and analyze the traffic features used by these methods with user provided traffic sets or publicly available traffic sets in the Datapository database. The testbed provides a toolkit for running anomaly detection methods, generating synthetic attacks in to the traffic, monitoring traffic metrics, and reformatting user data for insertion in to the Datapository database. Through the collaboration of users, we hope to expand our set of available detection methods, synthetic attack models, and publicly available traffic data and tools for analysis.

Accessible Information

• How To Use the Testbed
  • Using the database
  • Using ruby to interface

• Database Information
  • Entity relationship diagram
  • Entity and attribute dictionary
  • Formatting the flow data
  • Partitioning the flows table and inserting flows

• Traffic Analysis
  • Traffic features
  • Traffic feature statistics
  • Generating entropy data
  • Correlating data

• Anomaly Detection
  • Anomaly detection overview
  • Standard deviation detection
  • Wavelet detection

• Labeling Anomalies
  • Labeling overview
  • Inserting or creating labels
  • Viewing and searching labels
  • Retrieving labeled flows

• Synthetic Attack Generation and Analysis
  • Synthetic attack overview
  • Generating synthetic attacks
    • Distributed bandwidth flood
    • Horizontal scan activity
    • Vertical scan activity
    • Worm activity
  • Guide to creating synthetic attacks

• Framework Overview
  • User functions

• Related Documentation / Publications
  • George Nychis, Masters Thesis: An Empirical Evaluation of Entropy-based Anomaly Detection