The research literature on cybersecurity incident response is very rich in automatic intrusion detection methodologies. The most accepted approach to compare the detection performance of the methods is to use a real traffic data set in which normal traffic and anomalies are conveniently combined and labeled. In this paper, we follow this approach in a real network where a number of controlled attacks are launched. Using the captured traffic and the feedback of the IT team of the network, we assess the performance of the Multivariate Statistical Network Monitoring (MSNM) technique proposed in a recent paper, and compare it with the one-class Support Vector Machine (OCSVM). We derive two main conclusions from this real experiment: i) while both approaches showed a similar detection performance, MSNM was superior in diagnosis, a step which is seldom considered in comparisons, and ii) the traffic also presented several non-induced anomalies, initially labeled as normal traffic and clearly detected by both MSNM and OCSVM. This suggests caution in the use of typical performance measures in this type of experiment, since they heavily rely on the correctness of the labeling. With this experiment, we illustrate that the MSNM approach is coherent with the needs of an incident response team: it provides an adequate prioritization of the security events and gives support to diagnosis, so that in less time and with fewer resources the team can be more effective.
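The following is an added illustration, not code from the paper or from the MSNM authors, of the two points made above: detection by a PCA-based monitoring statistic, diagnosis by per-variable contributions to that statistic, and the effect of a non-induced anomaly on label-based performance counts. It assumes constructed per-minute traffic counters (a synthetic data set, not the captured traffic), a pure-Python PCA fitted by power iteration, and an empirical control limit at the 99th percentile of the calibration Q-statistic; the paper's actual feature set, number of components and control-limit method are not stated here, and OCSVM is not implemented. One window carries a labeled, induced SYN burst to many ports; another carries an unlabeled DNS burst that the labels call "normal".

```python
import math
import random

# Hypothetical feature set (assumption): per-minute counters of one monitored network.
FEATURES = ["syn_pkts", "dst_ports", "dns_queries", "bytes_out_kb", "icmp_pkts"]


def constructed_windows(n, seed, syn_burst_at=(), dns_burst_at=()):
    """Constructed per-minute counters (synthetic, not captured traffic).
    A shared load factor correlates the five counters, which is what lets
    PCA summarise normal behaviour in a few components."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        load = rng.gauss(1.0, 0.2)
        row = [
            max(0.0, 200 * load + rng.gauss(0, 10)),   # syn_pkts
            max(0.0, 30 * load + rng.gauss(0, 3)),     # dst_ports
            max(0.0, 80 * load + rng.gauss(0, 8)),     # dns_queries
            max(0.0, 500 * load + rng.gauss(0, 40)),   # bytes_out_kb
            max(0.0, 10 * load + rng.gauss(0, 2)),     # icmp_pkts
        ]
        if i in syn_burst_at:   # induced, labeled attack: SYNs to many ports
            row[0] += 1500
            row[1] += 900
        if i in dns_burst_at:   # non-induced anomaly, left labeled as normal
            row[2] += 600
        rows.append(row)
    return rows


class MSNM:
    """PCA monitoring: calibrate on normal windows, flag windows whose residual
    Q-statistic (SPE) exceeds the control limit, and diagnose by contribution."""

    def __init__(self, n_components=2, percentile=0.99):
        self.k = n_components
        self.percentile = percentile

    def _scale(self, row):
        return [(x - m) / s for x, m, s in zip(row, self.mean, self.std)]

    @staticmethod
    def _top_eigenvector(C, iters=500):
        p = len(C)
        v = [1.0 + 0.37 * j * (-1) ** j for j in range(p)]  # non-symmetric start
        for _ in range(iters):
            w = [sum(C[a][b] * v[b] for b in range(p)) for a in range(p)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[a] * sum(C[a][b] * v[b] for b in range(p)) for a in range(p))
        return v, lam

    def fit(self, X):
        n, p = len(X), len(X[0])
        self.mean = [sum(r[j] for r in X) / n for j in range(p)]
        self.std = [math.sqrt(sum((r[j] - self.mean[j]) ** 2 for r in X) / (n - 1)) or 1.0
                    for j in range(p)]
        Z = [self._scale(r) for r in X]
        C = [[sum(z[a] * z[b] for z in Z) / (n - 1) for b in range(p)] for a in range(p)]
        self.loadings = []
        for _ in range(self.k):
            v, lam = self._top_eigenvector(C)
            self.loadings.append(v)
            C = [[C[a][b] - lam * v[a] * v[b] for b in range(p)] for a in range(p)]  # deflate
        qs = sorted(self.q_statistic(r)[0] for r in X)
        # Empirical control limit (assumption): percentile of calibration Q values.
        self.limit = qs[min(n - 1, int(self.percentile * (n - 1)))]
        return self

    def q_statistic(self, row):
        """Return (Q, per-variable contributions); contributions sum to Q."""
        z = self._scale(row)
        recon = [0.0] * len(z)
        for v in self.loadings:
            score = sum(a * b for a, b in zip(z, v))
            recon = [r + score * vj for r, vj in zip(recon, v)]
        contrib = [(a - b) ** 2 for a, b in zip(z, recon)]
        return sum(contrib), contrib

    def diagnose(self, row):
        """Alarm flag, Q value and variables ranked by their contribution to Q."""
        q, contrib = self.q_statistic(row)
        ranked = sorted(zip(FEATURES, contrib), key=lambda t: -t[1])
        return q > self.limit, q, ranked


def evaluate(model, windows, labels):
    """Count hits against the experiment's labels (1 = induced attack, 0 = normal)."""
    tp = fp = fn = 0
    flagged = {}
    for i, (row, lab) in enumerate(zip(windows, labels)):
        alarm, q, ranked = model.diagnose(row)
        if alarm:
            flagged[i] = ranked[0][0]   # top contributor is the diagnosis
        if alarm and lab == 1:
            tp += 1
        elif alarm and lab == 0:
            fp += 1                     # counts unlabeled real anomalies as errors
        elif not alarm and lab == 1:
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "flagged": flagged}


def run_experiment():
    calib = constructed_windows(200, seed=1)
    model = MSNM(n_components=2).fit(calib)
    test = constructed_windows(40, seed=2, syn_burst_at={10}, dns_burst_at={25})
    labels = [1 if i == 10 else 0 for i in range(40)]  # only the induced attack is labeled
    return evaluate(model, test, labels)


if __name__ == "__main__":
    print(run_experiment())
```

The DNS burst at window 25 is flagged and diagnosed as a `dns_queries` excess, yet the label-based count books it as a false positive; this is the situation the paper warns about, where a detection rate computed from the original labels understates the detector. The contribution ranking is what an incident response team uses to decide which counters to look at first.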
Financed by the National Centre for Research and Development under grant No. SP/I/1/77065/10 by the strategic scientific research and experimental development program:
SYNAT - “Interdisciplinary System for Interactive Scientific and Scientific-Technical Information”.