The increasing diversity and sophistication of cyber threats highlight the need for improved intrusion detection deployment. This need is nowadays often addressed via machine learning algorithms or other anomaly-based detection techniques. However, many of these proposals require realistic attack network datasets for training and evaluation. This problem is often compensated for with very old datasets (e.g., KDD99) or with others that are not public and therefore create reproducibility issues. To overcome such issues, researchers proposed the creation of a dynamic toolkit that is able to generate attack traffic: the so-called Intrusion Detection Dataset Toolkit (ID2T). ID2T aims to generate synthetic, yet realistic, attack traces for subsequent injection into benign background traffic. In this paper, we identify a number of limitations in ID2T that we subsequently resolve by proposing and implementing specific improvements. Moreover, we expand the tool to include more complex and modern attacks. For instance, we improve i) the background traffic manipulation modules, ii) the generation of realistic inter-arrival times between network packets, iii) the overall generated network packets in relation to the generation of context-aware IP addresses, and iv) the usage of ephemeral ports and the creation of the synthetic payloads. Each improvement is followed by a respective implementation and an extensive evaluation.
Abdirisaq Farah
Technical University of Denmark
Martin Nielsen
German Graduate School of Management and Law
Emmanouil Vasilomanolakis
Honeywell (United States)
Technical University of Denmark
Farah et al. (Mon,) studied this question.
synapsesocial.com/papers/68e61196b6db6435875a4a58 — DOI: https://doi.org/10.1109/eurospw61312.2024.00042