1999 DARPA Intrusion Detection Evaluation Schedule

This document describes the schedule for the DARPA 1999 off-line intrusion detection evaluation being conducted by MIT Lincoln Laboratory. This schedule provides three weeks for sites to train systems with the complete set of training data and three weeks to run test data through systems and return results. The separate evaluation guidelines document provides further details on the off-line evaluation.

For information on the real-time component of the DARPA 1999 evaluation being conducted by the Air Force Research Laboratory contact Terry Champion.

Distribute Training Data

Training data distributed from Lincoln Lab to all sites participating in off-line evaluation. All tcpdump, bsm, and file system data posted on the Lincoln Web Site. CD's will be mailed out after posting data on the web site only by request.

System Descriptions Due

Each site participating in the off-line evaluation provides a short (text-only) description of systems they will be evaluating to Lincoln. Included at the beginning of each description will be the following paragraph:

{name of site} commits firmly to running this system in the 1999 DARPA Intrusion Detection Evaluation according to the guidelines provided by MIT Lincoln Laboratory. {name of site} will submit results to MIT Lincoln Laboratory by internet remote file transfer no later than 11:59 pm EST, 09/30/99. This system is {or is not} the primary entry in the evaluation from {name of site} .

Only sites that provide these descriptions and a firm commitment to return test results will receive test data. Each site must submit results from at most one primary system, and sites may submit results from up to three additional systems. Official evaluation guidelines can be found in the evaluation plans.

Optional Pretest

A pretest is offered to help sites prepare for the final evaluation.

Participants in the pretest should use their intrusion detection systems to evaluate one day from the training data ( Thursday of the second week ).

They should return detection and identification files for Thursday of the second week as soon as possible and preferably well before September 1, 1999. Files returned after September 1, 1999 will not be analyzed. Files provided by a participant before September 1, 1999 will be evaluated and the results returned to that participant.

Sites choosing to participate in the pretest should contact Joshua W. Haines) to obtain instructions for submitting detection and identification files.

Pretest results will provide feedback to each participant, help ensure that participants understand the result submission format, help us refine our analysis procedures, and help clarify the definition and scoring of attacks.

We highly recommend that sites participate in this pretest.

Test Data Distributed

The test data will be provided to all sites participating in the off-line evaluation, i.e. all sites that have provided the short descriptions and firm commitments provided above.

This year, test data will not be available on CD-ROM because this incurred too much delay last year. Instead, the test data will be available on our web site.

Some participants may require an alternative means of test data distribution. Those participants should contact Joshua W. Haines) to make other arrangements.

Results Due Back

Sites participating in off-line evaluation send evaluation results back to Lincoln Lab.

PI Meeting to Discuss Results

Lincoln Laboratory will describe the evaluation procedure and present evaluation results to sites and sponsors, and sites will report on the their research and systems.


top of page