
I have been tasked to test the effectiveness of OSSEC HIDS (by effectiveness I mean the detection rate it achieves as well as the false positive rate) when a dataset of raw system call traces is used.

The dataset itself is the ADFA-LD dataset, which can be found here: http://www.cybersecurity.unsw.adfa.edu.au/ADFA%20IDS%20Datasets/

This dataset consists of 3 groups of raw system call traces generated with the auditd UNIX program:

  1. Normal training data
  2. Normal validation data
  3. Attack data.

The method used to perform this task is irrelevant as long as I manage to use this particular dataset with OSSEC HIDS.

So far I have the latest version of OSSEC installed on Ubuntu 14.04. I suppose that in order to perform my task, OSSEC should first be trained using the normal training data of the dataset and then tested for false positives using the normal validation data and for attack detection using the attack data.

My question is: can OSSEC be trained and tested with raw system call traces in the first place, and if yes, how? If not, can the data from this particular dataset be used in any other way in order to test the effectiveness of OSSEC?

FoxEM

0 Answers