Network Intrusion Detection Systems (NIDS) have been studied in research for almost four decades. Yet, despite thousands of papers claiming scientific advances, a non-negligible number of recent works suggest that the findings of prior literature may be questionable. At the root of such a disagreement is the well-known challenge of obtaining data representative of a real-world network -- and, hence, usable for security assessments. We tackle such a challenge in this paper. We propose ConCap, a practical tool meant to facilitate experimental research on NIDS. Through ConCap, a researcher can set up an isolated and lightweight network environment and configure it to produce network-related data, such as packets or NetFlows, that are automatically labeled -- hence ready for fine-grained experiments. ConCap is rooted on open-source software and is designed to foster experimental reproducibility across the scientific community by sharing just one configuration file. Through comprehensive experiments on 10 different network activities, further expanded via in-depth analyses of 21 variants of two specific activities and of 100 repetitions of four other ones, we empirically verify that ConCap produces network data resembling that of a real-world network. We also carry out experiments on well-known benchmark datasets as well as on a real ``smart-home'' network, showing that, from a cyber-detection viewpoint, ConCap's automatically-labeled NetFlows are functionally equivalent to those collected in other environments. Finally, we show that ConCap enables to safely reproduce sophisticated attack chains (e.g., to test/enhance existing NIDS). Altogether, ConCap is a solution to the ``data problem'' that is plaguing NIDS research.

翻译：网络入侵检测系统（NIDS）在学术界的研究已持续近四十年。然而，尽管有数以千计的论文宣称取得了科学进展，近期不少研究指出先前文献的结论可能值得商榷。这一分歧的根源在于获取能够代表真实网络环境、从而适用于安全评估的数据——这一众所周知的挑战。本文旨在应对这一挑战。我们提出了ConCap，一个旨在促进NIDS实验研究的实用工具。通过ConCap，研究人员可以建立一个隔离且轻量级的网络环境，并将其配置为生成自动标记的网络相关数据（如数据包或NetFlows），从而直接支持细粒度实验。ConCap基于开源软件构建，其设计目标是通过共享单一配置文件，促进科学界内的实验可复现性。通过对10种不同网络活动的综合实验，并进一步扩展至对两种特定活动的21种变体以及另外四种活动的100次重复的深入分析，我们实证验证了ConCap生成的网络数据与真实网络环境中的数据具有相似性。我们还在知名基准数据集及一个真实的“智能家居”网络上进行了实验，结果表明，从网络威胁检测的角度看，ConCap自动标记的NetFlows在功能上等同于其他环境中采集的数据。最后，我们展示了ConCap能够安全地复现复杂的攻击链（例如用于测试或增强现有NIDS）。总体而言，ConCap为困扰NIDS研究的“数据问题”提供了一种解决方案。