Controlled anomaly injection into network traffic for stress-testing of intrusion detection systems
DOI: https://doi.org/10.15276/ict.02.2025.23
Keywords: controlled anomaly injection, network traffic, stress testing, IDS, low-and-slow attacks, DevSecOps
Abstract
In modern dynamic networks, where traffic encryption and sophisticated "low-and-slow" attacks are becoming the norm, classical approaches to testing Intrusion Detection Systems (IDS) are proving inadequate. Existing static datasets reflect neither modern multi-stage attack scenarios nor the diversity of legitimate background traffic, which leads to unrepresentative evaluations. This paper proposes a comprehensive methodology of controlled anomaly injection for the systematic and reproducible stress-testing of IDS in a laboratory environment. In contrast to outdated practices, the proposed framework introduces clearly defined and controlled injection parameters. This allows flexible configuration of the intensity, duration, spatio-temporal locality, stealth level, and semantics of the scenarios, covering reconnaissance, denial-of-service attacks, credential brute-forcing, and covert data exfiltration.

Such an approach enables the targeted "tuning" of test complexity and the transparent comparison of different IDS implementations. A key advantage is its complete independence from any specific synthesis technology: the methodology is compatible with various generators, including modern diffusion models. This ensures the long-term relevance of the framework, allowing it to evolve alongside generative technologies. Injections are integrated into existing traces or co-generated with a realistic background, with reproducibility guaranteed through standardized descriptive manifests. These manifests record tool versions, random generator seeds, and artifact checksums, so that not only the attack conditions but also the evaluation protocol are standardized.

Pilot tests are planned and are expected to demonstrate the controlled impact of the parameters on IDS behavior. It is anticipated that as stealth increases, signature-based detectors will lose effectiveness, while behavioral detectors will show a measurable increase in reaction time. This will make it possible to investigate their operational limits, analyze false positive rates, and evaluate the resource behavior of the systems under load. The findings should confirm the methodology's suitability for the systematic assessment of resilience and the identification of "blind spots." Security and ethical aspects are considered separately. Future work outlines the integration of the framework with CI/CD processes to foster a culture of continuous security validation (DevSecOps), and the publication of open, reproducible benchmarks.
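To make the two central ideas of the abstract concrete, the Python below is an added illustration, not code from the paper or its framework. It turns a small set of injection parameters (scenario, intensity, duration, stealth, seed) into a deterministic event schedule, renders it as a JSON-lines artifact, and records a manifest with tool version, seed and artifact checksum, so that anyone holding the manifest can regenerate the artifact and verify it byte for byte. The tool name and version, the 10.0.0.0/8 addresses, the `host:port` target and the way stealth is mapped to timing and source rotation are all constructed assumptions for the example; a real generator would emit packets or flows and hash those.

```python
"""Added example: reproducible anomaly-injection manifest (hypothetical tool, not the paper's)."""
import hashlib
import json
import random
from dataclasses import dataclass, asdict

TOOL_NAME = "anomaly-inject-demo"   # hypothetical tool identity recorded in the manifest
TOOL_VERSION = "0.1.0"              # hypothetical version; a bump must change the manifest


@dataclass(frozen=True)
class InjectionSpec:
    scenario: str       # e.g. "credential_bruteforce", "exfiltration"
    intensity: float    # mean injected events per second over the window
    duration_s: float   # length of the injection window in seconds
    stealth: float      # 0.0 = one tight burst, 1.0 = spread over the window with rotating sources
    target: str         # constructed destination label "host:port"
    seed: int           # PRNG seed; with it the whole schedule is reproducible


def schedule_events(spec):
    """Return a sorted list of (t_offset_s, src_ip) events derived only from the spec."""
    if not 0.0 <= spec.stealth <= 1.0:
        raise ValueError("stealth must be in [0, 1]")
    rng = random.Random(spec.seed)            # seeded: same spec -> same events
    n = max(1, int(round(spec.intensity * spec.duration_s)))
    # Stealth interpolates the active fraction of the window: stealth 0 packs all
    # events into the first 5 % (a burst a threshold rule sees at once), stealth 1
    # spreads them across the whole window ("low-and-slow").
    active = spec.duration_s * (0.05 + 0.95 * spec.stealth)
    events = []
    for _ in range(n):
        t = rng.uniform(0.0, active)
        # A stealthy scenario also rotates source addresses; a burst reuses one.
        if rng.random() < spec.stealth:
            src = "10.0.%d.%d" % (rng.randint(0, 255), rng.randint(1, 254))
        else:
            src = "10.0.0.7"
        events.append((round(t, 6), src))
    events.sort()
    return events


def render_artifact(spec, events):
    """Serialize the schedule as canonical JSON lines (sorted keys -> stable bytes)."""
    lines = [
        json.dumps({"t": t, "src": src, "dst": spec.target, "scenario": spec.scenario},
                   sort_keys=True)
        for t, src in events
    ]
    return ("\n".join(lines) + "\n").encode()


def build_manifest(spec):
    """Generate the artifact and the manifest that pins tool version, seed and checksum."""
    events = schedule_events(spec)
    artifact = render_artifact(spec, events)
    manifest = {
        "tool": TOOL_NAME,
        "tool_version": TOOL_VERSION,
        "spec": asdict(spec),                      # includes the seed
        "event_count": len(events),
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
    }
    return artifact, manifest


def verify_manifest(manifest, artifact):
    """Check a stored artifact against its manifest and against a fresh regeneration."""
    if manifest["tool"] != TOOL_NAME or manifest["tool_version"] != TOOL_VERSION:
        return False                               # a different generator build is not comparable
    if hashlib.sha256(artifact).hexdigest() != manifest["artifact_sha256"]:
        return False                               # artifact was altered after generation
    regenerated, _ = build_manifest(InjectionSpec(**manifest["spec"]))
    return regenerated == artifact                 # the seed really does reproduce it


if __name__ == "__main__":
    spec = InjectionSpec("credential_bruteforce", 2.0, 600.0, 0.9, "10.0.5.20:22", 42)
    artifact, manifest = build_manifest(spec)
    print(json.dumps(manifest, indent=2))
    print("verified:", verify_manifest(manifest, artifact))
```

Two properties worth checking before trusting such a manifest in a benchmark: the same spec must yield the same checksum on every run (the seed and canonical serialization give that), and any change to the generator must be visible in the manifest (the version field gives that, so a checksum mismatch can be attributed to a tool change rather than a corrupted artifact).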