SSH Username Enumeration Attack Detection Dataset

The dataset is collected from a closed-environment network using network monitoring tools installed in the data collection point. The dataset generation was achieved through the use of common vulnerabilities and exposures (CVE) with the identification number CVE-2018-15473 retrieved from the public exploits database and pcap file of normal traffic obtained from public training repository.   A total of 36,273 instances were collected with two classes “username enumeration attack” and “non-username enumeration”.   We chose the terms “username enumeration attack” and “non-username enumeration” instead of the traditional “attack” and “normal” label notations since “normal” traffic data could contain attacks other than username enumeration attack. The username enumeration attack corresponds to the attack traffic while non-username enumeration traffic corresponds to the normal traffic. This traffic reflects different services including emails, DNS, HTTP, web, few to mention. Several data preprocessing techniques were carried out including categorical encoding. Both label encoding and one hot encoding techniques were used to transform categorical feature values into numerical feature values. Hence, two types of datasets were generated.

本数据集通过部署于数据采集点的网络监控工具，于封闭环境网络中采集得到。数据集生成依托公共漏洞与披露（Common Vulnerabilities and Exposures，以下简称CVE）数据库中编号为CVE-2018-15473的公开漏洞利用代码，以及从公共训练仓库中获取的正常流量pcap文件完成。本次采集共得到36273条样本，分为"用户名枚举攻击"与"非用户名枚举"两个类别。相较于传统的"攻击"与"正常"标签体系，我们选用上述两类命名，原因在于"正常"流量数据中可能包含除用户名枚举攻击外的其他攻击流量。 用户名枚举攻击对应攻击流量，非用户名枚举流量对应正常流量。该流量涵盖电子邮件、域名系统（DNS）、超文本传输协议（HTTP）、Web服务等多种服务类型。我们开展了多项数据预处理工作，其中包含类别特征编码：分别采用标签编码（Label Encoding）与独热编码（One-Hot Encoding）两种技术，将类别型特征值转换为数值型特征值，最终生成两类数据集。