BH-KSU23: A Novel Dataset for Evaluating and Enhancing Intrusion Detection Systems Targeting Command-and-Control Traffic
Source: doi.org, indexed 2025-01-15
Download link:
http://doi.org/10.17632/wjxc69xj3n.1
Resource description:
The increasing prevalence of sophisticated cyber-attacks, particularly those orchestrated by state-sponsored threat actors, has highlighted the need for enhanced intrusion detection capabilities. One notable limitation of existing intrusion detection system (IDS) datasets is the lack of a realistic and comprehensive representation of command-and-control (C2) framework traffic. This paper introduces BH-KSU23, a novel dataset designed to address this gap, enabling researchers and practitioners to better understand and detect such advanced cyber threats. The dataset was generated in an environment that mimicked real-world infrastructure and incorporated seven different C2 frameworks. Various attack types, including enumeration, exploitation, and post-exploitation, were conducted, resulting in 142 GB of raw network traffic. Relevant features were extracted using CIC-Flowmeter, producing a set of 76 features. BH-KSU23 comprises approximately 400,000 records, with a near-equal distribution of benign and malicious samples. A comparison with other datasets, such as NSL-KDD, KDD CUP, and DARPA, shows that BH-KSU23 offers a more accurate representation of C2 traffic, with a better malicious-to-benign ratio and no duplicate or null records. By providing a dataset that specifically represents C2 traffic, BH-KSU23 aims to facilitate the development of more effective intrusion detection systems and countermeasures against sophisticated cyber-attacks.
Provider:
Mendeley Data