Kitsune Network Attack Dataset
Added to Payititi on 2024-03-04
Download link: https://www.payititi.com/opendatasets/show-26126.html
Resource description:
Data Set Information:

==== Overview ====

There are 9 network capture datasets in total, listed below. Viol. is the security violation (Confidentiality, Integrity, and Authenticity).

| # | Attack Type | Attack Name | Tool | Viol. | Description: The attacker... |
| --- | --- | --- | --- | --- | --- |
| 1 | Recon. | OS Scan | Nmap | C | scans the network for hosts, and their operating systems, to reveal possible vulnerabilities. |
| 2 | Recon. | Fuzzing | SFuzz | C | searches for vulnerabilities in the camera's web servers by sending random commands to their CGIs. |
| 3 | Man in the Middle | Video Injection | Video Jack | C,I | injects a recorded video clip into a live video stream. |
| 4 | Man in the Middle | ARP MitM | Ettercap | C | intercepts all LAN traffic via an ARP poisoning attack. |
| 5 | Man in the Middle | Active Wiretap | R.PI 3B | C | intercepts all LAN traffic via an active wiretap (network bridge) covertly installed on an exposed cable. |
| 6 | Denial of Service | SSDP Flood | Saddam | A | overloads the DVR by causing cameras to spam the server with UPnP advertisements. |
| 7 | Denial of Service | SYN DoS | Hping3 | A | disables a camera's video stream by overloading its web server. |
| 8 | Denial of Service | SSL Reneg. | THC | A | disables a camera's video stream by sending many SSL renegotiation packets to the camera. |
| 9 | Botnet Malware | Mirai | Telnet | C,I | infects IoT devices with the Mirai malware by exploiting default credentials, and then scans the network for new vulnerable victims. |

For more details on the attacks themselves, please refer to our paper.

==== Data Organization ====

For each attack (network capture) above we provide (1) a csv of the features used in our paper, where each row is a network packet, (2) the corresponding labels [benign, malicious], and (3) the original network capture in truncated pcap format.

- Each attack dataset is located in a separate directory.
- Each directory contains three files.

Attribute Information:

=== The features in the csv files ===

Each row in the csv is a packet captured (chronologically). For a deeper explanation, please see our paper.

In general, each row (feature vector) is a set of recent (temporal) statistics which describes the context of the packet's channel and its communicating parties: whenever a packet arrives, we extract a behavioral snapshot of the hosts and protocols which communicated the given packet. The snapshot consists of 115 traffic statistics capturing a small temporal window into: (1) the packet's sender in general, and (2) the traffic between the packet's sender and receiver. Specifically, the statistics summarize all of the traffic...

- ...originating from this packet's source MAC and IP address (denoted SrcMAC-IP).
- ...originating from this packet's source IP (denoted SrcIP).
- ...sent between this packet's source and destination IPs (denoted Channel).
- ...sent between this packet's source and destination TCP/UDP socket (denoted Socket).

A total of 23 features (capturing the above) can be extracted from a single time window λ (see Table II). The FE extracts the same set of features from a total of five time-damped windows of approximately 100ms, 500ms, 1.5sec, 10sec, and 1min into the past (λ = 5, 3, 1, 0.1, 0.01), thus totaling 115 features (23 × 5). We note that not every packet applies to every channel type (e.g., there is no socket if the packet does not contain a TCP or UDP datagram). In these cases, these features are zeroed. Thus, the final feature vector ~x, which the FE passes to the FM (Kitsune's feature mapper), is always a member of R^n, where n = 115.

The feature extraction code (pcap to csv) is available at: [Web link]

Relevant Papers: [Web link] [Web link]

Citation Request: If you use this dataset, please cite: Yisroel Mirsky, Tomer Doitshman, Yuval Elovici, and Asaf Shabtai, 'Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection', Network and Distributed System Security Symposium 2018 (NDSS'18).

Creators: Yisroel Mirsky, Tomer Doitshman, Yuval Elovici, and Asaf Shabtai. Ben-Gurion University of the Negev, Department of Information Systems Engineering.

Donor: Yisroel Mirsky (yisroel
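The feature description above is easier to follow with a small, runnable model of it. The block below is an added illustration and is not the dataset authors' feature-extraction (AfterImage) code: it keeps a damped incremental statistic (weight, mean, standard deviation of packet size) per aggregation key and per λ, decays old traffic by the assumed factor 2^(-λ·Δt) between packets, uses the four keys named above (SrcMAC-IP, SrcIP, Channel, Socket), and emits zeros for the Socket key when a packet carries no TCP/UDP socket. It computes only the 1-D statistics (12 per window, 60 in total); the paper's 2-D Channel/Socket statistics and jitter features, which bring the count to 23 per window and 115 overall, are omitted. The packet records, addresses and key-string formats are constructed for the example.

```python
import math
from dataclasses import dataclass

# Decay factors for the five time-damped windows (~100ms, 500ms, 1.5s, 10s, 1min).
LAMBDAS = (5.0, 3.0, 1.0, 0.1, 0.01)
STATS_PER_STREAM = 3        # weight, mean, std
KEYS_PER_PACKET = 4         # SrcMAC-IP, SrcIP, Channel, Socket
FEATURES_PER_WINDOW = KEYS_PER_PACKET * STATS_PER_STREAM   # 12 here, 23 in the paper


class DampedStat:
    """One-dimensional damped incremental statistic (assumed decay form).

    Keeps a decayed weight w, linear sum ls and squared sum ss. Before each new
    value the old sums are multiplied by gamma = 2^(-lambda * dt), so older
    packets fade out at a rate set by lambda.
    """

    def __init__(self, lam):
        self.lam = lam
        self.w = 0.0
        self.ls = 0.0
        self.ss = 0.0
        self.t_last = None

    def update(self, x, t):
        if self.t_last is not None:
            gamma = 2.0 ** (-self.lam * max(0.0, t - self.t_last))
            self.w *= gamma
            self.ls *= gamma
            self.ss *= gamma
        self.w += 1.0
        self.ls += x
        self.ss += x * x
        self.t_last = t

    def stats(self):
        mean = self.ls / self.w
        var = abs(self.ss / self.w - mean * mean)   # abs() guards against round-off
        return (self.w, mean, math.sqrt(var))


@dataclass
class Packet:
    """Constructed packet record with just the fields the four keys need."""
    ts: float
    src_mac: str
    src_ip: str
    dst_ip: str
    size: int
    proto: str = ""      # "tcp", "udp" or "" (no transport-layer socket)
    sport: int = 0
    dport: int = 0


class FeatureExtractor:
    def __init__(self):
        self.streams = {}   # (key, lambda) -> DampedStat

    @staticmethod
    def keys(p):
        """Aggregation keys in fixed order; None marks a key that does not apply."""
        sock = None
        if p.proto in ("tcp", "udp"):
            sock = ("sock", f"{p.src_ip}:{p.sport}->{p.dst_ip}:{p.dport}")
        return [("srcmacip", p.src_mac + "|" + p.src_ip),
                ("srcip", p.src_ip),
                ("chan", p.src_ip + "->" + p.dst_ip),
                sock]

    def extract(self, p):
        """Update the streams this packet belongs to and return its feature vector."""
        vec = []
        for lam in LAMBDAS:
            for key in self.keys(p):
                if key is None:
                    vec.extend((0.0, 0.0, 0.0))   # zeroed, as the dataset notes say
                    continue
                s = self.streams.setdefault((key, lam), DampedStat(lam))
                s.update(float(p.size), p.ts)
                vec.extend(s.stats())
        return vec


def demo():
    """Constructed trace: one ICMP packet, two TCP packets to port 80 10 ms apart,
    then one more TCP packet after a 10 s gap. Returns the four feature vectors."""
    fe = FeatureExtractor()
    mac, src, dst = "aa:bb:cc:00:00:01", "192.168.2.10", "192.168.2.1"
    pkts = [
        Packet(0.00, mac, src, dst, 64),                       # no socket -> zeros
        Packet(0.01, mac, src, dst, 60, "tcp", 40001, 80),
        Packet(0.02, mac, src, dst, 60, "tcp", 40001, 80),
        Packet(10.02, mac, src, dst, 60, "tcp", 40001, 80),    # fast windows have forgotten
    ]
    return [fe.extract(p) for p in pkts]


if __name__ == "__main__":
    for i, v in enumerate(demo()):
        # Socket weight in the fastest (lambda=5) and slowest (lambda=0.01) window
        print(i, len(v), round(v[9], 4), round(v[4 * FEATURES_PER_WINDOW + 9], 4))
```

Running it shows the property the windows are there for: after the 10 s gap the λ=5 socket weight has decayed back to roughly 1 (the burst is forgotten), while the λ=0.01 weight still carries most of the earlier packets, which is what lets the detector see both a short SYN burst and a slow scan from the same vector.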
Provider: Payititi (collected and compiled)

Dataset introduction

Background and challenges

Background overview
The Kitsune Network Attack Dataset contains traffic for 9 different network attacks, each described and categorized, and is intended for network intrusion detection research. The dataset provides CSV feature files, labels and the raw network captures, with a total size of 17.7 GB.
The above content was collected and summarized by 遇见数据集.