Darpa OpTC (Darpa Operationally Transparent Cyber (OpTC) Dataset)

运营透明网络 (OpTC) 是一项技术过渡试点研究，由波士顿融合公司的企业系统网络APT方案 (案例) 项目资助。其主要目标是确定DARPA透明计算 (TC) 计划技术是否可以在不损失检测性能的情况下进行扩展，以解决USTRANSCOM 2019-2023财政年度政府联合部署分销企业 (JDDE) 招标中发现的网络防御能力差距。波士顿融合与TC计划的两名表演者 (五个方向提供端点遥测 (TA1) 和BAE提供数据分析 (TA2)) 一起努力将他们的系统从两台机器扩展到1,000机器。OpTC小组在秋季2019年中进行了缩放和检测测试。最初与TC计划无关的第三表演者 (Provatek) 担任红色团队和测试协调员。此数据集表示该活动的子集。 OpTC在TC程序测试中采用了在两台主机上运行良好的TC系统组件，并将其扩展为与一千台主机一起使用。这个放大的系统在一个高度工具化的环境中进行了为期两周的评估，并且该集合中的数据包含来自该评估的压缩JSON兼容格式的大约tb数据。评估始于一段良性记录生成时期，然后是红色团队注入恶意软件。红队活动期间良性交通持续运行。由于评估期间收集数据空间的限制，来自500主机的数据被收集，而不是来自一千个主机的完整集合。

The Operational Transparent Computing (OpTC) is a technology transition pilot study sponsored by the Enterprise Systems Networking APT Program (CASE) project of Boston Fusion Corporation. Its primary objective is to determine whether the technologies from the DARPA Transparent Computing (TC) program can be scaled without sacrificing detection performance to address the cyber defense capability gaps identified in the USTRANSCOM Joint Deployment Distribution Enterprise (JDDE) solicitation for fiscal years 2019-2023. Boston Fusion collaborated with two performers of the TC program: Five Directions providing endpoint telemetry (TA1) and BAE Systems providing data analytics (TA2), to scale their system from two machines to one thousand machines. The OpTC team conducted scaling and detection tests in mid-autumn 2019. A third performer initially unaffiliated with the TC program, Provatek, served as the red team and test coordinator. This dataset represents a subset of this activity. OpTC adopted TC system components that performed reliably on two hosts and scaled them to operate with one thousand hosts during TC program testing. This scaled system was evaluated over a two-week period in a highly instrumented environment, and the data in this collection contains approximately terabytes of data in compressed JSON-compatible format from this evaluation. The evaluation commenced with a benign traffic generation phase, followed by the red team injecting malware. Benign traffic continued to operate during the red team's activities. Due to storage space constraints during the data collection phase of the evaluation, data was collected from 500 hosts rather than the full set of one thousand hosts.