CyberLab honeynet dataset

This dataset contains all data collected by the CyberLab honeynet experiment, from May 2019 to February 2020. The experiment was based on the Cowrie honeypot (https://github.com/cowrie/cowrie, versions 1.6.0 and 2.0.2, see below for the timeline) deployed on approximately 50 nodes at different EU and US universities and companies. This number has varied throughout the duration of the experiment due to scaling efforts and the target node availability. All public IP addresses in the dataset are pseudonymized to protect the identity of the destination nodes. Each file in the dataset is a daily compilation of all connections starting at midnight on that date (date in filename, midnight in UTC time), grouped into "attack sessions". Each event in such a session includes all the data reported by the honeypot software (https://github.com/cowrie/cowrie). The honeypot has been operating in its default (low-interaction) mode using version 1.6.0 from the start of the experiment until November 8, 2019; after that date, we upgraded to Cowrie version 2.0.2, which allowed us to back it by a pool of real Linux instances to provide more convincing high-interaction mode. Results from high-interaction mode are tagged with "sensor:ubuntu_basic_pool".  Geolocation data was added to Cowrie output messages based on the source IP address. Field Description =============================== =========================================================== session_id Unique ID of the session dst_ip_identifier Pseudonymized dst public IPv4 of the honeypot node dst_host_identifier Obfuscated (pseudonymized) name of the honeypot node src_ip_identifier Obfuscated (pseudonymized) IP address of the attacker eventid Event id of the session in the cowrie honeypot timestamp UTC time of the event message Message of the Cowrie honeypot protocol Protocol used in the cowrie honeypot; either ssh or telnet geolocation_data/postal_code Source IP postal code as (determined by logstash) geolocation_data/continent_code Source IP continent code (as determined by logstash) geolocation_data/country_code3 Source IP country code3 (as determined by logstash) geolocation_data/region_name Source IP region name (as determined by logstash) geolocation_data/latitude Source IP latitude (as determined by logstash) geolocation_data/longitude Source IP longitude (as determined by logstash) geolocation_data/country_name Source IP full country name (as determined by logstash) geolocation_data/timezone Source IP timezone geolocation_data/country_code2 Source IP country code2 geolocation_data/region_code Source IP region code geolocation_data/city_name Source IP city name src_port Source TCP port sensor Sensor name; serves to identify our experiment config arch Represents the CPU/OS architecture emulated by cowrie duration Session duration in seconds ssh_client_version Attacker's SSH client version username Login username; only used for login events password Password; only used for login events macCS HMAC algorithms supported by the client encCS Encryption algorithms supported by the client kexAlgs Key exchange algorithms supported by the client keyAlgs Public key algorithms supported by the client More detailed description of the fields (with examples) and all subsequent data (after February 2020) can be found at cyber.ltfe.org.