Operationally Transparent Cyber (OpTC)
Source: ieee-dataport.org (indexed 2025-01-21)
Download link:
https://ieee-dataport.org/open-access/operationally-transparent-cyber-optc
Resource description:
Disclaimer: DARPA is releasing these files in the public domain to stimulate further research. Their release implies no obligation or desire to support additional work in this space. The data is released as-is. DARPA makes no warranties as to the correctness, accuracy, or usefulness of the released data. In fact, since the data was produced by research prototypes, it is practically guaranteed to be imperfect. Nonetheless, as this data represents a very large repository of semantically rich and structured data, DARPA believes that it is in the best interests of the Department of Defense and the research community to make it freely available. Distribution Statement A: Approved for public release. Distribution is unlimited.

OpTC Overview: Operationally Transparent Cyber (OpTC) was a DARPA transition pilot activity funded under Boston Fusion Corp.'s (BFC) Cyber APT Scenarios for Enterprise Systems (CASES) project. The main goal of the pilot was to determine whether technology developed under the DARPA Transparent Computing (TC) program could scale up to one thousand clients while maintaining detection performance. Boston Fusion, together with two performers from the TC program (Five Directions and BAE), developed the OpTC prototype. Provatek joined the team as test coordinator, conducting scaling and detection tests in 2019. This data set represents a subset of the collection from that activity. OpTC was evaluated at the National Cyber Range (NCR), which provided a well-instrumented facility to measure the impact of the system on network and client machine bandwidth, disk, and memory usage. Client machines created using VMware were programmed to complete general tasks such as creating, editing, and deleting presentations and text documents; sending, receiving, and downloading attachments from emails; browsing various websites; and mimicking generic daily user activities.

Each client machine in the NCR evaluations was equipped with an Acuity Intelligent Agent (AIA) sensor developed by Five Directions. This sensor sends real-time, system-level data to servers running Acuity Translator (AT) software, also developed by Five Directions. The Acuity Translator servers compile correlated events into aggregate messages and forward the contents to Rapid Infiltration and Prevention of Exfiltration (RIPE) translators developed by BAE. The messages then undergo additional refinement before being sent to the RIPE Data Analytics Engine, which generates a network topology graph that can be queried to identify advanced persistent threat (APT) activity.

The OpTC team collected the data in this release over three days, during which the number of clients varied from five hundred to one thousand. Working with five hundred clients tended to be more convenient in terms of the time needed to bring up the system and manage the instrumentation. During the three-day evaluation event, randomly chosen machines were attacked, compromised, and used to perform additional attacks on other network clients. All event data was recorded for post-event analysis, with ground truth on the attack insertions documented. The dataset consists of four main directories, each containing a single file per client. These files are sorted by event time and labeled based on data provided by the red team.
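The pipeline above ends in a graph that is queried for APT activity, and the release itself is one time-sorted, red-team-labelled JSON file per client. As an added example (not code from the OpTC release, Five Directions, BAE, or the page's author), the Python below builds a small provenance graph from constructed eCAR-style records, traces forward from a compromised process across a network flow shared by both endpoints onto a second client, and lists the events on that chain whose label is not "malicious". The field names (timestamp, hostname, object, action, actorID, objectID, properties), the "label" field and the edge-direction rules are assumptions made for this example, not the documented eCAR schema; check them against the files in the release before reusing them.

```python
"""Provenance-graph tracing over eCAR-style host events (added example).

ASSUMPTION: the record layout below only approximates the eCAR JSON format,
and "label" is a constructed stand-in for the red-team ground truth.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one JSON-lines "file" per client, sorted by event time.
# Story: foothold p2 on hostA opens SMB to hostB; the service p5 on hostB
# spawns p6, which reads a document and opens an outbound HTTPS flow.
_RECORDS = {
    "hostA": [
        {"timestamp": "2019-09-23T10:00:00.000Z", "hostname": "hostA", "object": "PROCESS", "action": "CREATE",
         "actorID": "p1", "objectID": "p2", "properties": {"image_path": "cmd.exe"}, "label": "malicious"},
        {"timestamp": "2019-09-23T10:00:05.000Z", "hostname": "hostA", "object": "FLOW", "action": "OPEN",
         "actorID": "p2", "objectID": "f1", "properties": {"src_ip": "10.0.0.11", "src_port": 50000,
         "dest_ip": "10.0.0.12", "dest_port": 445, "direction": "outbound"}, "label": "malicious"},
        {"timestamp": "2019-09-23T10:00:07.000Z", "hostname": "hostA", "object": "FILE", "action": "WRITE",
         "actorID": "p4", "objectID": "fileX", "properties": {"file_path": "notes.txt"}, "label": "benign"},
    ],
    "hostB": [
        {"timestamp": "2019-09-23T10:00:05.200Z", "hostname": "hostB", "object": "FLOW", "action": "MESSAGE",
         "actorID": "p5", "objectID": "f2", "properties": {"src_ip": "10.0.0.11", "src_port": 50000,
         "dest_ip": "10.0.0.12", "dest_port": 445, "direction": "inbound"}, "label": "benign"},
        {"timestamp": "2019-09-23T10:00:06.000Z", "hostname": "hostB", "object": "PROCESS", "action": "CREATE",
         "actorID": "p5", "objectID": "p6", "properties": {"image_path": "powershell.exe"}, "label": "malicious"},
        {"timestamp": "2019-09-23T10:00:09.000Z", "hostname": "hostB", "object": "FILE", "action": "READ",
         "actorID": "p6", "objectID": "doc1", "properties": {"file_path": "report.docx"}, "label": "benign"},
        {"timestamp": "2019-09-23T10:00:10.000Z", "hostname": "hostB", "object": "FLOW", "action": "OPEN",
         "actorID": "p6", "objectID": "f3", "properties": {"src_ip": "10.0.0.12", "src_port": 50001,
         "dest_ip": "203.0.113.5", "dest_port": 443, "direction": "outbound"}, "label": "malicious"},
    ],
}
SAMPLE_FILES = {h: "\n".join(json.dumps(r) for r in rs) for h, rs in _RECORDS.items()}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def load_file(text):
    """Parse one per-client JSON-lines file and verify it is sorted by event time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    stamps = [parse_ts(e["timestamp"]) for e in events]
    if stamps != sorted(stamps):
        raise ValueError("events not sorted by timestamp")
    return events


def node_ids(e):
    """(actor_node, object_node). Process/file ids are host-qualified so ids on
    different clients never collide; a flow is keyed by its 4-tuple so the same
    connection seen on both endpoints maps to one shared node."""
    actor = f"{e['hostname']}:{e['actorID']}"
    if e["object"] == "FLOW":
        p = e["properties"]
        obj = f"flow:{p['src_ip']}:{p['src_port']}->{p['dest_ip']}:{p['dest_port']}"
    else:
        obj = f"{e['hostname']}:{e['objectID']}"
    return actor, obj


def edge(e):
    """Directed edge in information-flow direction (source -> sink); assumed rules."""
    actor, obj = node_ids(e)
    into_actor = (e["object"] == "FLOW" and e["properties"].get("direction") == "inbound") \
        or (e["object"] == "FILE" and e["action"] == "READ")
    return (obj, actor) if into_actor else (actor, obj)


def build_graph(events):
    g = defaultdict(set)
    for e in events:
        src, dst = edge(e)
        g[src].add(dst)
    return g


def forward_reach(graph, seed):
    """All nodes that could have been influenced by `seed` (BFS, seed excluded)."""
    seen, todo = set(), deque([seed])
    while todo:
        for m in graph[todo.popleft()]:
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


def hosts_reached(events, seed):
    """Clients on which a process lies downstream of `seed`, i.e. lateral movement."""
    reach = forward_reach(build_graph(events), seed)
    return {e["hostname"] for e in events
            if node_ids(e)[0] in reach or (e["object"] == "PROCESS" and node_ids(e)[1] in reach)}


def off_label_events(events, seed, malicious="malicious"):
    """Events on the traced chain whose label is not `malicious`: activity a purely
    label-driven evaluation would treat as benign."""
    reach = forward_reach(build_graph(events), seed) | {seed}
    return [e for e in events if e["label"] != malicious and any(n in reach for n in node_ids(e))]


def run(seed="hostA:p2"):
    events = [e for text in SAMPLE_FILES.values() for e in load_file(text)]
    events.sort(key=lambda e: parse_ts(e["timestamp"]))  # merge the per-client files
    return {"hosts": hosts_reached(events, seed),
            "off_label": [e["timestamp"] for e in off_label_events(events, seed)]}


if __name__ == "__main__":
    print(run())
```

Keying a flow by its 4-tuple is what lets a query started on one client cross to the client that received the connection; on real data you would also want to bound the join by time, since ports are reused and the sample here is far too small to show collisions.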
Provider: IEEE Dataport
Dataset description

Background and challenges
Background overview
The OpTC dataset is a DARPA-funded cybersecurity research dataset built to evaluate the advanced persistent threat detection performance of Transparent Computing technology at a scale of 500 to 1000 clients. The data was collected at the National Cyber Range; it simulates daily user activity and includes real attack scenarios, covers three days of event records in .json and .eCAR format, and is suited to research in artificial intelligence, machine learning and security.
The above content was collected and summarized by 遇见数据集.