CTU-AIP-Attacks-2022
Source: NIAID Data Ecosystem (indexed 2026-03-14)
Download link:
https://zenodo.org/record/7684549
Description:
The CTU-AIP-Attacks-2022 dataset aggregates network attacks on 27 bare-metal Internet of Things (IoT) honeypots. The IoT devices were located in the same physical location. The data were captured from January 1st, 2022, to December 31st, 2023.
The raw network attacks were captured using Zeek [1], an open-source software network analysis framework. The raw network data was processed to aggregate network attacks. The network data was aggregated by the source IP address of the attacker per day. For each attacker, the following data were aggregated:
date: Date of the aggregation, in YYYY-MM-DD format
orig: IP address attacking the IoT honeypots
flows: Sum of all network flows from the attacking IP address to the IoT honeypots, calculated as the number of times the same IP (id.orig_h) appears in the Zeek conn.log file.
duration: Sum of the "duration" column [2] of the Zeek conn.log file for all the rows with the same IP in the column "id.orig_h". In Zeek, this column is the duration from the first packet to the last packet in the network flow.
packets: Sum of the "orig_pkts" column [2] for all the rows with the same IP in the "id.orig_h" column. In Zeek, this column counts the number of packets sent by the originator, and not the total number of packets.
bytes: Sum of the "orig_bytes" column [2] for all the rows with the same IP in the "id.orig_h" column. In Zeek, this column counts the number of bytes sent by the originator, and not the total number of bytes.
Every connection initiated by any IP to the honeypots is, by definition, an attack. However, we use an active probe service to alert when a honeypot is down. We removed the IPs corresponding to those probes. The removed IPs are listed under "Data cleaning" below.
The resulting dataset is composed of one CSV file per day. The excerpt below shows a sample of one of the dataset files:
~ $ zcat attacks.2022-04-04.csv.gz | head -n20
# This file is part of the CTU-AIP-Attacks-2022 dataset
# Version: 1.0
# Publication Date: 2023-03
# Authors: Joaquin Bogado, Veronica Valeros, Sebastian Garcia
# Institution: Stratosphere Laboratory, AIC, FEL, Czech Technical University in Prague
# DOI: 10.5281/zenodo.7684550
# Zenodo: https://zenodo.org/record/7684550/
# Source: https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIP-Attacks-2022/
date,orig,flows,duration,packets,bytes
2022-04-04,1.0.234.65,1,5e-06,2,104
2022-04-04,1.10.172.211,1,0.0,1,52
2022-04-04,1.116.138.182,1,4.7e-05,2,80
2022-04-04,1.116.243.210,1,3e-06,2,80
2022-04-04,1.116.37.121,1,2e-06,2,80
2022-04-04,1.116.67.192,24,0.000173,48,1920
2022-04-04,1.116.73.236,22,0.000173,43,1720
2022-04-04,1.116.97.146,1,1e-06,2,120
2022-04-04,1.117.107.145,1,3e-06,2,126
2022-04-04,1.117.199.237,1,5e-06,2,80
2022-04-04,1.12.255.18,2,2e-05,4,160
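The per-day, per-source aggregation described above can be reproduced from a Zeek conn.log as in the following added example. It is not the AIP tool's code or part of the dataset; the sample log lines and the `aggregate`/`to_csv` names are constructed here, and the UTC day boundary and the counting of unset ("-") values as zero are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed conn.log sample (reduced column set, documentation-range IPs).
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tduration\torig_bytes\torig_pkts",
    "1649030400.000000\tC1\t198.51.100.7\t192.0.2.10\ttcp\t0.000100\t80\t2",
    "1649034000.500000\tC2\t198.51.100.7\t192.0.2.11\ttcp\t0.000073\t40\t1",
    "1649037600.000000\tC3\t203.0.113.9\t192.0.2.10\ttcp\t-\t-\t1",
    "1649041200.000000\tC4\t203.0.113.50\t192.0.2.10\ttcp\t1.5\t500\t6",
    "1649116800.000000\tC5\t198.51.100.7\t192.0.2.10\ttcp\t0.2\t60\t3",
])

def aggregate(conn_log, probe_ips=frozenset()):
    """Return {(date, orig): [flows, duration, packets, bytes]}; days are UTC (assumption)."""
    fields, totals = None, defaultdict(lambda: [0, 0.0, 0, 0])
    for line in conn_log.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        if not line or line.startswith("#"):
            continue  # Zeek header/footer lines carry no flow data
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        row = dict(zip(fields, line.split("\t")))
        orig = row["id.orig_h"]
        if orig in probe_ips:
            continue  # uptime probes are not attacks
        day = datetime.fromtimestamp(float(row["ts"]), timezone.utc).date().isoformat()
        # Zeek writes "-" for unset fields; assumption: they count as zero.
        num = lambda key, cast: cast(row[key]) if row[key] != "-" else cast(0)
        t = totals[(day, orig)]
        t[0] += 1                         # flows: rows with this id.orig_h
        t[1] += num("duration", float)    # duration: summed flow durations
        t[2] += num("orig_pkts", int)     # packets: originator packets only
        t[3] += num("orig_bytes", int)    # bytes: originator bytes only
    return dict(totals)

def to_csv(totals):
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["date", "orig", "flows", "duration", "packets", "bytes"])
    for (day, orig), vals in sorted(totals.items()):
        w.writerow([day, orig, *vals])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(aggregate(SAMPLE_CONN_LOG, probe_ips={"203.0.113.50"})), end="")
```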
Tools
Zeek connection logs were processed using the [AIP](https://github.com/stratosphereips/AIP) tool to generate the aggregated data for this dataset. Zeek version 2.6-264 and AIP version 2.0 were used.
Data cleaning
The IPs removed from the dataset corresponding to the active probe service were:
Contact
For information or questions about this dataset, contact us at stratosphere@aic.fel.cvut.cz with the subject: CTU-AIP-Attacks-2022.
References
[1] The Zeek Network Security Monitor, https://zeek.org/. Accessed on 03/03/2023.
[2] base/protocols/conn/main.zeek -- Book of Zeek (git/master), https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html. Accessed on 03/03/2023.
Created:
2023-03-06



