CICIDS-2017: An Intrusion Detection System Evaluation Dataset Based on Quantitative Analysis and Prediction of Trusted Behavior

Indexed by the National Basic Science Data Center (国家基础学科公共科学数据中心) on 2026-01-30
Download link:
https://nbsdc.cn/general/dataDetail?id=67d50c23195d260905af93a4&type=1
Resource description:
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are the most important defensive tools against sophisticated and ever-growing network attacks. Because reliable test and validation datasets are lacking, anomaly-based intrusion detection methods have been struggling to achieve consistent and accurate performance advancements. Our evaluation of 11 recent datasets shows that most of them are outdated and unreliable. Some lack traffic diversity and volume, some do not cover the variety of known attacks, others anonymize packet payload data and so cannot reflect current trends, and some also lack feature sets and metadata. The CICIDS2017 dataset contains benign traffic and up-to-date common attacks, and resembles real-world data. It also includes the results of network traffic analysis using CICFlowMeter, with flows labeled by timestamp, source and destination IP, source and destination port, protocol, and attack. The dataset consists of 8 data files:

1. Thursday-WorkingHours-Afternoon-Infilteration.pcap_ISCX.csv: web attack data, 79.25 MB
2. Wednesday-workingHours.pcap_ISCX.csv: DDoS attack data, 214.74 MB
3. Tuesday-WorkingHours.pcap_ISCX.csv: FTP attack data, 128.82 MB
4. Monday-WorkingHours.pcap_ISCX.csv: benign traffic data, 168.73 MB
5. Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv: SSH attack data, 49.61 MB
6. Friday-WorkingHours-Morning.pcap_ISCX.csv: botnet attack data, 55.62 MB
7. Friday-WorkingHours-Afternoon-DDos.pcap_ISCX.csv: DDoS attack data, 73.55 MB
8. Friday-WorkingHours-Afternoon-PortScan.pcap_ISCX.csv: port scan attack data, 73.34 MB
Provided by:
Sichuan University
Collected summary
Dataset introduction
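Background and challenges
Background overview
This dataset, CICIDS-2017, is designed for evaluating intrusion detection systems. It contains benign traffic and data for several common network attacks, simulating a real network environment to address the insufficient reliability of existing datasets. The data consist of labeled flow files generated through CICFlowMeter analysis, covering attack types such as web attacks, DDoS and FTP attacks, with a total size of about 844.77 MB.
The above content was collected and summarized by 遇见数据集.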