TRUST Lab [Dataset]

Key Characteristics: Single-Class Session Policy: The dataset is built on a design where each capture session contains exclusively benign traffic or a single attack family. This prevents temporal overlap and ensures that every bi-flow has an unambiguous label. Modern Traffic and APIs: The benign traffic simulates enterprise-grade services (HTTP/S, DNS, SSH, MySQL) and includes modern API traffic (REST, GraphQL, SOAP), which is critical for representing contemporary edge environments. Diverse Threat Coverage: It incorporates 15 distinct attack families, including volumetric attacks (DDoS/DoS), reconnaissance (Portscan), web and API exploits, brute force, DNS abuse, MITM, NIDS evasion, and persistence vectors like C2/beaconing and exfiltration. CICFlowMeter Integration: The raw traffic was processed using CICFlowMeter (version 4.0) to generate bidirectional flows (bi-flows). It provides a standardized schema of 80 statistical features per flow, allowing for lightweight detection without payload inspection. Structure and Scale: The dataset comprises approximately 4.6 million bi-flows distributed across 16 independent single-class CSV files. This modular structure allows researchers to construct custom distributions and prevents temporal leakage during model training. Realistic Imbalance: The data reflects a realistic traffic distribution where benign activity dominates, with a ratio of approximately 1.3:1 between benign and malicious flows.