AdDDoSDN: Adversarial DDoS Attacks Dataset for Software-Defined Networks

The AdDDoSDN dataset is a comprehensive network traffic corpus built for defensive SDN research, capturing coordinated DDoS attacks and benign enterprise activity through controlled Mininet experiments driven by a remote Ryu L3 controller to deliver high-quality labeled data for real-time detection development. The environment emulates a segmented four-subnet enterprise: h1 (192.168.10.10/24) acts as the external attacker, h2–h5 (192.168.20.10–13/24) form the corporate client subnet with h2 handling ICMP exchanges and h3/h5 generating rich TCP and UDP application sessions, h6 (192.168.30.10/24) resides in the server/DMZ subnet as the primary victim, and controller services operate on 192.168.0.0/24, providing realistic inter-subnet attack paths while preserving centralized SDN visibility. The dataset follows a structured, configurable timeline sourced from config.json, with the default cycle spanning roughly 35 minutes per run: a 5-second initialization period, 1,600 seconds of benign traffic mixing ICMP, Telnet, SSH, FTP, HTTP/S, and DNS exchanges, enhanced traditional attacks from h1 including an 88-second SYN flood and 176-second UDP flood against h6, plus an 88-second ICMP flood toward h4, and adversarial attacks from h1 to h6 comprising a 72-second TCP state-exhaustion phase with human-like timing patterns, a 24-second application-layer mimicry burst combining heavy HTTP range/post requests with legitimate queries, and a 72-second slow-read phase sustaining long-lived connections. Traditional phases operate around 20–30 packets per second with protocol-compliant options, while adversarial scripts emphasize mimicry and timing jitter. The dataset provides three synchronized data products derived from each capture cycle: 1. Packet-level data (adddosdn_packet_dataset.csvv): 30 header fields + 2 labels extracted directly from PCAP phases. 2. SDN flow-level data (adddosdn_flow_dataset.csv): Controller statistics with derived rates and labels collected via the Ryu REST API. 3. CICFlow aggregated data (adddosdn_cicflow_dataset.csv): 85 bidirectional behavioral features generated with CICFlowMeter. The dataset demonstrates exceptional quality containing 3.5 million total records across dataset instances, each representing different temporal scenarios. Labels span normal, syn_flood, udp_flood, icmp_flood, ad_syn, ad_udp, and ad_slow, with Label_binary collapsing them into benign (0) versus malicious (1) classes to maintain consistency across packet, controller-flow, and behavioral representations.