NCC-2 Dataset: Simultaneous Botnet Dataset

DataCite Commons. Updated 2025-04-01. Indexed 2025-04-16.
Download link:
https://data.mendeley.com/datasets/8dpt85jrhp
Description:
This dataset simulates botnet attacks using botnet activity from CTU-13 [1] and NCC [2]. The simulation extracts all scenarios from the two datasets to determine attack activity, attack phases, and the time difference between attacks and normal activities [3]. The output of the dataset is stored as bidirectional network flow (binetflow) files. The proposed dataset contains 18 features that are used to identify network traffic as network headers. This dataset contains simultaneous botnet activity compared to the case of multiple attack activities carried out in short time intervals. Simultaneous attack activity is a more advanced analytical characteristic than the sporadic attacks in CTU-13 and the periodic attacks in NCC. Sporadic botnets carry out attack activities that peak at random periods. Periodic botnets have organized attack arrival times, so attack activity can be identified in each time segment [4]. Botnet attacks with simultaneous characteristics are significantly more intense than sporadic and periodic attacks. The characteristics of simultaneous attacks compel a security system with limited resources to deal with many attacks at the same time in a very short time period. Different sensor detection methods can identify the same type of bot or attack behavior in parallel with simultaneous activities.
Provider:
Mendeley
Created:
2022-07-19