Merge pull request #24 from fkie-cad/add-dataset-1-cic-dos

Add "CIC DoS" dataset
fkie-cad · Apr 2, 2024 · 83dbd06 · 83dbd06
2 parents 59af3e0 + 85ba9b0
commit 83dbd06
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 4 deletions.
diff --git a/content/all_datasets.md b/content/all_datasets.md
@@ -15,6 +15,7 @@ before-content: gh_buttons.html
 | [ASNM Datasets](../datasets/asnm_datasets)                                                         |    Network     | Specialized features extracted from instances of remote buffer overflow attacks for the purpose of anomaly-based detection                                        | 2009-2018 | Mixed                | Windows, Linux          |    🟩     | Custom NetFlows                                                                      |       21 MB |         95 GB |
 | [AWSCTD](../datasets/awsctd)                                                                       |      Host      | Syscalls collected from  ~10k malware samples running on Windows 7, no user emulation                                                                             |      2018 | Single OS            | Windows                 |    🟩     | Sequences of syscall numbers                                                         |       10 MB |        558 MB |
 | [CDX CTF 2009](../datasets/cdx_2009)                                                               |    Network     | Dataset captured from a CTF event, generally intended to provide methods for reliable generating labeled datasets from such events                                |      2009 | Enterprise IT        | Windows, Linux          |    🟨     | pcaps, Snort IDS alerts, Apache logs, Splunk logs                                    |       12 GB |       15,3 GB |
+| [CIC DoS](../datasets/cic_dos)                                                                     |    Network     | Dataset focusing on different DoS attacks targeting the application layer (instead of network layer), but no longer available                                     |      2017 | Enterprise IT        | Linux                   |    🟩     | Network traffic (unknown format)                                                     |           - |        4,6 GB |
 | [CIC-IDS2017](../datasets/cic_ids2017)                                                             |    Network     | Simulation of medium-sized company network under attack, focuses solely on network traffic                                                                        |      2017 | Enterprise IT        | Windows, Linux          |    🟩     | pcaps, NetFlows, custom network features                                             |     48,4 GB |         50 GB |
 | [CIDD](../datasets/cidd)                                                                           |       -        | Spin on the DARPA'98 dataset, correlating user behavior over different systems/environments for behavior-based IDSs                                               |      2012 | Military IT          | Unix                    |    🟩     | Sequences of user "audits"                                                           |           - |         22 GB |
 | [CLUE-LDS](../datasets/clue_lds)                                                                   |       -        | Database of real user behavior without known attacks, for evaluation of methods detecting shifts in user behavior                                                 |      2022 | Enterprise Subsystem | - (hBox)                |    🟥     | Custom event logs                                                                    |      640 MB |       14,9 GB |

diff --git a/content/datasets/cic_dos.md b/content/datasets/cic_dos.md
@@ -0,0 +1,73 @@
+---
+title: CIC DoS
+---
+
+- [Overview](#overview)
+- [Environment](#environment)
+- [Activity](#activity)
+- [Contained Data](#contained-data)
+- [Papers](#papers)
+- [Links](#links)
+- [Related Entries](#related-entries)
+
+| <!-- -->                 | <!-- -->              |
+|--------------------------|-----------------------|
+| **Network Log Source**   | Unknown               |
+| **Network Logs Labeled** | Presumably            |
+| **Host Log Source**      | -                     |
+| **Host Logs Labeled**    | -                     |
+|                          |                       |
+| **Overall Setting**      | Single OS             |
+| **OS Types**             | Apache Linux          |
+| **Number of Machines**   | 1                     |
+| **Total Runtime**        | 24 hours              |
+| **Year of Collection**   | 2017                  |
+| **Attack Categories**    | Application-layer DoS |
+| **User Emulation**       | n/a                   |
+|                          |                       |
+| **Packed Size**          | n/a                   |
+| **Unpacked Size**        | 4,6 GB                |
+| **Download Link**        | Currently unavailable |
+
+***
+
+### Overview
+The Canadian Institute for Cybersecurity (CIC) DoS dataset focuses on Denial-of-Services attacks targeting the application layer (as opposed to the network layer).
+The authors argue that these types of DoS attacks commonly avoid traditional network-layer based detection mechanisms, requiring a novel approach.
+Specifically, they focus mostly on low-volume DoS attacks, which are characterized by "small amounts of attack traffic transmitted strategically to a victim", whereas high-volume attacks are more similar to traditional DoS attacks, relying on flooding the application layer with requests.
+As part of this research, and due to the lack of usable datasets of this kind, the authors introduce the CIC DoS dataset, which consists of 24 hours of traffic collected from a webserver being the victim of such attacks.
+However, the dataset is no longer available for unknown reasons, making it both difficult and somewhat pointless to provide a lot of detailed information here.
+
+### Environment
+The victim setup consists of a webserver running Apache Linux v2.2.22, PHP5 and Drupal v7 as a content management system.
+Further details are not available.
+
+### Activity
+The declared goal of executed attacks was to render services on the server side unresponsive while being as stealthy and resource-efficient as possible, including stopping attacks as soon as servers became unresponsive.
+The authors state that attacks were selected to match the most common types of application layer DoS, resulting in a mix of high- and log-volume attacks.
+These attacks were executed leveraging a several publicly available tools such as [Goldeneye](https://github.com/jseidl/GoldenEye) or [Slowloris](https://github.com/gkbrk/slowloris), for a total of eight attacks:
+- High-volume HTTP attacks:
+  - DoS improved GET
+  - DDoS GET
+  - DoS GET
+- Low-volume HTTP attacks
+  - slow-send body (twice with different tools)
+  - slow-send headers (twice with different tools)
+  - slow-read
+
+Additional details can be found in chapter 6 of the cited paper.
+
+### Contained Data
+Traffic from executed attacks was intermixed with benign traces from the [ISCX Intrusion Detection Evaluation Dataset](iscx_ids_2012.md).
+Attack traffic was presumably modified to target servers from the ISCX environment, for a total of 24 hours of attack traffic.
+In which format (pcaps, NetFlows, custom features, etc.) this data is available is unknown and also not detailed in the paper.
+I would assume data is labeled, but obviously have no way to confirm this.
+
+### Papers
+- [Detecting HTTP-based Application Layer DoS Attacks on Web Servers in the Presence of Sampling (2017)](https://doi.org/10.1016/j.comnet.2017.03.018)
+
+### Links
+- [Homepage](https://www.unb.ca/cic/datasets/dos-dataset.html)
+
+### Related Entries
+- [ISCX Intrusion Detection Evaluation Dataset](iscx_ids_2012.md)
diff --git a/content/related_work.md b/content/related_work.md
@@ -3,10 +3,10 @@ title: Related Work
 ---
 
 This page lists publications and collections covering IDS datasets.
-Related publications, sorted by year or release, are any academic work that at least partially covers the topic of available IDS datasets.
+Related publications, sorted by year of release, are any academic work that at least partially covers the topic of available IDS datasets.
 Collections, sorted alphabetically, simply features agglomerations of IDS-related datasets not backed by a scientific publication.
 
-Each entry consists of citation and a brief description of the survey's scope of selected datasets.
+Each entry consists of a citation and a brief description of the survey's scope of selected datasets.
 Additionally, for publications, all datasets discussed in the survey are also listed, linking to their respective entries on this website, if available.
 
 ## Contents
@@ -68,7 +68,7 @@ Referenced datasets:
 - [CIC-IDS 2017](/intrusion-detection-datasets/content/datasets/cic_ids2017)
 - [CSE-CIC-IDS 2018](/intrusion-detection-datasets/content/datasets/cse_cic_ids2018)
 - [CTU 13](/intrusion-detection-datasets/content/datasets/ctu_13)
-- CIC DoS
+- [CIC DoS](/intrusion-detection-datasets/content/datasets/cic_dos)
 - [DARPA'98 Intrusion Detection Program](/intrusion-detection-datasets/content/datasets/darpa98)
 - [gureKDDCup](/intrusion-detection-datasets/content/datasets/gure_kddcup)
 - [ISCX IDS 2012](/intrusion-detection-datasets/content/datasets/iscx_ids_2012)
@@ -165,7 +165,7 @@ Referenced datasets:
 - Booters Dataset
 - ISCX Botnet 2014
 - [CDX CTF 2009](/intrusion-detection-datasets/content/datasets/cdx_2009)
-- CIC DoS
+- [CIC DoS](/intrusion-detection-datasets/content/datasets/cic_dos)
 - [CIC-IDS 2017](/intrusion-detection-datasets/content/datasets/cic_ids2017)
 - CIDDS-001 & 002
 - [CSE-CIC-IDS 2018](/intrusion-detection-datasets/content/datasets/cse_cic_ids2018)