The document describes three related datasets: ASNM-TUN, ASNM-NPBO, and ASNM-CDX-2009. ASNM-TUN contains network traffic with tunnelling obfuscation techniques applied to malicious traffic. ASNM-NPBO contains non-payload-based obfuscation techniques applied to malicious and some legitimate traffic. ASNM-CDX-2009 contains features extracted from traffic in the CDX-2009 dataset involving vulnerable network services. All three datasets were created to evaluate machine learning classifiers and contain labels to classify the traffic.

ASNM-TUN Dataset:

(http://www.fit.vutbr.cz/~ihomoliak/asnm/ASNM-TUN.html)

The ASNM-TUN dataset (Advanced Security Network Metrics & Tunnelling Obfuscations) consists of
ASNM features extracted from a tcpdump capture that contains tunnelling obfuscation techniques
applied to malicious traffic, together with legitimate network traffic samples. It was created with
the intention of evading, and thereby improving, machine learning classifiers.

The ASNM-TUN dataset was built in laboratory conditions using a custom virtual network architecture
(see Figure 2), where we simulated malicious TCP connections on a few selected vulnerable network
services. The selected vulnerabilities are presented in Table IV, which also contains their Common
Vulnerabilities and Exposures (CVE) IDs and Common Vulnerability Scoring System (CVSS) values.

The ASNM-TUN dataset contains four types of labels, listed in increasing order of their granularity:

• label_2: a two-class label, which indicates whether a given sample represents a network
buffer overflow attack or a legitimate communication.
• label_3: a three-class label, which distinguishes among legitimate traffic (symbol 3), direct
attacks (symbol 1), and obfuscated network attacks (symbol 2).
• label_poly: a label composed of two parts: (a) a three-class label, and (b) an acronym of a
network service. This label represents the type of communication on a particular network
service.
• label_poly_s: a label composed of three parts: (a) a three-class label, (b) an acronym of a network
service, and (c) the network modification technique employed. This label has almost the same
interpretation as the previous one, but in addition it identifies the network modification
technique employed.

ASNM-NPBO Dataset:

(http://www.fit.vutbr.cz/~ihomoliak/asnm/ASNM-NPBO.html)

The ASNM-NPBO (Advanced Security Network Metrics & Non-Payload-Based Obfuscations) dataset was
created with the intention of evading, and thereby improving, machine learning classifiers. The dataset
contains non-payload-based obfuscation techniques (which modify the properties of network flows)
applied to malicious traffic and to several samples of legitimate traffic. Its features are extracted
from a tcpdump capture of obfuscated malicious and legitimate TCP communications on selected
vulnerable network services. The vulnerable services were selected for the high severity of their
successful exploitation, which leads to remote shell code execution through an established backdoor
communication.

The legitimate representatives of the dataset were collected from two sources. The first source was
a legitimate traffic simulation in our virtual network architecture, which also employed non-
payload-based obfuscations for the purpose of realistic network simulation. As the second source,
common usage of all selected services was captured in a campus network; all of this traffic was
anonymized and further filtered for high-severity alerts by the signature-based NIDS Suricata and
Snort, and through the VirusTotal API. Note that Snort was equipped with the Sourcefire VRT ruleset
and Suricata utilized the Emerging Threats ETPro ruleset. The final composition of the dataset is
depicted in the table.

ASNM-CDX 2009 Dataset:

(http://www.fit.vutbr.cz/~ihomoliak/asnm/ASNM-CDX-2009.html)

The ASNM-CDX-2009 dataset (Advanced Security Network Metrics & CDX 2009 dataset) consists of
ASNM features extracted from a tcpdump capture of malicious and legitimate TCP communications on
network services that are vulnerable to buffer overflow attacks and are included in the CDX-2009
dataset of network traffic dumps. The final composition of the dataset is depicted in the table.

ASNM-CDX-2009 dataset contains two types of labels that are enumerated by increasing order of
their granularity in the following:

• label_2: is a two-class label, which indicates whether an actual sample represents a network
buffer overflow attack or legitimate traffic.
• label_poly: is composed of two parts that are delimited by a separator: (a) a two-class label
where legitimate and malicious communications are represented by symbols 0 and 1,
respectively, and (b) an acronym of network service. This label represents the type of
communication on a particular network service.
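The composite labels described for ASNM-TUN (label_poly, label_poly_s) and for ASNM-CDX-2009 (label_poly) carry the coarser labels inside them, so a practitioner loading either dataset can parse the finest label, derive label_2 and label_3 from it, check that the separately stored coarse labels agree, and inspect the class balance per service before training a classifier. The following is an added example, not code from the dataset description or from the ASNM project. It assumes an underscore as the part separator (the page only says the parts are "delimited by a separator"), and the service acronyms and technique names in the constructed sample labels are placeholders, not values taken from the datasets.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

SEPARATOR = "_"  # assumption: the page only says the parts are "delimited by a separator"

# ASNM-TUN three-class symbols, as given on the page
DIRECT_ATTACK, OBFUSCATED_ATTACK, LEGITIMATE = 1, 2, 3
LABEL_3_NAMES = {DIRECT_ATTACK: "direct", OBFUSCATED_ATTACK: "obfuscated", LEGITIMATE: "legitimate"}

# ASNM-CDX-2009 two-class symbols, as given on the page
CDX_LEGITIMATE, CDX_MALICIOUS = 0, 1


@dataclass(frozen=True)
class TunSample:
    """One ASNM-TUN sample, described by its finest available label."""
    label_3: int
    service: str                # acronym of the network service
    technique: Optional[str]    # network modification technique; None when parsed from label_poly

    @property
    def label_2(self) -> bool:
        """Two-class label: True for a buffer-overflow attack, whether direct or obfuscated."""
        return self.label_3 in (DIRECT_ATTACK, OBFUSCATED_ATTACK)

    @property
    def label_poly(self) -> str:
        """The two-part label (three-class symbol + service) implied by this sample."""
        return f"{self.label_3}{SEPARATOR}{self.service}"


def parse_tun_label(label: str) -> TunSample:
    """Parse an ASNM-TUN label_poly (2 parts) or label_poly_s (3 parts) string."""
    parts = label.split(SEPARATOR, 2)  # keep any further separator inside the technique name
    if len(parts) < 2:
        raise ValueError(f"expected at least 2 parts in {label!r}")
    label_3 = int(parts[0])
    if label_3 not in LABEL_3_NAMES:
        raise ValueError(f"three-class symbol must be 1, 2 or 3, got {label_3} in {label!r}")
    technique = parts[2] if len(parts) == 3 else None
    return TunSample(label_3, parts[1], technique)


def parse_cdx_label(label: str) -> Tuple[int, str]:
    """Parse an ASNM-CDX-2009 label_poly: two-class symbol (0 or 1) plus service acronym."""
    symbol_text, service = label.split(SEPARATOR, 1)
    symbol = int(symbol_text)
    if symbol not in (CDX_LEGITIMATE, CDX_MALICIOUS):
        raise ValueError(f"two-class symbol must be 0 or 1, got {symbol} in {label!r}")
    return symbol, service


def check_tun_consistency(label_2_is_attack: bool, label_3: int, label_poly_s: str) -> bool:
    """True when the coarse labels stored with a sample agree with its label_poly_s."""
    sample = parse_tun_label(label_poly_s)
    return sample.label_2 == label_2_is_attack and sample.label_3 == label_3


def summarize_tun(labels: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count direct, obfuscated and legitimate samples per service (a class-balance check)."""
    counts: Dict[str, Dict[str, int]] = {}
    for label in labels:
        sample = parse_tun_label(label)
        per_service = counts.setdefault(sample.service, {name: 0 for name in LABEL_3_NAMES.values()})
        per_service[LABEL_3_NAMES[sample.label_3]] += 1
    return counts


# Constructed placeholder labels: the service acronyms and technique names are NOT from the dataset.
CONSTRUCTED_TUN_LABELS = [
    "1_svcA_none",
    "2_svcA_tunnelX",
    "3_svcA_none",
    "2_svcB_tunnelY",
    "3_svcB_none",
]

if __name__ == "__main__":
    for label in CONSTRUCTED_TUN_LABELS:
        s = parse_tun_label(label)
        print(f"{label:16} -> label_2={s.label_2!s:5} label_3={s.label_3} label_poly={s.label_poly}")
    print(summarize_tun(CONSTRUCTED_TUN_LABELS))
```

The consistency check is the part worth keeping in a loading pipeline: a mismatch between a stored label_2 and the symbol at the front of label_poly_s indicates a corrupted or mis-joined row, and silently training on it would put an obfuscated attack into the legitimate class.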
