
KIS 2019 network traffic dataset


  • Authors: Jana Uramová, Tomáš Mokoš, Patrik Rodina, Peter Seemann, Miroslav Kohútik

This article describes the KIS 2019 network traffic dataset. If you wish to access this dataset, contact us by e-mail at dataset[AT]kis.fri.uniza.sk.

The KIS 2019 dataset was created by Tomáš Mokoš as part of his diploma thesis at the Department of Information Networks of the University of Žilina’s Faculty of Management Science and Informatics.

The KIS 2019 dataset consists of one 12 GB PCAP file and a set of associated files describing the traffic contained in it. The network traffic in the dataset consists of attack and benign traffic, both of which are tagged accordingly in the PCAP file.

Data capture took place on 23 April 2019 during a six-hour window between 13:00 and 19:00. Five different operating systems appear in the dataset, and the attack scenarios cover several types of attacks. Thanks to the use of Wireshark and tcpdump, the dataset includes the complete network traffic of both the attackers and the victims. Moreover, in addition to the network traffic itself, the dataset also contains the victims’ log files, which help in analysing their behaviour during the attacks.

During the creation of the KIS 2019 dataset we drew on our analysis of the datasets created by researchers from the Canadian Institute for Cybersecurity (CIC). CIC has been involved in the creation of publicly available network traffic datasets since 1998, and in 2016 they identified eleven criteria that a reliable benchmark dataset has to meet. KIS 2019 meets all of these criteria, which are expanded upon below.

Complete Network configuration:

There are several types of network devices used in the dataset, including routers, switches, a firewall, a web server and client PCs.

Complete Traffic:

Network traffic generation was handled by supplementing the benign traffic from the cloud machines with additional network traffic from a Flowmon probe.

Labeled dataset:

Both the attack and benign traffic in the dataset have been distinctly tagged. Attack traffic contains additional tags, identifying the individual attacks.

Complete Interaction:

As part of the communication capture in the individual networks, the devices were running either Wireshark or tcpdump, depending on their operating system.

Complete Capture:

Complete capture was ensured by using the Moloch packet capture system; Wireshark and tcpdump were used as well.

Available Protocols:

Several types of protocols are present in the dataset including HTTP, HTTPS, FTP, SSH and others.

Attack Diversity:

The dataset contains some of the most common attacks according to the 2016 McAfee report: a web-based attack, brute-force, DoS, DDoS, backdoor infiltration, botnet and network scan attacks.

Anonymity:

Public IP addresses were replaced by addresses in a private IP range.

Heterogeneity:

Besides network traffic itself, the dataset also contains log files from the individual user devices.

Feature set:

CICFlowMeter was used to extract network flow features; its output is part of the dataset.

Metadata:

The documentation contains a description of the network infrastructure, the devices used, network traffic generation and the attack scenarios.

Network infrastructure

Network infrastructure of the KIS 2019 dataset consists of two networks. The victims are located in a network in the school lab, while the attackers are located in the faculty department’s cloud.

[Figure: Network topology of the dataset]

Attackers’ network

The attackers’ network consists of three machines. The vast majority of the attacks were performed from the machine with Kali Linux operating system. The remaining two devices were used to perform web attacks and a DDoS attack.

IP address      | Operating system     | Processor                                 | RAM
192.168.153.165 | Kali Linux           | 2x Intel Core Processor (Skylake) 2.10GHz | 4 GB
192.168.153.143 | Windows 10 Pro 64bit | 2x Intel Core Processor (Skylake) 2.10GHz | 8 GB
192.168.153.176 | Windows 10 Pro 64bit | 2x Intel Core Processor (Skylake) 2.10GHz | 8 GB

Victims’ network

The victims’ network consists of one server with Ubuntu Server 16.04 operating system and three clients, with two having OS Ubuntu 18.04 and the third one having Windows 7.

IP address      | Operating system    | Processor                | RAM
192.168.139.184 | Ubuntu Server 16.04 | i5-4460, 3.20GHz, 1 core | 4 GB
192.168.139.185 | Ubuntu 18.04 LTS    | i5-4460, 3.20GHz, 1 core | 2 GB
192.168.139.187 | Ubuntu 18.04 LTS    | i5-4460, 3.20GHz, 1 core | 2 GB
192.168.139.173 | Windows 7 32bit     | i5-4460, 3.20GHz, 1 core | 2 GB

Attack scenarios

The following types of attacks and tools were used:

  • DoS – Hulk, Slowhttptest, Xerxes, GoldenEye
  • DDoS – LOIC
  • Network scanning – Nmap
  • Brute-force attack – Patator
  • Web attacks – SQL Injection, XSS
  • Botnet – Ares
  • Infiltration – Metasploit

Network scanning

This type of attack was performed using Nmap. The attack originated from the Kali Linux machine (192.168.153.165) against devices located in the victims’ network. First, we found out which devices were up, then we looked for open ports, and finally we detected the running services and operating systems. The output revealed that the network contained four live devices.
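Seen from the victims’ side, the port-scan phase of such a run is a single source touching many distinct ports on one host within a few seconds. The following is an added example (ours, not part of the dataset or the thesis tooling) that flags that pattern in flow records; the records are constructed to mimic the 13:49:11–13:49:25 scan of 192.168.139.184, and the record layout, window and threshold are assumptions.

```python
"""Flag port scans in (timestamp, src, dst, dst_port) records.

Added example; not the dataset authors' code. Detects the classic Nmap
signature: one source probing many distinct ports on one destination within
a short window. The sample records below are constructed, not taken from the
dataset, and the window/threshold values are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def detect_port_scans(records, port_threshold=20, window=timedelta(seconds=30)):
    """Return {(src, dst): info} for every pair that hits >= port_threshold
    distinct destination ports within `window`. Records may arrive unsorted."""
    recent = defaultdict(deque)    # (src, dst) -> deque of (ts, port) inside the window
    ports = defaultdict(Counter)   # (src, dst) -> port -> hits inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(records, key=lambda r: r[0]):
        key = (src, dst)
        q, c = recent[key], ports[key]
        q.append((ts, dport))
        c[dport] += 1
        # Expire probes that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _, old_port = q.popleft()
            c[old_port] -= 1
            if c[old_port] == 0:
                del c[old_port]
        if len(c) >= port_threshold and key not in alerts:
            alerts[key] = {"first_probe": q[0][0], "triggered": ts, "distinct_ports": len(c)}
    return alerts


def sample_records():
    """Constructed flow records: a 50-port scan plus ordinary web traffic to the same host."""
    t0 = datetime(2019, 4, 23, 13, 49, 11)
    scan = [(t0 + timedelta(milliseconds=200 * i), "192.168.153.165", "192.168.139.184", port)
            for i, port in enumerate(range(1, 51))]
    web = [(t0 + timedelta(seconds=i), "192.168.139.185", "192.168.139.184", 80 if i % 2 else 443)
           for i in range(40)]
    return scan + web


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(sample_records()).items():
        print(f"{src} -> {dst}: {info['distinct_ports']} ports, "
              f"{info['first_probe']:%H:%M:%S} to {info['triggered']:%H:%M:%S}")
```

The benign client hits only ports 80 and 443 and never trips the threshold; the scanner is flagged on its twentieth distinct port. Lowering the window is what catches Nmap’s slower timing templates; raising the threshold is what keeps busy legitimate clients quiet.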

Brute-force SSH and FTP attack

We used Patator to perform the brute-force attacks. Patator can brute-force several services, e.g. SSH, FTP, SMB and Telnet. In this case, we used it against the SSH and FTP services of the Ubuntu Server (192.168.139.184). SSH was broken at 14:22:15 and FTP at 14:59:38. In a third run we attacked the SSH service of the Ubuntu 18.04 LTS client (192.168.139.187); the SSH login succeeded at 15:25:17.
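Because the dataset also ships the victims’ log files, the same run can be traced in the Ubuntu server’s auth.log: sshd writes one “Failed password” line per guess and an “Accepted password” line on success. Below is an added example (ours, not code from the dataset) that flags a burst of failures from one source and then any later accepted login from that source; the log excerpt is constructed to mirror the 14:05–14:23 window, and the threshold, window and log year are assumptions.

```python
"""Spot an SSH brute-force run, and its eventual success, in sshd auth.log lines.

Added example, not the dataset's tooling. A brute-force run is a burst of
"Failed password" lines from one source; a compromise is an "Accepted password"
line from that same source afterwards. The log lines below are constructed,
and the threshold/window values are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2019  # syslog timestamps carry no year; the capture is from 2019 (assumption)

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_sshd_line(line):
    """Return {ts, result, user, ip} for a password-auth line, else None."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Emit one 'bruteforce' alert per source that reaches `threshold` failures
    inside `window`, and a 'success-after-bruteforce' alert for every later
    accepted login from such a source."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "bruteforce", "ip": ev["ip"], "ts": ev["ts"], "user": None})
        elif ev["ip"] in flagged:
            alerts.append({"type": "success-after-bruteforce", "ip": ev["ip"],
                           "ts": ev["ts"], "user": ev["user"]})
    return alerts


# Constructed auth.log excerpt modelled on the 14:05-14:23 SSH run against 192.168.139.184.
SAMPLE_AUTH_LOG = [
    "Apr 23 14:05:01 ubuntu sshd[1201]: Failed password for invalid user admin from 192.168.153.165 port 40102 ssh2",
    "Apr 23 14:05:02 ubuntu sshd[1203]: Failed password for invalid user test from 192.168.153.165 port 40104 ssh2",
    "Apr 23 14:05:02 ubuntu CRON[1210]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Apr 23 14:05:03 ubuntu sshd[1205]: Failed password for root from 192.168.153.165 port 40106 ssh2",
    "Apr 23 14:05:04 ubuntu sshd[1207]: Failed password for user from 192.168.153.165 port 40108 ssh2",
    "Apr 23 14:05:05 ubuntu sshd[1209]: Failed password for user from 192.168.153.165 port 40110 ssh2",
    "Apr 23 14:10:30 ubuntu sshd[1300]: Failed password for bob from 192.168.139.185 port 50000 ssh2",
    "Apr 23 14:22:15 ubuntu sshd[1402]: Accepted password for user from 192.168.153.165 port 41234 ssh2",
]

if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

A source stays flagged for the rest of the log on purpose: the login that matters is the one that arrives after the guessing, however long the run took. A single typo from the client at 192.168.139.185 never reaches the threshold.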

SQL Injection

SQL injection is a type of attack that exploits applications which build SQL statements by concatenating untrusted input, so that attacker-supplied text becomes part of the query. We installed DVWA (Damn Vulnerable Web Application) on the Ubuntu Server (192.168.139.184). DVWA is a PHP/MySQL web application with deliberately built-in flaws that security professionals use to test their skills and tools in a legal environment. The attack originated from a Windows 10 machine (192.168.153.143). The attacker used several SQL queries, e.g. "%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #". Using these queries, the attacker retrieved logins, passwords and other data from the database.
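To show what that payload does to the query, here is an added example (ours, not DVWA’s or the dataset’s code) with a DVWA-style lookup beside its parameterised form. The payload above is MySQL syntax (concat(), the 0x0a hex literal, the # comment); the example runs on SQLite so it works offline, so an equivalent payload using ||, char(10) and -- is given next to the original. The users rows are constructed.

```python
"""DVWA-style SQL injection reproduced offline: vulnerable vs parameterised lookup.

Added example, not DVWA's or the dataset authors' code. DVWA's SQL Injection
page splices the `id` parameter into
    SELECT first_name, last_name FROM users WHERE user_id = '<id>'
The page's payload targets MySQL; the SQLite adaptation below does the same
thing with '||' concatenation, char(10) and a '--' comment. The user rows are
constructed placeholders, not DVWA's data.
"""
import sqlite3

# Payload as used against DVWA in the dataset (MySQL syntax).
PAYLOAD_MYSQL = ("%' and 1=0 union select null, "
                 "concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #")

# The same attack rewritten for SQLite.
PAYLOAD_SQLITE = ("%' and 1=0 union select null, "
                  "first_name || char(10) || last_name || char(10) || user || char(10) || password "
                  "from users -- ")


def make_db():
    """In-memory stand-in for DVWA's users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT,
            user TEXT, password TEXT);
        INSERT INTO users VALUES
            (1, 'admin', 'admin', 'admin', 'hash-of-admin-password'),
            (2, 'Gordon', 'Brown', 'gordonb', 'hash-of-gordonb-password');
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA-style: untrusted input is spliced into the statement text, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same query with a bound parameter: the input can only ever be a value,
    never additional SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:          ", lookup_vulnerable(db, "1"))
    print("injected lookup:        ", lookup_vulnerable(db, PAYLOAD_SQLITE))
    print("parameterised + payload:", lookup_safe(db, PAYLOAD_SQLITE))
```

The first SELECT matches nothing (user_id = '%' and 1=0), so every row the page renders comes from the attacker’s UNION: the null fills the first_name column and the concatenated record lands in last_name, which is why the dump shows up as one newline-separated blob per user. With the bound parameter the same string is compared against user_id as a value and returns no rows.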

Cross-site scripting

Cross-site scripting (XSS) is a type of attack in which attacker-controlled script is injected into a web page so that it runs in the browsers of the page’s other users. In our case the attacker was one of the Windows 10 machines (192.168.153.143) and the victim was the Ubuntu Server (192.168.139.184). The attacker injected script payloads into the vulnerable pages.

DoS

Hulk, Slowhttptest, Xerxes and GoldenEye were used for this type of attack. The attacker was the Kali Linux machine (192.168.153.165) and the victim was the Ubuntu Server (192.168.139.184) with Apache httpd 2.4.18 installed. The server became unavailable in a matter of seconds.

DDoS

We used LOIC to perform this scenario. The attack utilized the two Windows 10 machines (192.168.153.143, 192.168.153.176) and the victim was the Ubuntu Server (192.168.139.184) with Apache httpd 2.4.18. Just like in the DoS case, the server became unavailable in a matter of seconds.

Infiltration

Infiltration involves the victim running a malicious program that grants the attacker access to the victim’s command line. In this scenario we used the Metasploit framework to generate a payload that connects back to the attacker’s machine (192.168.153.165); the victim was the Windows 7 machine (192.168.139.173). After the payload was run, the attacker gained access to the victim’s file system and command line.

Botnet

We used the Ares remote access tool to perform this attack. The attacker was the Kali Linux machine (192.168.153.165) and the victim was the Windows 7 machine (192.168.139.173). First, the victim downloaded a malicious .exe file from the attacker’s server. After the file was run, the bot connected to its C&C server. At this point the attacker could run a keylogger or capture screenshots and send them to the server.

The following table contains the list of the attacks along with their duration, attackers and victims.

Attack          | Duration            | Attacker        | Victim
Nmap            | 13:49:02 – 13:49:16 | 192.168.153.165 | 192.168.139.173
Nmap            | 13:49:11 – 13:49:25 | 192.168.153.165 | 192.168.139.184
Nmap            | 13:49:25 – 13:49:39 | 192.168.153.165 | 192.168.139.185
Nmap            | 13:49:33 – 13:49:47 | 192.168.153.165 | 192.168.139.187
Nmap            | 13:51:20 – 13:51:39 | 192.168.153.165 | 192.168.139.184
Nmap            | 13:52:15 – 13:52:33 | 192.168.153.165 | 192.168.139.184
Nmap            | 13:55:05 – 13:55:27 | 192.168.153.165 | 192.168.139.185
Nmap            | 13:56:16 – 13:56:25 | 192.168.153.165 | 192.168.139.187
Brute-force SSH | 14:05:01 – 14:23:15 | 192.168.153.165 | 192.168.139.184
Brute-force FTP | 14:28:46 – 15:00:17 | 192.168.153.165 | 192.168.139.184
Brute-force SSH | 15:05:41 – 15:26:32 | 192.168.153.165 | 192.168.139.187
SQL Injection   | 16:13:10 – 16:14:40 | 192.168.153.143 | 192.168.139.184
XSS             | 16:25:02 – 16:31:10 | 192.168.153.143 | 192.168.139.184
DoS Hulk        | 16:35:31 – 16:50:54 | 192.168.153.165 | 192.168.139.184
DoS Slowhttp    | 16:55:40 – 16:59:55 | 192.168.153.165 | 192.168.139.184
DoS GoldenEye   | 17:20:17 – 17:26:51 | 192.168.153.165 | 192.168.139.184
DDoS LOIC       | 17:54:53 – 18:05:55 | 192.168.153.143 | 192.168.139.184
DDoS LOIC       | 17:54:53 – 18:05:55 | 192.168.153.176 | 192.168.139.184
DoS Xerxes      | 18:17:20 – 18:25:16 | 192.168.153.165 | 192.168.139.184
Botnet          | 18:49:23 – 18:51:52 | 192.168.153.165 | 192.168.139.173
Infiltration    | 18:52:49 – 18:55:37 | 192.168.153.165 | 192.168.139.173
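This table is the ground truth for the labels in the PCAP, and the usual first step when working with the dataset is to apply it to your own packet or flow export. The following is an added example (ours, not the dataset’s tooling): it encodes the table as published, labels each (timestamp, source, destination) record with the attack whose window and attacker/victim pair it falls into, counting the victim’s replies as attack traffic too, and labels everything else Benign. tshark exports epoch seconds while the table is wall-clock time; the conversion assumes the times were recorded in CEST (UTC+2), which is our assumption, and the tshark lines are constructed.

```python
"""Label captured packets with the KIS 2019 ground-truth attack table.

Added example, not the dataset's own tooling. ATTACK_TABLE is the published
table (capture day 23 April 2019). A packet is labelled with an attack when its
timestamp lies in the attack's window and its two endpoints are that attack's
attacker and victim, in either direction; otherwise it is "Benign".
The CEST (UTC+2) offset used for epoch conversion is an assumption, and the
tshark lines below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

CAPTURE_DAY = "2019-04-23"
LOCAL_TZ = timezone(timedelta(hours=2))   # CEST; assumption about how the times were recorded

# (attack, start, end, attacker, victim) copied from the table above.
ATTACK_TABLE = [
    ("Nmap", "13:49:02", "13:49:16", "192.168.153.165", "192.168.139.173"),
    ("Nmap", "13:49:11", "13:49:25", "192.168.153.165", "192.168.139.184"),
    ("Nmap", "13:49:25", "13:49:39", "192.168.153.165", "192.168.139.185"),
    ("Nmap", "13:49:33", "13:49:47", "192.168.153.165", "192.168.139.187"),
    ("Nmap", "13:51:20", "13:51:39", "192.168.153.165", "192.168.139.184"),
    ("Nmap", "13:52:15", "13:52:33", "192.168.153.165", "192.168.139.184"),
    ("Nmap", "13:55:05", "13:55:27", "192.168.153.165", "192.168.139.185"),
    ("Nmap", "13:56:16", "13:56:25", "192.168.153.165", "192.168.139.187"),
    ("Brute-force SSH", "14:05:01", "14:23:15", "192.168.153.165", "192.168.139.184"),
    ("Brute-force FTP", "14:28:46", "15:00:17", "192.168.153.165", "192.168.139.184"),
    ("Brute-force SSH", "15:05:41", "15:26:32", "192.168.153.165", "192.168.139.187"),
    ("SQL Injection", "16:13:10", "16:14:40", "192.168.153.143", "192.168.139.184"),
    ("XSS", "16:25:02", "16:31:10", "192.168.153.143", "192.168.139.184"),
    ("DoS Hulk", "16:35:31", "16:50:54", "192.168.153.165", "192.168.139.184"),
    ("DoS Slowhttp", "16:55:40", "16:59:55", "192.168.153.165", "192.168.139.184"),
    ("DoS GoldenEye", "17:20:17", "17:26:51", "192.168.153.165", "192.168.139.184"),
    ("DDoS LOIC", "17:54:53", "18:05:55", "192.168.153.143", "192.168.139.184"),
    ("DDoS LOIC", "17:54:53", "18:05:55", "192.168.153.176", "192.168.139.184"),
    ("DoS Xerxes", "18:17:20", "18:25:16", "192.168.153.165", "192.168.139.184"),
    ("Botnet", "18:49:23", "18:51:52", "192.168.153.165", "192.168.139.173"),
    ("Infiltration", "18:52:49", "18:55:37", "192.168.153.165", "192.168.139.173"),
]


def local_time(hms):
    """Wall-clock time on the capture day as a naive datetime."""
    return datetime.fromisoformat(f"{CAPTURE_DAY} {hms}")


WINDOWS = [(label, local_time(s), local_time(e), frozenset((a, v)))
           for label, s, e, a, v in ATTACK_TABLE]


def label_packet(ts, src, dst, slack_seconds=0):
    """Label one packet. `slack_seconds` widens every window, e.g. to catch the
    late FIN/RST packets of a DoS run; the table is treated as exact by default."""
    slack = timedelta(seconds=slack_seconds)
    endpoints = frozenset((src, dst))        # the victim's replies count as attack traffic
    for label, start, end, pair in WINDOWS:
        if pair == endpoints and start - slack <= ts <= end + slack:
            return label
    return "Benign"


def parse_tshark_line(line):
    """Parse one line of
    `tshark -r kis2019.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst`
    into (naive local datetime, src, dst)."""
    epoch, src, dst = line.rstrip("\n").split("\t")
    ts = datetime.fromtimestamp(float(epoch), LOCAL_TZ).replace(tzinfo=None)
    return ts, src, dst


def label_counts(lines):
    """Count labels over an iterable of tshark field lines."""
    return Counter(label_packet(*parse_tshark_line(line)) for line in lines)


# Constructed tshark output: 1556021400 is 14:10:00 CEST on the capture day.
SAMPLE_TSHARK = [
    "1556021400.101\t192.168.153.165\t192.168.139.184",   # inside Brute-force SSH
    "1556021400.102\t192.168.139.184\t192.168.153.165",   # the server's reply
    "1556021400.103\t192.168.153.165\t192.168.139.187",   # .187 is attacked later, so benign now
    "1556034900.000\t192.168.153.176\t192.168.139.184",   # 17:55:00, the second LOIC source
]

if __name__ == "__main__":
    print(label_counts(SAMPLE_TSHARK))
```

Two points from the table shape the matching: the Nmap windows overlap in time but differ by victim, so the endpoint pair has to be part of the key, and the DDoS has two rows with different attackers, so a lookup by time alone would mislabel one of them. Traffic from the Kali machine to a host outside its current window stays Benign, which is what you want for scan-then-wait behaviour.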

Sources:

J. Uramova, P. Segec, M. Moravcik, J. Papan, M. Kontsek, and J. Hrabovsky, “Infrastructure for Generating New IDS Dataset,” in 2018 16th International Conference on Emerging eLearning Technologies and Applications (ICETA), 2018, pp. 603–610.
