{"id":5006,"date":"2019-11-06T18:17:40","date_gmt":"2019-11-06T17:17:40","guid":{"rendered":"https:\/\/nil.uniza.sk\/?p=5006"},"modified":"2021-10-16T23:09:36","modified_gmt":"2021-10-16T21:09:36","slug":"dataset-kis-2019_en","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/dataset-kis-2019_en\/","title":{"rendered":"KIS 2019 network traffic dataset"},"content":{"rendered":"<h1 class=\"wp-block-heading\">KIS 2019 network traffic dataset<\/h1>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Authors:<\/strong> Jana Uramov\u00e1, Tom\u00e1\u0161 Moko\u0161, Patrik Rodina, Peter Seemann, Miroslav Koh\u00fatik<\/li><\/ul>\n\n\n\n<p><strong>This article describes the KIS 2019 network traffic dataset. If you wish to access this dataset, contact us by e-mail at dataset[AT]kis.fri.uniza.sk.<\/strong><\/p>\n\n\n\n<p><strong>The KIS 2019<\/strong> dataset was created by Tom\u00e1\u0161 Moko\u0161 as part of his diploma thesis at the Department of Information Networks of the University of \u017dilina&#8217;s Faculty of Management Science and Informatics.<\/p>\n\n\n\n<p>The KIS 2019 dataset consists of one <strong>12 GB PCAP file<\/strong> and a set of associated files describing the traffic contained in it. The captured traffic consists of attack and benign traffic, and both kinds are labelled as such in the PCAP file.<\/p>\n\n\n\n<p>Data capture took place on <strong>23.4.2019<\/strong> during a <strong>6-hour window<\/strong> between <strong>13:00<\/strong> and <strong>19:00<\/strong>. Five different operating systems were used in the dataset and the attack scenarios cover several types of attacks. The dataset also includes the complete network traffic of both the attackers and the victims, captured with Wireshark and tcpdump. 
In addition to the network traffic itself, the dataset also contains the victims\u2019 log files, which should help with analysing their behaviour during the attacks.<\/p>\n\n\n\n<p>When creating the KIS 2019 dataset we drew on our analysis of the datasets created by the <strong>Canadian Institute for Cybersecurity<\/strong> (CIC). CIC has been involved in the creation of publicly available network traffic datasets since 1998, and in 2016 it identified eleven criteria that a reliable benchmark dataset has to meet. KIS 2019 meets all of these criteria, which are expanded upon below.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Complete Network configuration:<\/strong> <\/h3>\n\n\n\n<p>Several types of network devices are used in the dataset, including routers, switches, a firewall, a web server and client PCs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Complete Traffic:<\/strong> <\/h3>\n\n\n\n<p>The benign traffic generated on the cloud machines was supplemented with additional network traffic captured by a Flowmon probe.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Labeled dataset:<\/strong> <\/h3>\n\n\n\n<p>Both the attack and the benign traffic in the dataset are distinctly labelled. 
Attack traffic carries additional tags identifying the individual attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Complete Interaction:<\/strong> <\/h3>\n\n\n\n<p>To capture the communication within each network, every device ran Wireshark or tcpdump, depending on its operating system.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Complete Capture:<\/strong> <\/h3>\n\n\n\n<p>Complete capture was ensured with the Moloch packet capture system; Wireshark and tcpdump were used as well.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Available Protocols:<\/strong> <\/h3>\n\n\n\n<p>Several protocols are present in the dataset, including HTTP, HTTPS, FTP, SSH and others.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Attack Diversity:<\/strong> <\/h3>\n\n\n\n<p>The dataset contains some of the most common attacks according to the 2016 McAfee report: web-based attacks, brute-force, DoS, DDoS, backdoor infiltration, botnet and network scan attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Anonymity:<\/strong> <\/h3>\n\n\n\n<p>Public IP addresses were replaced by addresses from a private IP range.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Heterogeneity:<\/strong> <\/h3>\n\n\n\n<p>Besides the network traffic itself, the dataset also contains log files from the individual user devices.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Feature set:<\/strong> <\/h3>\n\n\n\n<p>CICFlowMeter was used to extract the important network flow features; its output is part of the dataset.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Metadata:<\/strong> <\/h3>\n\n\n\n<p>The documentation describes the network infrastructure, the devices used, the generation of network traffic and the attack scenarios.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Network infrastructure<\/h2>\n\n\n\n<p>The network infrastructure of the KIS 2019 dataset consists of two networks. 
The victims are located in a network in the school lab, while the attackers are located in the faculty department\u2019s cloud.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/aXbG574.png\" alt=\"Network topology of the dataset\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Attackers\u2019 network<\/h2>\n\n\n\n<p>The attackers\u2019 network consists of three machines. The vast majority of the attacks were performed from the Kali Linux machine; the remaining two machines were used for the web attacks and the DDoS attack.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>IP address<\/th><th>Operating system<\/th><th>Processor<\/th><th>RAM<\/th><\/tr><\/thead><tbody><tr><td>192.168.153.165<\/td><td>Kali Linux<\/td><td>2x Intel Core Processor (Skylake), 2.10 GHz<\/td><td>4 GB<\/td><\/tr><tr><td>192.168.153.143<\/td><td>Windows 10 Pro 64-bit<\/td><td>2x Intel Core Processor (Skylake), 2.10 GHz<\/td><td>8 GB<\/td><\/tr><tr><td>192.168.153.176<\/td><td>Windows 10 Pro 64-bit<\/td><td>2x Intel Core Processor (Skylake), 2.10 GHz<\/td><td>8 GB<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Victims\u2019 network<\/h2>\n\n\n\n<p>The victims\u2019 network consists of one server running Ubuntu Server 16.04 and three clients, two running Ubuntu 18.04 and the third running Windows 7.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>IP address<\/th><th>Operating system<\/th><th>Processor<\/th><th>RAM<\/th><\/tr><\/thead><tbody><tr><td>192.168.139.184<\/td><td>Ubuntu Server 16.04<\/td><td>i5-4460, 3.20 GHz, 1 core<\/td><td>4 GB<\/td><\/tr><tr><td>192.168.139.185<\/td><td>Ubuntu 18.04 LTS<\/td><td>i5-4460, 3.20 GHz, 1 core<\/td><td>2 GB<\/td><\/tr><tr><td>192.168.139.187<\/td><td>Ubuntu 18.04 LTS<\/td><td>i5-4460, 3.20 GHz, 1 core<\/td><td>2 GB<\/td><\/tr><tr><td>192.168.139.173<\/td><td>Windows 7 32-bit<\/td><td>i5-4460, 3.20 GHz, 1 core<\/td><td>2 GB<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Attack scenarios<\/h2>\n\n\n\n<p>The following types of attacks and tools were used:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>DoS \u2013 Hulk, Slowhttptest, Xerxes, GoldenEye<\/li><li>DDoS \u2013 LOIC<\/li><li>Network scanning \u2013 Nmap<\/li><li>Brute-force attack \u2013 Patator<\/li><li>Web attacks \u2013 SQL injection, XSS<\/li><li>Botnet \u2013 Ares<\/li><li>Infiltration \u2013 Metasploit<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network scanning<\/h3>\n\n\n\n<p>This attack was performed with Nmap from the Kali Linux machine (192.168.153.165) against the devices in the victims\u2019 network. First we discovered which hosts were up, then we enumerated their open ports, and finally we identified the running services and operating systems. The scan showed that the network contained four live hosts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Brute-force SSH and FTP attack<\/h3>\n\n\n\n<p>We used Patator to perform the brute-force attacks. Patator can attack several services, e.g. SSH, FTP, SMB and Telnet. First we attacked the SSH and FTP services of the Ubuntu Server (192.168.139.184): the SSH credentials were broken at 14:22:15 and the FTP credentials at 14:59:38. We then attacked the SSH service of one of the Ubuntu 18.04 LTS clients (192.168.139.187), where the login succeeded at 15:25:17.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SQL Injection<\/h3>\n\n\n\n<p>SQL injection is an attack that exploits flaws in applications that build SQL queries from untrusted input. We installed DVWA (Damn Vulnerable Web Application) on the Ubuntu Server (192.168.139.184). DVWA is a PHP\/MySQL web application with deliberately built-in flaws, used by security professionals to test their skills and tools in a legal environment. 
The attack originated from one of the Windows 10 machines (192.168.153.143). The attacker submitted several injected inputs, e.g. \u201e%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #\u201c, which closes the application\u2019s string literal, makes the original WHERE condition false, appends a UNION that returns the contents of the users table and comments out the rest of the query. Using these queries, the attacker retrieved user names, passwords and other data from the database.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cross-site scripting<\/h3>\n\n\n\n<p>Cross-site scripting (XSS) is an attack in which script code is injected into a web page so that it runs in the browsers of the page\u2019s other visitors. In our case the attacker was one of the Windows 10 machines (192.168.153.143) and the victim was the Ubuntu Server (192.168.139.184). The attacker injected scripts such as \u201e\u201c into the page.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">DoS<\/h3>\n\n\n\n<p>Hulk, Slowhttptest, Xerxes and GoldenEye were used for this attack. The attacker was the Kali Linux machine (192.168.153.165) and the victim was the Ubuntu Server (192.168.139.184) running Apache httpd 2.4.18. The server became unavailable within seconds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">DDoS<\/h3>\n\n\n\n<p>We used LOIC for this scenario. The attack was launched from both Windows 10 machines (192.168.153.143 and 192.168.153.176) against the Ubuntu Server (192.168.139.184) running Apache httpd 2.4.18. As with the DoS attacks, the server became unavailable within seconds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Infiltration<\/h3>\n\n\n\n<p>Infiltration involves the victim running malicious software that grants the attacker access to the victim\u2019s command line. In this scenario we used the Metasploit framework to generate a malicious executable that connects back to the attacker\u2019s machine (192.168.153.165); the victim was the Windows 7 machine (192.168.139.173). Once the victim ran it, the attacker gained access to the victim\u2019s file system and command line.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Botnet<\/h3>\n\n\n\n<p>We used the Ares remote access tool for this attack. 
The attacker was the Kali Linux machine (192.168.153.165) and the victim was the Windows 7 machine (192.168.139.173). First, the victim downloaded a malicious .exe file from the server. After the file was run, the bot connected to its C&amp;C server. From that point the attacker could run a keylogger or capture screenshots and send them to the server.<\/p>\n\n\n\n<p>The following table lists the attacks along with their time windows, attackers and victims.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Attack<\/th><th>Time window<\/th><th>Attacker<\/th><th>Victim<\/th><\/tr><\/thead><tbody><tr><td>Nmap<\/td><td>13:49:02 \u2013 13:49:16<\/td><td>192.168.153.165<\/td><td>192.168.139.173<\/td><\/tr><tr><td><\/td><td>13:49:11 \u2013 13:49:25<\/td><td>192.168.153.165<\/td><td>192.168.139.184<\/td><\/tr><tr><td><\/td><td>13:49:25 \u2013 13:49:39<\/td><td>192.168.153.165<\/td><td>192.168.139.185<\/td><\/tr><tr><td><\/td><td>13:49:33 \u2013 13:49:47<\/td><td>192.168.153.165<\/td><td>192.168.139.187<\/td><\/tr><tr><td><\/td><td>13:51:20 \u2013 13:51:39<\/td><td>192.168.153.165<\/td><td>192.168.139.184<\/td><\/tr><tr><td><\/td><td>13:52:15 \u2013 13:52:33<\/td><td>192.168.153.165<\/td><td>192.168.139.184<\/td><\/tr><tr><td><\/td><td>13:55:05 \u2013 13:55:27<\/td><td>192.168.153.165<\/td><td>192.168.139.185<\/td><\/tr><tr><td><\/td><td>13:56:16 \u2013 13:56:25<\/td><td>192.168.153.165<\/td><td>192.168.139.187<\/td><\/tr><tr><td>Brute-force SSH<\/td><td>14:05:01 \u2013 14:23:15<\/td><td>192.168.153.165<\/td><td>192.168.139.184<\/td><\/tr><tr><td>Brute-force FTP<\/td><td>14:28:46 \u2013 15:00:17<\/td><td>192.168.153.165<\/td><td>192.168.139.184<\/td><\/tr><tr><td>Brute-force SSH<\/td><td>15:05:41 \u2013 15:26:32<\/td><td>192.168.153.165<\/td><td>192.168.139.187<\/td><\/tr><tr><td>SQL Injection<\/td><td>16:13:10 \u2013 16:14:40<\/td><td>192.168.153.143<\/td><td>192.168.139.184<\/td><\/tr><tr><td>XSS<\/td><td>16:25:02 \u2013 
16:31:10<\/td><td>192.168.153.143<\/td><td>192.168.139.184<\/td><\/tr><tr><td>DoS Hulk<\/td><td>16:35:31 \u2013 16:50:54<\/td><td>192.168.153.165<\/td><td>192.168.139.184<\/td><\/tr><tr><td>DoS Slowhttp<\/td><td>16:55:40 \u2013 16:59:55<\/td><td>192.168.153.165<\/td><td>192.168.139.184<\/td><\/tr><tr><td>DoS GoldenEye<\/td><td>17:20:17 \u2013 17:26:51<\/td><td>192.168.153.165<\/td><td>192.168.139.184<\/td><\/tr><tr><td>DDoS LOIC<\/td><td>17:54:53 \u2013 18:05:55<\/td><td>192.168.153.143<\/td><td>192.168.139.184<\/td><\/tr><tr><td><\/td><td>17:54:53 \u2013 18:05:55<\/td><td>192.168.153.176<\/td><td>192.168.139.184<\/td><\/tr><tr><td>DoS Xerxes<\/td><td>18:17:20 \u2013 18:25:16<\/td><td>192.168.153.165<\/td><td>192.168.139.184<\/td><\/tr><tr><td>Botnet<\/td><td>18:49:23 \u2013 18:51:52<\/td><td>192.168.153.165<\/td><td>192.168.139.173<\/td><\/tr><tr><td>Infiltration<\/td><td>18:52:49 \u2013 18:55:37<\/td><td>192.168.153.165<\/td><td>192.168.139.173<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Sources:<\/h3>\n\n\n\n<p><a href=\"https:\/\/ieeexplore.ieee.org\/document\/8572201\/\" target=\"_blank\" rel=\"noreferrer noopener\">J. Uramova, P. Segec, M. Moravcik, J. Papan, M. Kontsek, and J. Hrabovsky, \u201cInfrastructure for Generating New IDS Dataset,\u201d in 2018 16th International Conference on Emerging eLearning Technologies and Applications (ICETA), 2018, pp. 603\u2013610.<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>KIS 2019 network traffic dataset Authors : Jana Uramov\u00e1, Tom\u00e1\u0161 Moko\u0161, Patrik Rodina, Peter Seemann, Miroslav Koh\u00fatik This article describes the KIS 2019 network traffic dataset. If you wish to access this dataset, contact us by e-mail at dataset[AT]kis.fri.uniza.sk. 
The KIS 2019 dataset was created by Tom\u00e1\u0161 Moko\u0161 as a part of his Diploma thesis&#8230;<\/p>","protected":false},"author":23,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[711,707],"tags":[],"class_list":["post-5006","post","type-post","status-publish","format-standard","hentry","category-network-security-attacks","category-network-security-en"],"taxonomy_info":{"category":[{"value":711,"label":"Attacks"},{"value":707,"label":"Network security"}]},"featured_image_src_large":false,"author_info":{"display_name":"dataset-kis","author_link":"https:\/\/nil.uniza.sk\/en\/author\/dataset-kis\/"},"comment_info":0,"category_info":[{"term_id":711,"name":"Attacks","slug":"network-security-attacks","term_group":0,"term_taxonomy_id":709,"taxonomy":"category","description":"","parent":707,"count":2,"filter":"raw","cat_ID":711,"category_count":2,"category_description":"","cat_name":"Attacks","category_nicename":"network-security-attacks","category_parent":707},{"term_id":707,"name":"Network security","slug":"network-security-en","term_group":0,"term_taxonomy_id":705,"taxonomy":"category","description":"","parent":0,"count":4,"filter":"raw","cat_ID":707,"category_count":4,"category_description":"","cat_name":"Network 
security","category_nicename":"network-security-en","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/5006","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=5006"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/5006\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=5006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=5006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=5006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
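The article above notes that the victims' log files are part of the dataset and that the Patator brute-force against the SSH service of 192.168.139.184 succeeded at 14:22:15. The Python below is an added example, not tooling from the KIS 2019 authors, showing the detection logic one would run over such a log: it parses the standard lines that OpenSSH's sshd writes to a syslog-format auth.log for password authentication, raises a "bruteforce" alert once one source accumulates a burst of failures, and a "compromise" alert when a successful login from that source follows. The sample log lines are constructed for the example (host name, PIDs, user names and ports are invented) and are not taken from the dataset; the year has to be supplied because syslog timestamps carry none.

```python
"""SSH brute-force and credential-compromise detection over an OpenSSH auth.log.

Added example, not tooling from the KIS 2019 authors. Assumes the standard
syslog-format lines that OpenSSH's sshd writes for password authentication;
the sample lines below are constructed (host name, PIDs, users and ports are
invented) and are not taken from the dataset's log files.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Outcome lines for password authentication as written by sshd via syslog.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(lines, year):
    """Yield (timestamp, result, user, ip) for every matching sshd line.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    for line in lines:
        m = SSHD_RE.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def detect_ssh_bruteforce(lines, year=2019, threshold=5, window_s=600):
    """Return alerts as (kind, source_ip, timestamp, user) tuples.

    'bruteforce' fires once per source when `threshold` failed logins fall
    within `window_s` seconds of each other; 'compromise' fires when an
    Accepted login from an already flagged source follows, which is the
    event marking the moment the credentials were broken.
    """
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, result, user, ip in parse_auth_log(lines, year):
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # expire old failures
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, ts, None))
        elif ip in flagged:  # Accepted login after a flagged burst
            alerts.append(("compromise", ip, ts, user))
    return alerts


# Constructed sample log (not from the dataset).
SAMPLE_AUTH_LOG = """\
Apr 23 14:05:01 srv sshd[2201]: Failed password for root from 192.168.153.165 port 40122 ssh2
Apr 23 14:05:03 srv sshd[2203]: Failed password for invalid user oracle from 192.168.153.165 port 40124 ssh2
Apr 23 14:05:05 srv sshd[2205]: Failed password for root from 192.168.153.165 port 40126 ssh2
Apr 23 14:05:07 srv sshd[2207]: Failed password for admin from 192.168.153.165 port 40128 ssh2
Apr 23 14:05:09 srv sshd[2209]: Failed password for admin from 192.168.153.165 port 40130 ssh2
Apr 23 14:09:30 srv sshd[2250]: Failed password for alice from 192.168.139.185 port 51000 ssh2
Apr 23 14:22:15 srv sshd[2801]: Accepted password for admin from 192.168.153.165 port 40990 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The single failure from 192.168.139.185 never reaches the threshold and produces nothing, while the successful login from the flagged attacker is what pins down the time the credentials fell; with the page's capture that is the event to look for around 14:22:15 in the server's log.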
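The injected input quoted in the SQL Injection section above works because DVWA's low-security page pastes the request parameter straight into a query of the form `SELECT first_name, last_name FROM users WHERE user_id = '…'`. The Python below is an added example, not DVWA's code (which is PHP/MySQL): it reproduces the mechanism against an in-memory SQLite table with constructed rows, with the vulnerable lookup formatting the input into the query text and the fixed lookup binding it as a parameter. SQLite has no `concat()` and no `#` comment, so the payload is rewritten in SQLite dialect (`||`, `char(10)` and `--`); its structure, closing the string literal, falsifying the WHERE clause and appending a UNION over `users`, is the same as on the page.

```python
"""SQL injection mechanism behind the DVWA payload quoted in the article.

Added example, not DVWA's own code (which is PHP/MySQL). Reproduces the
query shape of DVWA's low-security page against an in-memory SQLite table
with constructed rows; the payload is rewritten in SQLite dialect because
SQLite has no concat() and no '#' comment.
"""
import sqlite3

# Query shape of the vulnerable page: the request parameter is pasted in.
QUERY_TEMPLATE = "SELECT first_name, last_name FROM users WHERE user_id = '{}'"

# SQLite-dialect form of the article's payload: closes the literal, falsifies
# the WHERE clause, UNIONs the users table in, comments out the trailing quote.
PAYLOAD = "%' and 1=0 union select null, user || char(10) || password from users -- "


def open_db():
    """Create an in-memory users table with constructed rows (hash values chosen for the example)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (
            user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT,
            user TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin', 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'gordonb', 'e99a18c428cb38d5f260853678922e03');
        """
    )
    return con


def lookup_vulnerable(con, user_id):
    """String formatting: the attacker's text becomes part of the SQL grammar."""
    return con.execute(QUERY_TEMPLATE.format(user_id)).fetchall()


def lookup_fixed(con, user_id):
    """Bound parameter: the same text is compared as a value and cannot alter the query."""
    return con.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def leaked_credentials(rows):
    """Turn UNION rows of the form (None, 'user\\npassword') into {user: password}."""
    return dict(row[1].split("\n", 1) for row in rows if row[0] is None)


if __name__ == "__main__":
    db = open_db()
    print("legitimate:", lookup_vulnerable(db, "1"))
    print("injected  :", leaked_credentials(lookup_vulnerable(db, PAYLOAD)))
    print("fixed     :", lookup_fixed(db, PAYLOAD))
```

With the payload, the vulnerable lookup returns one row per account carrying the user name and password column, which is exactly the data the article says the attacker pulled from DVWA; the parameterised lookup compares the whole payload as a user_id value and returns nothing.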
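The attack table in the article above gives each attack a wall-clock window on 23.4.2019 together with its attacker and victim addresses, which is what one needs to label individual flow records, for instance the CICFlowMeter output that the Feature set section says ships with the dataset. The Python below is an added example and not tooling from the KIS 2019 authors: it transcribes the table into a schedule and labels a handful of constructed CICFlowMeter-style rows. The `Timestamp`, `Src IP` and `Dst IP` column names, the `dd/mm/yyyy HH:MM:SS` timestamp format and the assumption that the table's times are in the capture's local timezone (PCAP timestamps themselves are UTC) are assumptions not verified against the dataset files.

```python
"""Label flow records of the KIS 2019 capture from the article's attack table.

Added example; not part of the dataset or the original article. Column names
and timestamp format are assumed to follow CICFlowMeter CSV output, and the
table's times are assumed to be in the capture's local timezone.
"""
import csv
import io
from datetime import datetime

CAPTURE_DAY = "23/04/2019"

# (label, start, end, attacker, victim) transcribed from the article's table.
SCHEDULE = [
    ("Nmap", "13:49:02", "13:49:16", "192.168.153.165", "192.168.139.173"),
    ("Nmap", "13:49:11", "13:49:25", "192.168.153.165", "192.168.139.184"),
    ("Nmap", "13:49:25", "13:49:39", "192.168.153.165", "192.168.139.185"),
    ("Nmap", "13:49:33", "13:49:47", "192.168.153.165", "192.168.139.187"),
    ("Nmap", "13:51:20", "13:51:39", "192.168.153.165", "192.168.139.184"),
    ("Nmap", "13:52:15", "13:52:33", "192.168.153.165", "192.168.139.184"),
    ("Nmap", "13:55:05", "13:55:27", "192.168.153.165", "192.168.139.185"),
    ("Nmap", "13:56:16", "13:56:25", "192.168.153.165", "192.168.139.187"),
    ("Brute-force SSH", "14:05:01", "14:23:15", "192.168.153.165", "192.168.139.184"),
    ("Brute-force FTP", "14:28:46", "15:00:17", "192.168.153.165", "192.168.139.184"),
    ("Brute-force SSH", "15:05:41", "15:26:32", "192.168.153.165", "192.168.139.187"),
    ("SQL Injection", "16:13:10", "16:14:40", "192.168.153.143", "192.168.139.184"),
    ("XSS", "16:25:02", "16:31:10", "192.168.153.143", "192.168.139.184"),
    ("DoS Hulk", "16:35:31", "16:50:54", "192.168.153.165", "192.168.139.184"),
    ("DoS Slowhttp", "16:55:40", "16:59:55", "192.168.153.165", "192.168.139.184"),
    ("DoS GoldenEye", "17:20:17", "17:26:51", "192.168.153.165", "192.168.139.184"),
    ("DDoS LOIC", "17:54:53", "18:05:55", "192.168.153.143", "192.168.139.184"),
    ("DDoS LOIC", "17:54:53", "18:05:55", "192.168.153.176", "192.168.139.184"),
    ("DoS Xerxes", "18:17:20", "18:25:16", "192.168.153.165", "192.168.139.184"),
    ("Botnet", "18:49:23", "18:51:52", "192.168.153.165", "192.168.139.173"),
    ("Infiltration", "18:52:49", "18:55:37", "192.168.153.165", "192.168.139.173"),
]


def parse_ts(text, fmt="%d/%m/%Y %H:%M:%S"):
    """Parse a 'dd/mm/yyyy HH:MM:SS' timestamp (assumed CICFlowMeter format)."""
    return datetime.strptime(text, fmt)


# Pre-parsed windows: (label, start, end, {attacker, victim}).
WINDOWS = [
    (label, parse_ts(f"{CAPTURE_DAY} {start}"), parse_ts(f"{CAPTURE_DAY} {end}"), {attacker, victim})
    for label, start, end, attacker, victim in SCHEDULE
]


def label_flow(start, src, dst):
    """Return the attack label for a flow starting at `start` between src and dst, or 'BENIGN'.

    The endpoint pair is compared unordered, so connections that the victim
    opens towards the attacker (the Infiltration and Botnet call-backs) are
    labelled too. Time alone is not enough: the early Nmap windows overlap
    and differ only in the victim address.
    """
    pair = {src, dst}
    for label, win_start, win_end, endpoints in WINDOWS:
        if win_start <= start <= win_end and pair == endpoints:
            return label
    return "BENIGN"


def label_csv(text):
    """Read CICFlowMeter-style CSV text and add a Label column to every row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Label"] = label_flow(parse_ts(row["Timestamp"]), row["Src IP"], row["Dst IP"])
        rows.append(row)
    return rows


# Constructed sample rows (not from the dataset); only the columns used here.
SAMPLE_CSV = """Src IP,Dst IP,Timestamp
192.168.153.165,192.168.139.173,23/04/2019 13:49:10
192.168.153.165,192.168.139.184,23/04/2019 14:10:00
192.168.153.165,192.168.139.185,23/04/2019 14:10:00
192.168.153.176,192.168.139.184,23/04/2019 17:55:00
192.168.139.173,192.168.153.165,23/04/2019 18:53:00
192.168.139.185,192.168.139.184,23/04/2019 16:40:00
"""

if __name__ == "__main__":
    for row in label_csv(SAMPLE_CSV):
        print(row["Timestamp"], row["Src IP"], "->", row["Dst IP"], row["Label"])
```

Flows are labelled by their start time, so a session that is established inside a window and outlives it (an SSH login at 14:22:15, say) keeps the attack label, while traffic between two victims during an attack window stays benign because the endpoint pair does not match.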