Abstract
Flow-based intrusion detection has recently become a promising security mechanism in high-speed networks (1-10 Gbps). Despite the many contributions in this field, benchmarking of flow-based IDSs is still an open issue. In this paper, we propose the first publicly available, labeled data set for flow-based intrusion detection. The data set aims to be realistic, i.e., representative of real traffic, and complete from a labeling perspective. Our goal is to provide such an enriched data set for tuning, training and evaluating ID systems. Our setup is based on a honeypot running widely deployed services and directly connected to the Internet, ensuring exposure to attacks. The final data set consists of 14.2M flows, of which more than 98% have been labeled.
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Sperotto, A., Sadre, R., van Vliet, F., Pras, A. (2009). A Labeled Data Set for Flow-Based Intrusion Detection. In: Nunzi, G., Scoglio, C., Li, X. (eds) IP Operations and Management. IPOM 2009. Lecture Notes in Computer Science, vol 5843. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04968-2_4
DOI: https://doi.org/10.1007/978-3-642-04968-2_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04967-5
Online ISBN: 978-3-642-04968-2