2009 CDX Data Sets Posted

Earlier this year I posted Thoughts on 2009 CDX. Greg Conti just sent me a notice that the West Point Information Technology and Operations Center just published, for free, their Intrusion Detection Labeled Data Sets. They include packet captures generated by NSA Red Team activity, packet captures from West Point defenders, and Snort, DNS, Web server, and host logs. This is great data. Stop using the 1999 DARPA data sets. Please.

Comments

Dan Weber said…
As someone who worked on creating those DARPA data sets, I must say: yes, please, stop using them!

You wouldn't try to use Windows 95A today. Don't use ancient datasets, especially when there were lots of lessons learned after we made them. (TTLs, sigh.)
2:53 PM
Erik H said…
Thanks for this info Richard! The data in the capture files look really useful (I haven't looked through them all yet though)!

I’ve added the link to the list of "Publicly available PCAP files" on the NetworkMiner wiki.
3:45 PM
James said…
I took a brief look as well, can’t wait to dig a little deeper. Do you know if there are explanations of the "attacks" and the corresponding captures?
7:40 PM
Richard Bejtlich said…
James, not sure. Maybe Greg will comment?
8:17 PM
Greg Conti said…
James, we have some more details in the paper (linked from the dataset page), but probably not to the level you'd like to see :) We requested detailed attack information from the red team (they have been very supportive), but their (hand generated) logs were a bit too informal to share. (they were in the heat of battle at their end too :) I view this data capture as an annual event. So, we are interested in ideas regarding what to type of data to capture in order to provide the most value. Next year, we plan on working with the red team to try and generate a solid attack log from the attacker's perspective, which would be very valuable.
9:15 PM
Greg Conti said…
After thinking about the idea of using competitions to generate valuable/labeled datasets for the past year or so, we believe it is possible, but not trivial to do it right. The first trick is instrumenting the competition correctly. It is reasonable to place sensors at strategic locations on the network, but a better solution would include instrumented workstations (think keystroke logging), hard drive image snapshots, firewall configuration file/log snapshots, etc, which would require more research to do correctly. The second trick is to incentivize participants so that they will participate and generate the type of data you hope to collect. We believe both challenges can largely be overcome, but success will require iterative attempts, and perhaps a set of canonical game design patterns will emerge.
9:31 PM
Alex Raitz said…
Great to see Splunk in use at these exercises! Let us know what we can do to improve the product in regard to this use case.
5:05 PM
Anonymous said…
This comment has been removed by a blog administrator.
7:22 AM
Toomas said…
Is there anywhere some paper, which explains, how exactly thoses data sets were created?
It would be good to test created neural networks with real network traffic but I did not yet find a way to convert raw network data to "DARPA dataset format".

Sorry for my bad english :)
6:21 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more