The CTU-AIP-Attacks-2022 dataset aggregates network attacks of 27 bare-metal Internet of Things (IoT) honeypots. The IoT devices were located in the same physical location. The data were captured from January 1st, 2022, to December 31st, 2023.
The raw network attacks were captured using Zeek [1], an open-source software network analysis framework. The raw network data was processed to aggregate network attacks. The network data was aggregated by the source IP address of the attacker per day. For each attacker, the following data were aggregated:
Every connection initiated by any IP to the honeypots is, by definition, an attack. However, we use an active probe service to alert when a honeypot is down. We removed those IPs corresponding to the probes. The list of IPs removed can be found listed below.
The resulting dataset is composed of one CSV file per day. The excerpt below shows a sample of one of the dataset files:
~ $ zcat attacks.2022-04-04.csv.gz | head -n20
# This file is part of the CTU-AIP-Attacks-2022 dataset
# Version: 1.0
# Publication Date: 2023-03
# Authors: Joaquin Bogado, Veronica Valeros, Sebastian Garcia
# Institution: Stratosphere Laboratory, AIC, FEL, Czech Technical University in Prague
# DOI: 10.5281/zenodo.7684550
# Zenodo: https://zenodo.org/record/7684550#.ZBLGCuzML0o
# Source: https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIP-Attacks-2022/
date,orig,flows,duration,packets,bytes
2022-04-04,1.0.234.65,1,5e-06,2,104
2022-04-04,1.10.172.211,1,0.0,1,52
2022-04-04,1.116.138.182,1,4.7e-05,2,80
2022-04-04,1.116.243.210,1,3e-06,2,80
2022-04-04,1.116.37.121,1,2e-06,2,80
2022-04-04,1.116.67.192,24,0.000173,48,1920
2022-04-04,1.116.73.236,22,0.000173,43,1720
2022-04-04,1.116.97.146,1,1e-06,2,120
2022-04-04,1.117.107.145,1,3e-06,2,126
2022-04-04,1.117.199.237,1,5e-06,2,80
2022-04-04,1.12.255.18,2,2e-05,4,160
Zeek connection logs were processed using the AIP tool to generate the aggregated data for this dataset. Zeek version 2.6-264 and AIP version 2.0 were used.
The IPs removed from the dataset corresponding to the active probe service were:
104.131.107.63
122.248.234.23
128.199.195.156
138.197.150.151
139.59.173.249
146.185.143.14
159.203.30.41
159.89.8.111
165.227.83.148
167.99.209.234
178.62.52.237
18.221.56.27
216.245.221.83
216.245.221.91
34.233.66.117
46.101.250.135
46.137.190.132
52.60.129.180
54.64.67.106
54.67.10.127
54.79.28.129
54.94.142.218
63.143.42.242
63.143.42.251
69.162.124.237
This dataset was created by the Stratosphere Laboratory, AIC, FEL, Czech Technical University in Prague. To cite this dataset, please use the following citation:
Joaquin Bogado, Veronica Valeros, & Sebastian Garcia. (2023). CTU-AIP-Attacks-2022 (1.0) [Data set]. Zenodo. https://doi.org/10.5281/zenodo.7684550
For information or questions about this dataset, contact us at stratosphere@aic.fel.cvut.cz with the subject: CTU-AIP-Attacks-2022.
[1] The Zeek Network Security Monitor, https://zeek.org/. Accessed on 03/03/2023.
[2] base/protocols/conn/main.zeek – Book of Zeek (git/master), https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html. Accessed on 03/03/2023.