CTU-AIP-Attacks-2022 Dataset

About

Dataset description

The CTU-AIP-Attacks-2022 dataset aggregates network attacks against 27 bare-metal Internet of Things (IoT) honeypots. The IoT devices were located in the same physical location. The data were captured from January 1st, 2022, to December 31st, 2023.

The raw network attacks were captured using Zeek [1], an open-source network analysis framework. The raw network data was then processed to aggregate the attacks by the source IP address of the attacker per day. For each attacker, the following data were aggregated:

Every connection initiated by any IP to the honeypots is, by definition, an attack. However, we use an active probe service to alert us when a honeypot is down, so we removed the IPs corresponding to those probes. The removed IPs are listed under Data cleaning.

The resulting dataset is composed of one CSV file per day. The excerpt below shows a sample of one of the dataset files:

~ $ zcat attacks.2022-04-04.csv.gz | head -n20
# This file is part of the CTU-AIP-Attacks-2022 dataset
# Version: 1.0
# Publication Date: 2023-03
# Authors: Joaquin Bogado, Veronica Valeros, Sebastian Garcia
# Institution: Stratosphere Laboratory, AIC, FEL, Czech Technical University in Prague
# DOI: 10.5281/zenodo.7684550
# Zenodo: https://zenodo.org/record/7684550#.ZBLGCuzML0o
# Source: https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIP-Attacks-2022/
date,orig,flows,duration,packets,bytes
2022-04-04,1.0.234.65,1,5e-06,2,104
2022-04-04,1.10.172.211,1,0.0,1,52
2022-04-04,1.116.138.182,1,4.7e-05,2,80
2022-04-04,1.116.243.210,1,3e-06,2,80
2022-04-04,1.116.37.121,1,2e-06,2,80
2022-04-04,1.116.67.192,24,0.000173,48,1920
2022-04-04,1.116.73.236,22,0.000173,43,1720
2022-04-04,1.116.97.146,1,1e-06,2,120
2022-04-04,1.117.107.145,1,3e-06,2,126
2022-04-04,1.117.199.237,1,5e-06,2,80
2022-04-04,1.12.255.18,2,2e-05,4,160
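
A loader for the daily file format shown above, as an added example (not part of the dataset or of the AIP tool): it separates the `#` metadata header from the CSV body, validates and types each column, and ranks source IPs by flow count. The names `Attack`, `parse_daily_file` and `top_sources` are hypothetical, and the sample is constructed from lines in the excerpt.

```python
import csv
import gzip
import ipaddress
from typing import NamedTuple


class Attack(NamedTuple):
    date: str
    orig: str        # attacker source IP, validated and normalised
    flows: int
    duration: float
    packets: int
    bytes: int


def parse_daily_file(raw: bytes):
    """Parse one gzip-compressed daily file into (metadata, rows)."""
    meta, body = {}, []
    for line in gzip.decompress(raw).decode("utf-8").splitlines():
        if line.startswith("#"):
            # Header lines look like "# Key: value"; free-text lines are skipped.
            key, sep, value = line[1:].strip().partition(": ")
            if sep:
                meta[key] = value
        elif line.strip():
            body.append(line)
    rows = []
    for rec in csv.DictReader(body):  # first non-comment line is the column header
        # ip_address() raises ValueError on a malformed address, so bad rows fail loudly.
        rows.append(Attack(rec["date"], str(ipaddress.ip_address(rec["orig"])),
                           int(rec["flows"]), float(rec["duration"]),
                           int(rec["packets"]), int(rec["bytes"])))
    return meta, rows


def top_sources(rows, n=3):
    """Rank source IPs by flow count, breaking ties by byte count."""
    return sorted(rows, key=lambda r: (r.flows, r.bytes), reverse=True)[:n]


# Constructed sample: header and rows taken from the excerpt, recompressed in memory.
SAMPLE = gzip.compress(b"""# This file is part of the CTU-AIP-Attacks-2022 dataset
# Version: 1.0
# DOI: 10.5281/zenodo.7684550
date,orig,flows,duration,packets,bytes
2022-04-04,1.0.234.65,1,5e-06,2,104
2022-04-04,1.116.67.192,24,0.000173,48,1920
2022-04-04,1.116.73.236,22,0.000173,43,1720
2022-04-04,1.12.255.18,2,2e-05,4,160
""")

if __name__ == "__main__":
    meta, rows = parse_daily_file(SAMPLE)
    print(meta["DOI"], [r.orig for r in top_sources(rows)])
```

To load a real file, pass the bytes of one `attacks.YYYY-MM-DD.csv.gz` to `parse_daily_file`.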

Tools

Zeek connection logs were processed using the AIP tool to generate the aggregated data for this dataset. Zeek version 2.6-264 and AIP version 2.0 were used.

Data cleaning

The IPs removed from the dataset corresponding to the active probe service were:

Citation

This dataset was created by the Stratosphere Laboratory, AIC, FEL, Czech Technical University in Prague. To cite this dataset, please use the following citation:

Joaquin Bogado, Veronica Valeros, & Sebastian Garcia. (2023). CTU-AIP-Attacks-2022 (1.0) [Data set]. Zenodo. https://doi.org/10.5281/zenodo.7684550

Contact

For information or questions about this dataset, contact us at stratosphere@aic.fel.cvut.cz with the subject: CTU-AIP-Attacks-2022.

References

[1] The Zeek Network Security Monitor, https://zeek.org/. Accessed on 03/03/2023.

[2] base/protocols/conn/main.zeek – Book of Zeek (git/master), https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html. Accessed on 03/03/2023.