A little more casual: CSE-CIC-IDS2018 on AWS

Posted by Eriksen Rutledge on February 9th, 2021

Before a NIDS is formally deployed on a network, it needs a great deal of testing, evaluation and tuning, and that requires an appropriate data set. However, there are two main problems with current data acquisition: (1) many data sets are internal, non-public and cannot be shared; (2) anonymization leaves the data unable to reflect the current situation, trends or some statistical characteristics. So we have to settle for sub-optimal data sets that meet our requirements. Moreover, as network behavior and patterns change and intrusions evolve, research needs gradually shift from static, one-time data sets to dynamically generated data sets. These not only reflect the traffic composition and intrusions of the time, but also provide scalability and reproducibility, that is, they can be modified.

CSE-CIC-IDS2017/2018 on AWS is a collaborative project between CSE and CIC. It is based on creating user profiles to generate diverse and comprehensive benchmark data sets for intrusion detection. The profiles contain abstract representations of events and behaviors seen on the network, and the profiles are combined to generate several different data sets, each of which can be used for intrusion detection. Each data set has a unique set of features that covers part of the evaluation domain.

Attack infrastructure: 50 machines; the victim organization has five departments, including 420 machines and 30 servers.

Data set: captured network traffic and system logs of each machine, plus 80 features extracted from the captured traffic using CICFlowMeter-V3.

1. Profiles. A profile contains a step-by-step description of an intrusion and an abstract distribution model for an application, protocol or underlying network entity, which can be applied to various network protocols with different topologies. Profiles can be used together to generate data sets for specific requirements. There are two categories:

- B-profiles: encapsulate the abstract behavior of users. Various machine learning and statistical analysis methods (such as K-Means, Random Forest, SVM and J48) are used to encapsulate user entity behavior. The encapsulation is characterized by the packet size of the protocol, the number of packets per flow, certain patterns in the payload, the size of the payload and the distribution of the protocol's request times. In the testbed environment the simulated protocols are HTTPS, HTTP, SMTP, POP3, IMAP, SSH and FTP. In testing, most of the traffic was HTTP and HTTPS.
- M-profiles: describe attacks unambiguously. Given these attacks, the profile is used to execute them. The details are shown in Table 1.

2. Attack scenarios. This data set contains seven different attack scenarios:

1) Brute force: runs against weak combinations of user name and password to break into an account. The design goal of the final scheme is to obtain SSH and MySQL accounts by running dictionary brute-force attacks against the main server. In this data set, FTP and SSH on a Kali Linux machine are used as the attacker's machine, and an Ubuntu 14.0 system is used as the victim's machine. For the password list, a large dictionary containing 90 million words was used. Recommended cracking tool: Patator (fully multithreaded), written in Python, which is more reliable and flexible; each response can be saved in a separate log file for later review.

2) Heartbleed: one of the well-known attacks based on a freshly disclosed vulnerability (such attacks can be executed within a specific window, sometimes affect countless servers or victims, and often take months before all the vulnerable systems are repaired). Heartleech is one of the most famous tools for exploiting Heartbleed. It can scan systems vulnerable to the bug and use it to exploit them and steal data. OpenSSL 1.0.1f is used as the victim application. Attachment: some of Heartleech's features:
- conclusive / inconclusive determination of whether a target is vulnerable
- quickly downloads a large amount of dumped data into a big file, so that many threads can be used for offline processing
- automatically retrieves the private key without other steps
- some limited IDS evasion
- STARTTLS support
- IPv6 support
- Tor / SOCKS5n proxy support
- extensive connection diagnostic information

3) Botnet: uses Zeus, a Trojan horse malware package that runs on Microsoft Windows and is usually used to steal banking information through keystroke logging and form grabbing in the browser; it is also used to install the CryptoLocker ransomware. Zeus is mainly spread through drive-by downloads and phishing schemes. As a supplement, Ares Botnet, an open-source botnet, has the following functions: remote cmd.exe shell, persistence, file upload / download, screen capture, key logging. This data set uses the above two botnets to infect machines and requests a screen capture from the bots every 400 seconds.

4) DoS (denial of service attack) and 5) DDoS (distributed denial of service attack): HTTP denial of service attacks using Slowloris and LOIC as the main tools; these tools have proven able to make a web server completely inaccessible from a single attacker. Slowloris allows one machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. First it establishes a full TCP connection with the remote server; the tool then keeps the connection open by frequently sending valid but incomplete HTTP requests to the server so that the socket is never closed. Since any web server has a limited capacity for connections, it is only a matter of time before all sockets are exhausted and no other connections can be established. HOIC is an open-source network stress testing and denial-of-service application written in BASIC. It can launch DoS attacks on websites, targeting up to 256 URLs at the same time. This data set uses 4 machines to carry out the DDoS attack.

6) Web attacks: the DVWA web application is used as the victim web application. The main goal of DVWA is to help security professionals test their skills and tools in a legal environment, help web developers better understand the process of securing web applications, and help teachers / students teach / learn web application security in a classroom environment; it is deliberately vulnerable. The first step is to scan the website with a web application vulnerability scanner, and then execute different types of web attacks against the vulnerable site, including SQL injection, command injection and unrestricted file upload.

7) Infiltration of the network from inside: a malicious file is sent to the victim via e-mail and an application vulnerability is exploited. After successful exploitation, a backdoor is executed on the victim's computer, and that computer is used to scan the internal network for other vulnerable applications and exploit them where possible. The attacks include IP sweep, full port scan and service enumeration using Nmap.

3. Feature extraction. The tool used here is CICFlowMeter, a network traffic flow generator written in Java. It offers more flexibility in selecting the features to be calculated, adding new features, and better control over the flow timeout duration. It generates bidirectional flows (biflows), where the first packet determines the forward (source to destination) and backward (destination to source) directions. It has 83 statistical features, such as duration, number of packets, number of bytes, packet length, etc., which are also calculated separately in the forward and backward directions. The output of the application is in CSV format, and each flow has six identifying columns, namely FlowID, SourceIP, DestinationIP, SourcePort, DestinationPort and Protocol, followed by more than 80 network traffic features. Typically, TCP flows terminate when the connection is torn down (via FIN packets), and UDP flows terminate on flow timeout. The flow timeout value can be assigned arbitrarily by each scheme; for example, for both TCP and UDP it is 600 seconds. After extracting the features and creating the CSV file, the data is labeled. Here, the attack schedule, the source and destination IP addresses and ports, and the protocol name are used to label the data of each flow.

How to use it? Data sets are organized by day. For each day the raw data is recorded, including each machine's network traffic (PCAPs) and event logs (Windows and Ubuntu event logs). In the feature extraction process over the raw data, CICFlowMeter-V3 is used to extract more than 80 traffic features and save them as a CSV file per machine.

1) To analyze with AI techniques: download the generated data (CSV) files and analyze the network traffic.
2) To use a new feature extractor: use the original captured files (pcap and logs) to extract the features you need, then apply data mining techniques to analyze the generated data.

Finally, CSE-CIC-IDS2018 on AWS is available at https://www.unb.ca/cic/datasets/ids-2018.html
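The feature-extraction and labeling steps described above can be illustrated with a small Python reproduction of the biflow pipeline. This is an added example, not CICFlowMeter's own code: packets are grouped into bidirectional flows on the 5-tuple, the first packet fixes the forward direction, TCP flows end on FIN and any flow ends on the 600 s timeout, a few per-direction statistics are computed, and each flow is labeled from an attack schedule keyed on time window, attacker/victim IPs, port and protocol. The packets, addresses and the single schedule entry are constructed for the example, and measuring the timeout from the flow's first packet is an assumption made here.

```python
"""Added illustration (not CICFlowMeter itself) of the biflow pipeline described
above: packets grouped into bidirectional flows on the 5-tuple, forward direction
fixed by the first packet, TCP flows ended by FIN and any flow by timeout,
per-direction statistics, then labels applied from an attack schedule."""
import csv
import io
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List

FLOW_TIMEOUT = 600.0  # seconds; the example value quoted in the text

Packet = namedtuple("Packet", "ts src sport dst dport proto length fin", defaults=[False])
# One scheduled attack; dport/proto of None match anything.
AttackWindow = namedtuple("AttackWindow", "label start end attacker_ip victim_ip dport proto",
                          defaults=[None, None])

@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    fwd_pkts: int = 0
    bwd_pkts: int = 0
    fwd_bytes: int = 0
    bwd_bytes: int = 0
    label: str = "Benign"

def _flow_key(p: Packet):
    # Direction-independent key so both directions of a conversation hit one flow.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b), p.proto)

def build_flows(packets: List[Packet], timeout: float = FLOW_TIMEOUT) -> List[Flow]:
    active: Dict[tuple, Flow] = {}
    finished: List[Flow] = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = _flow_key(p)
        flow = active.get(key)
        # Timeout measured from the flow's first packet (assumption made here).
        if flow is not None and p.ts - flow.start > timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:  # first packet decides src/dst, i.e. the forward direction
            flow = Flow(p.src, p.sport, p.dst, p.dport, p.proto, p.ts, p.ts)
            active[key] = flow
        if (p.src, p.sport) == (flow.src, flow.sport):
            flow.fwd_pkts += 1
            flow.fwd_bytes += p.length
        else:
            flow.bwd_pkts += 1
            flow.bwd_bytes += p.length
        flow.end = p.ts
        if p.proto == "TCP" and p.fin:  # simplified: a single FIN closes the flow
            finished.append(active.pop(key))
    finished.extend(active.values())  # flows still open when the capture ends
    return finished

def label_flows(flows: List[Flow], schedule: List[AttackWindow]) -> List[Flow]:
    # Label = attack schedule window + attacker/victim IPs + port + protocol.
    for f in flows:
        for w in schedule:
            if (w.start <= f.start <= w.end
                    and {f.src, f.dst} == {w.attacker_ip, w.victim_ip}
                    and w.dport in (None, f.sport, f.dport)
                    and w.proto in (None, f.proto)):
                f.label = w.label
                break
    return flows

def flows_to_csv(flows: List[Flow]) -> str:
    # The six identifying columns CICFlowMeter emits, plus a few features and the label.
    cols = ["FlowID", "SourceIP", "DestinationIP", "SourcePort", "DestinationPort", "Protocol",
            "Duration", "FwdPkts", "BwdPkts", "FwdBytes", "BwdBytes", "Label"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols)
    writer.writeheader()
    for f in flows:
        flow_id = f"{f.src}-{f.dst}-{f.sport}-{f.dport}-{f.proto}"
        writer.writerow(dict(zip(cols, [flow_id, f.src, f.dst, f.sport, f.dport, f.proto,
                                       round(f.end - f.start, 3), f.fwd_pkts, f.bwd_pkts,
                                       f.fwd_bytes, f.bwd_bytes, f.label])))
    return buf.getvalue()

# Constructed sample capture (addresses invented): a benign HTTP exchange, an SSH attempt
# from the scheduled attacker, and a DNS exchange whose retry lands after the timeout.
SAMPLE_PACKETS = [
    Packet(100.0, "10.0.0.5", 40000, "10.0.0.20", 80, "TCP", 400),
    Packet(100.1, "10.0.0.20", 80, "10.0.0.5", 40000, "TCP", 1500),
    Packet(100.2, "10.0.0.5", 40000, "10.0.0.20", 80, "TCP", 60, True),
    Packet(200.0, "172.31.70.4", 51000, "10.0.0.20", 22, "TCP", 120),
    Packet(200.3, "10.0.0.20", 22, "172.31.70.4", 51000, "TCP", 90),
    Packet(200.6, "172.31.70.4", 51000, "10.0.0.20", 22, "TCP", 60, True),
    Packet(300.0, "10.0.0.5", 53000, "10.0.0.2", 53, "UDP", 70),
    Packet(300.05, "10.0.0.2", 53, "10.0.0.5", 53000, "UDP", 150),
    Packet(1000.0, "10.0.0.5", 53000, "10.0.0.2", 53, "UDP", 70),
]
SCHEDULE = [AttackWindow("SSH-Bruteforce", 150.0, 900.0, "172.31.70.4", "10.0.0.20", 22, "TCP")]

def run_pipeline(packets=SAMPLE_PACKETS, schedule=SCHEDULE) -> List[Flow]:
    return label_flows(build_flows(packets), schedule)
```

Calling `print(flows_to_csv(run_pipeline()))` yields four rows: the HTTP flow closed by its FIN, the SSH flow labeled from the schedule, and two separate UDP flows because the DNS retry arrives more than 600 seconds after the first packet. Note that the direction-independent key is what makes the flow bidirectional; without it the reply packets would start flows of their own and every backward-direction feature would be zero.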
