CIDDS - Coburg Intrusion Detection Data Sets

General idea of CIDDS

CIDDS (Coburg Intrusion Detection Data Sets) is a concept to create evaluation data sets for anomaly-based network intrusion detection systems. Since the IT industry is constantly evolving, attackers are forced to adapt and find new ways to penetrate their target of interest. Hence, the development of intrusion detection systems can be seen as a constantly evolving process between the attackers attempts and the triggered adjustments of the defenders. From this perspective, it is not expedient to test current intrusion detection systems with old data sets. Thus, the main objective of CIDDS is the generation of customizable and up-to-date data sets. In order to tackle this objective, the basic idea behind CIDDS is to create labelled flow-based data sets in a virtual environment using OpenStack.

Exemplary implementation

In the following, we want to explain the general idea of CIDDS with the exemplarily generated CIDDS-001 data set. For creating the CIDDS-001 data set, we emulated a small small business environment. This environment includes several clients and typical servers like an E-Mail server or Web servers (see adjacent figure). Python scripts are used for emulating benign user behaviour like browsing the web, sending and receiving emails, as well as exchanging files. To ensure as realistic user behaviour as possible, clients perform their activities with respect to an individual working schedule which considers working hours and lunch breaks. We are also taking into account that different employees tend to have different working tasks. A manager, for example, would be attending more meetings, thus generating less network traffic than a researcher who is constantly browsing. Hence, characteristics of every user are set using a configuration file.

For generating malicious traffic, Denial of Service (DoS), Brute Force attacks and Port Scans were executed within the network. Since origins, targets, and timestamps of the executed attacks are known, labelling of the recorded NetFlow data was easily possible. For inclusion of actual network traffic, which has its origin outside the OpenStack environment, an external server was deployed. It provides a file synchronization service (Seafile) and a HTTP webserver for the clients. Since this server had a publicly accessible IP address, it was exposed to real and up-to-date attacks from the internet. For further information about the individual data sets, we recommend you to read the corresponding technical report.

Ongoing research

Right now, we extend our user behavior scripts to generate even more realistic network traffic. For example, we plan to integrate additional servers like repository servers and want to add further user activities like Skype etc. Further, we plan to exploit more sophisticated attack scenarios (Browser-Exploits and Trojans) within our OpenStack environment.