Welcome to the website of ASNM Datasets

In general, ASNM datasets include records consisting of many features that express various properties and characteristics of TCP communications. These features are called Advanced Security Network Metrics (ASNM) and were designed with the intention of discerning legitimate connections from malicious ones (especially intrusions). ASNM features were proposed in paper [1] and later extended; the current description of ASNM features is available in Appendix D of the dissertation thesis [2]. ASNM features are extracted from tcpdump captures, and their computation does not involve deep packet inspection.

Purpose of ASNM Datasets

ASNM datasets can be used for machine-learning-based Network Behavioral Anomaly Detection or for analysis of network traffic characteristics, based on the labels indicating the presence and/or type of malicious/legitimate communication.

Enumeration of Datasets

ASNM datasets were created one by one during our long-term research. The following listing contains references to descriptions of particular datasets with their download locations:

ASNM-NPBO Dataset - contains non-payload-based obfuscation techniques applied to malicious traffic and some legitimate traffic. It was created in 2015.

ASNM-TUN Dataset - contains tunneling obfuscation techniques applied to malicious traffic. It was created in 2014.

ASNM-CDX-2009 Dataset - contains ASNM features extracted from tcpdump captures of the CDX 2009 dataset. It lacks a few of the newer ASNM features. It was created in 2013.

Limitations

Across all of the ASNM datasets, we aimed to select vulnerable network services whose successful exploitation has high severity, leading to remote shell code execution. Although a plethora of publicly available exploit code and penetration testing frameworks exists for contemporary network vulnerabilities, the corresponding vulnerable software is not similarly available, for understandable prevention reasons. Therefore, our datasets were built using older high-severity vulnerable services, which are outdated but may serve as a testbed for Network Behavioral Anomaly Detection.

The next limitation relates to the ASNM features themselves, which can be intentionally influenced by an attacker in order to match the behavioral characteristics of legitimate traffic. This limitation is addressed in the last ASNM dataset, which deals with non-payload-based obfuscations of network traffic (ASNM-NPBO).

References

  1. HOMOLIAK Ivan, BARABAS Maros, CHMELAR Petr, DROZD Michal and HANACEK Petr: ASNM: Advanced Security Network Metrics for Attack Vector Description. In: Proceedings of the 2013 International Conference on Security & Management. Las Vegas: Computer Science Research, Education, and Applications Press, 2013, pp. 350-358. ISBN 1-60132-259-3.

  2. HOMOLIAK Ivan: Intrusion Detection in Network Traffic. Dissertation thesis, University of Technology Brno, Faculty of Information Technology, 2016.