IMPORTANT: ADFA-WD as a standalone dataset does not seem to be available. This limits the usability of the other (SAA) dataset, as the benign baseline (which would be provided by ADFA-WD) is missing. In what follows, only ADFA-WD:SAA will be described. Info for ADFA-WD will be added if that data becomes available.
| Property | Value |
|---|---|
| Network Data Source | - |
| Network Data Labeled | - |
| Host Data Source | DLL calls, XML logs from Procmon |
| Host Data Labeled | "Yes", as in SAA only contains attack data |
| Overall Setting | Single OS |
| OS Types | Windows XP Service Pack 2 |
| Number of Machines | 1 |
| Total Runtime | n/a |
| Year of Collection | 2014 |
| Attack Categories | Stealthy Shellcode |
| Benign Activity | n/a |
| Packed Size | 403 MB |
| Unpacked Size | 13.6 GB |
| Download Link | n/a |
Overview
The ADFA (Australian Defence Force Academy) datasets, specifically ADFA-LD (Linux Dataset) and ADFA-WD (Windows Dataset), are designed for the evaluation of anomaly-based intrusion detection systems (IDS). These datasets were introduced to address the limitations of older datasets, such as the KDD’99 dataset, which had become outdated given the evolution of cyber threats. Later, the Windows dataset was expanded with an addendum containing stealth attack traces named ADFA-WD:SAA (Stealth Attack Addendum).
Note: The provider that hosted this dataset shut down in 2023. As of writing this, I am unaware of other download sources. Should you find one, please open a pull request.
Environment
The environment consists of a single host running Windows XP SP2. More information can (probably) be found scattered throughout the thesis the ADFA-WD:SAA dataset is based on, but is sadly not documented in a concise way.
Activity
ADFA-WD:SAA focuses on attacks categorized as "stealthy shellcode payloads". Like ordinary shellcode attacks, they are enabled by some kind of overflow, but the stealthy variants differ in that they are restricted to actions (in the form of system manipulation patterns) that also occur in the program's natural baseline, similar in spirit to ROP. The authors present four different classes of such stealthy shellcode, accompanied by an implementation of a payload for every class. Explaining their technical details goes beyond the purpose of this summary, and I suggest reading the cited paper for further details (p141 ff.).
Contained Data
Collected data consists of system call information, which in the case of Windows means a library name combined with an offset, e.g. ntdll.dll+0x1652e.
For each shellcode implementation, sampling was performed from just before the exploitation act to just after, and the content of the SAA is assumed to contain only attack data (p152 in cited paper).
Data is available in two formats:
- .ghc: Text files containing only library name + offset.
- .xml: Generated by Windows (Procmon), a superset of the above with some additional information.
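As an added example (not part of this entry or of the dataset's own tooling), a small Python parser that reads both formats into normalized (library, offset) tokens and counts n-grams over the resulting sequence, the usual feature representation for anomaly-based IDS on system call traces. The XML sample inside it is constructed after the snippet shown under Data Examples; the <procmon> root wrapper and the file layout around the events are assumptions.

```python
"""Parse ADFA-WD:SAA traces into normalized (library, offset) tokens and
count n-grams, the usual feature representation for this kind of data."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Matches "kernel32.dll+0xb50b" (.ghc form) and "kernel32.dll + 0xb50b" (.xml form).
_CALL_RE = re.compile(r"^\s*([\w.\-]+)\s*\+\s*0x([0-9a-fA-F]+)\s*$")

def parse_call(text):
    """Normalize one library+offset string to ('kernel32.dll', 0xb50b); None if malformed."""
    m = _CALL_RE.match(text)
    if not m:
        return None
    return (m.group(1).lower(), int(m.group(2), 16))

def parse_ghc(text):
    """Tokenize a .ghc file body: whitespace-separated library+offset entries."""
    calls = [parse_call(tok) for tok in text.split()]
    return [c for c in calls if c is not None]   # drops e.g. a trailing "[...]"

def parse_procmon_xml(xml_text):
    """Extract stack-frame <location> values from Procmon XML events, in document order.
    Frames without a <location> (e.g. the 0x0 terminator frame) are skipped."""
    calls = []
    for frame in ET.fromstring(xml_text).iter("frame"):
        c = parse_call(frame.findtext("location") or "")
        if c is not None:
            calls.append(c)
    return calls

def ngram_counts(calls, n=2):
    """Count sliding-window n-grams over the call sequence."""
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))

# Constructed sample input modelled on the snippets in Data Examples (not real dataset content).
SAMPLE_GHC = "ntdll.dll+0x1652e ntdll.dll+0x1659e kernel32.dll+0x1d1f kernel32.dll+0xb50b ntdll.dll+0x1652e [...]"
SAMPLE_XML = r"""<procmon><event><stack>
<frame><depth>0</depth><address>0xba6d5944</address><path>C:\WINDOWS\System32\Drivers\fltMgr.sys</path><location>fltMgr.sys + 0x1944</location></frame>
<frame><depth>1</depth><address>0x7c80b50b</address><path>C:\WINDOWS\system32\kernel32.dll</path><location>kernel32.dll + 0xb50b</location></frame>
<frame><depth>2</depth><address>0x0</address></frame>
</stack></event></procmon>"""

if __name__ == "__main__":
    print(ngram_counts(parse_ghc(SAMPLE_GHC), 2).most_common(3))
    print(parse_procmon_xml(SAMPLE_XML))
```

Because both parsers emit the same token shape, n-gram vectors built from the .ghc files and from the richer .xml logs are directly comparable.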
Papers
Links
- Homepage
- (ADFA-WD download not available)
- (ADFA-WD-SAA download not available)
Note: At the time of writing, links on the official homepage have not been updated.
Related Entries
Data Examples
Snippet of library calls as <library_name.dll> + offset stored in .GHC files.
ntdll.dll+0x1652e ntdll.dll+0x1659e kernel32.dll+0x1d1f kernel32.dll+0xb50b ntdll.dll+0x1652e ntdll.dll+0x1659e
kernel32.dll+0x1d1f kernel32.dll+0xb50b ntdll.dll+0x1652e ntdll.dll+0x1659e kernel32.dll+0x1d1f kernel32.dll+0xb50b
ntdll.dll+0x1652e ntdll.dll+0x1659e kernel32.dll+0x1d1f kernel32.dll+0xb50b ntdll.dll+0x1652e ntdll.dll+0x1659e
kernel32.dll+0x1d1f kernel32.dll+0xb50b ntdll.dll+0x1652e ntdll.dll+0x1659e kernel32.dll+0x1d1f kernel32.dll+0xb50b
ntdll.dll+0x1652e ntdll.dll+0x1659e kernel32.dll+0x1d1f kernel32.dll+0xb50b ntdll.dll+0x1652e ntdll.dll+0x1659e [...]
Snippet of raw Windows logs in .xml files.
<frame>
<depth>22</depth>
<address>0x7c80b50b</address>
<path>C:\WINDOWS\system32\kernel32.dll</path>
<location>kernel32.dll + 0xb50b</location>
</frame>
<frame>
<depth>23</depth>
<address>0x0</address>
</frame>
</stack>
</event>
<event>
<ProcessIndex>33</ProcessIndex>
<Time_of_Day>11:41:30.6586676 AM</Time_of_Day>
<Process_Name>Procmon.exe</Process_Name>
<PID>1604</PID>
<Operation>FASTIO_NETWORK_QUERY_OPEN</Operation>
<Path>C:\WINDOWS\system32\secur32.dll</Path>
<Result>SUCCESS</Result>
<Detail>CreationTime: 8/4/2004 10:00:00 PM, LastAccessTime: 6/27/2013 11:41:25 AM, LastWriteTime: 8/4/2004 10:00:00 PM, ChangeTime: 12/1/2012 3:07:25 PM, AllocationSize: 57,344, EndOfFile: 55,808, FileAttributes: A</Detail>
<stack>
<frame>
<depth>0</depth>
<address>0xba6d5944</address>
<path>C:\WINDOWS\System32\Drivers\fltMgr.sys</path>
<location>fltMgr.sys + 0x1944</location>
</frame>
<frame>
<depth>1</depth>
<address>0xba6d7259</address>
<path>C:\WINDOWS\System32\Drivers\fltMgr.sys</path>
<location>fltMgr.sys + 0x3259</location>
</frame>