| Network Data Source | Firewall, Snort |
| Network Data Labeled | Ground truth provided |
| Host Data Source | OS Security Events |
| Host Data Labeled | Ground truth provided |
| Overall Setting | Enterprise IT |
| OS Types | n/a |
| Number of Machines | 11 + 150 |
| Total Runtime | ~3 days |
| Year of Collection | 2011 |
| Attack Categories | Reconnaissance DoS Persistence |
| Benign Activity | Present, but not further explained |
| Packed Size | 940 MB |
| Unpacked Size | 9,3 GB |
| Download Link | n/a (see links) |
Overview
The VAST Challenge (Visual Analytics Science and Technology)is an annual competition that is part of the IEEE VAST conference. It’s not necessarily focussed on cybersecurity, but rather designed to promote new approaches towards visual analytics tools and techniques - hence the name. However, one of the datasets used in the 2011 challenge stemmed from the simulation of a system under attack, and could be useful for purposes beyond its original one.
Environment
The simulated architecture is that of a medium-sized corporation (the “All Fright Corporation”). A detailed description of all relevant aspects like network details, port descriptions, data flows and policies is available as a separate document when downloading the dataset.
Activity
The following attacks were performed:
- Port scans
- DoS
- Social-Engineering leading to malicious authentication
- Persistence by adding a new machine to the network
Contained Data
The following logs were collected:
- Firewall logs
- IDS logs (Snort, aka NIDS)
- Nessus scan report (something like a vulnerability scan)
- Operating System Security Event Logs
Labels are indirectly available via a separate ground truth file (linked below). This file contains some information that could be used for signature-based labeling, but is probably not detailed enough to label all malicious events with absolute certainty. Notably, with this being a challenge dataset, there are some absences in the data, the main one being the lack of information about any IP addresses external to the company network.
Links
- Homepage & Download
- The link leads to the hub for all VAST datasets. At the time of writing, all of them are 404, but this may change
- Challenge Description)
- Ground Truth
Data Examples
Windows security event taken from MiniChallenge2 Core Data/20110415/security/20110415_VAST11MC2_SecurityLog.xml
<Event>
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Level>0</Level>
<Task>12544</Task>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2011-04-16T15:07:23.156250000Z" />
<EventRecordID>1410911</EventRecordID>
<Computer>DC01.AFC.com</Computer>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-2795111079-3225111112-3329435632-1114</Data>
<Data Name="TargetUserName">todd.bradford</Data>
<Data Name="TargetDomainName">AFC</Data>
<Data Name="TargetLogonId">0x36752d0</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName"></Data>
<Data Name="LogonGuid">{43E18D74-2B32-7844-B258-3104A1901CE4}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.168.2.62</Data>
<Data Name="IpPort">3602</Data>
</EventData>
</Event>
Firewall logs taken from MiniChallenge2 Core Data/20110415/firewall/csv/20110415_VAST11MC2_firewall_log.csv.
A raw version is also available.
Date/time,Syslog priority,Operation,Message code,Protocol,Source IP,Destination IP,Source hostname,Destination hostname,Source port,Destination port,Destination service,Direction,Connections built,Connections torn down
15/Apr/2011 07:56:25,Info,Built,ASA-session-6-302013,TCP,192.168.2.98,192.168.1.6,(empty),(empty),3762,43025,43025_tcp,inbound,1,0
15/Apr/2011 07:56:25,Info,Built,ASA-session-6-302013,TCP,192.168.2.98,192.168.1.6,(empty),(empty),3763,43025,43025_tcp,inbound,1,0
15/Apr/2011 07:56:25,Info,Teardown,ASA-session-6-302014,TCP,192.168.2.98,192.168.1.6,(empty),(empty),3762,43025,43025_tcp,inbound,0,1
15/Apr/2011 07:56:25,Info,Teardown,ASA-session-6-302014,TCP,192.168.2.98,192.168.1.6,(empty),(empty),3763,43025,43025_tcp,inbound,0,1
15/Apr/2011 07:56:26,Info,Teardown,ASA-session-6-302021,ICMP,(empty),(empty),(empty),(empty),(empty),(empty),(empty)_icmp,(empty),0,1
15/Apr/2011 07:56:26,Info,Teardown,ASA-session-6-302021,ICMP,(empty),(empty),(empty),(empty),(empty),(empty),(empty)_icmp,(empty),0,1
[...]
IDS (Snort) reports taken from MiniChallenge2 Core Data/20110415/IDS
[...]
[**] [122:3:0] (portscan) TCP Portsweep [**]
[Priority: 3]
04/15-08:42:31.668158 192.168.2.63 -> 192.168.1.14
PROTO:255 TTL:0 TOS:0x0 ID:49067 IpLen:20 DgmLen:163 DF
[**] [122:3:0] (portscan) TCP Portsweep [**]
[Priority: 3]
04/15-08:42:43.156492 192.168.2.114 -> 192.168.1.2
PROTO:255 TTL:0 TOS:0x0 ID:61615 IpLen:20 DgmLen:159 DF
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/15-08:42:44.354073 192.168.2.140 -> 192.168.1.2
PROTO:255 TTL:0 TOS:0x0 ID:316 IpLen:20 DgmLen:165 DF
[**] [122:3:0] (portscan) TCP Portsweep [**]
[Priority: 3]
04/15-08:42:44.486993 192.168.2.140 -> 192.168.1.14
PROTO:255 TTL:0 TOS:0x0 ID:366 IpLen:20 DgmLen:163 DF
[...]
Nessus scan results taken from MiniChallenge2 Core Data/Nessus/20110411_VAST11MiC2_Nessus.nbe
[...]
results|192.168.2|192.168.2.173|cifs (445/tcp)|51937|Security Hole|Synopsis :\n\nThe remote host contains an unsupported version of Flash Player.\n\nDescription :\n\nOne or more versions of Flash Player earlier than 10.x are installed\non the remote Windows host. Such versions are no longer supported by\nAdobe and are likely to contain security vulnerabilities.\n\nSee also :\n\nhttp://www.adobe.com/support/programs/policies/supported.html\nhttp://kb2.adobe.com/cps/406/kb406791.html\n\nSolution :\n\nEither upgrade or remove unsupported versions.\n\nRisk factor :\n\nHigh / CVSS Base Score : 9.3\n(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n\nPlugin output :\nThe following unsupported Flash player controls were detected :\n Product : ActiveX control (for Internet Explorer)\n Path : C:\\WINDOWS\\system32\\macromed\\flash\\flash.ocx\n Installed version : 6.0.79.0\n\n\n
results|192.168.2|192.168.2.173|cifs (445/tcp)|40434|Security Hole|Synopsis :\n\nThe remote Windows host contains a browser plugin that is affected by \nmultiple vulnerabilities.\n\nDescription :\n\nThe remote Windows host contains a version of Adobe Flash Player that \nis earlier than 9.0.246.0 / 10.0.32.18. Such versions are reportedly \naffected by multiple vulnerabilities : \n\n - A memory corruption vulnerability that could potentially\n lead to code execution. (CVE-2009-1862) \n\n - A vulnerability in the Microsoft Active Template Library\n (ATL) which could allow an attacker who successfully\n exploits the vulnerability to take control of the\n affected system. (CVE-2009-0901, CVE-2009-2395,\n CVE-2009-2493) \n\n - A privilege escalation vulnerability that could \n potentially lead to code execution. (CVE-2009-1863)\n\n - A heap overflow vulnerability that could potentially\n lead to code execution. (CVE-2009-1864) \n\n - A null pointer vulnerability that could potentially\n lead to code execution. (CVE-2009-1865) \n\n - A stack overflow vulnerability that could potentially\n lead to code execution. (CVE-2009-1866) \n\n - A clickjacking vulnerability that could allow an\n attacker to lure a web browser user into unknowingly\n clicking on a link or dialog. (CVE-2009-1867 \n\n - A URL parsing heap overflow vulnerability that could\n potentially lead to code execution. (CVE-2009-1868)\n\n - An integer overflow vulnerability that could potentially\n lead to code execution. (CVE-2009-1869) \n\n - A local sandbox vulnerability that could potentially\n lead to information disclosure when SWFs are saved to\n the hard drive. CVE-2009-1870)\n\nSee also :\n\nhttp://www.adobe.com/support/security/bulletins/apsb09-10.html\n\nSolution :\n\nUpgrade to version 10.0.32.18 or later. If you are unable to upgrade\nto version 10, upgrade to version 9.0.246.0 or later.\n\nRisk factor :\n\nHigh / CVSS Base Score : 9.3\n(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n\nPlugin output :\nNessus has identified the following vulnerable instance of Flash\nPlayer installed on the remote host :\n\n - ActiveX control (for Internet Explorer) :\n C:\\WINDOWS\\system32\\macromed\\flash\\flash.ocx, 6.0.79.0\n\n\nCVE : CVE-2009-1862,CVE-2009-0901,CVE-2009-2493,CVE-2009-1863,CVE-2009-1864,CVE-2009-1865,CVE-2009-1866,CVE-2009-1867,CVE-2009-1868,CVE-2009-1869,CVE-2009-1870\nBID : 35759,35832,35846,35900,35901,35902,35903,35904,35905,35906,35907,35908\nOther references : OSVDB:56282,OSVDB:56696,OSVDB:56698,OSVDB:56771,OSVDB:56772,OSVDB:56773,OSVDB:56774,OSVDB:56775,OSVDB:56776,OSVDB:56777,OSVDB:56778,CWE:200\n
results|192.168.2|192.168.2.173|cifs (445/tcp)|22056|Security Hole|Synopsis :\n\nThe remote Windows host contains a browser plugin that is affected by\nmultiple issues.\n\nDescription :\n\nAccording to its version number, the instance of Flash Player on the\nremote Windows host is affected by arbitrary code execution and denial\nof service issues. By convincing a user to visit a site with a\nspecially-crafted SWF file, an attacker may be able to execute\narbitrary code on the affected host or cause the web browser to crash.\n\nSee also :\n\nhttp://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-20.html\nhttp://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-21.html\nhttp://www.kb.cert.org/vuls/id/474593\nhttp://www.adobe.com/support/security/bulletins/apsb06-11.html\n\nSolution :\n\nUpgrade to Flash Player version 9.0.16.0 / 8.0.33.0 / 7.0.66.0 /\n6.0.88.0 or later.\n\nRisk factor :\n\nCritical / CVSS Base Score : 10.0\n(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n\nPlugin output :\nNessus has identified the following vulnerable instance(s) of Flash\nPlayer installed on the remote host :\n\n - ActiveX control (for Internet Explorer) :\n C:\\WINDOWS\\system32\\macromed\\flash\\flash.ocx, 6.0.79.0\n\n\nCVE : CVE-2006-3014,CVE-2006-3311,CVE-2006-3587,CVE-2006-3588,CVE-2006-4640\nBID : 18894,19980\nOther references : OSVDB:27113,OSVDB:27507,OSVDB:28732,OSVDB:28733,OSVDB:28734,CWE:264\n
results|192.168.2|192.168.2.173|cifs (445/tcp)|51926|Security Hole|Synopsis :\n\nThe remote Windows host contains a browser plug-in that is affected\nby multiple vulnerabilities.\n\nDescription :\n\nThe remote Windows host contains a version of Adobe Flash Player\nearlier than 10.2.152.26. Such versions are potentially affected by\nmultiple vulnerabilities :\n\n - An integer overflow exists that could lead to code\n execution. (CVE-2011-0558)\n\n - Multiple memory corruption vulnerabilities exist that \n could lead to code execution. (CVE-2011-0559,\n CVE-2011-0560, CVE-2011-0561, CVE-2011-0571, \n CVE-2011-0572, CVE-2011-0573, CVE-2011-0574, \n CVE-2011-0578, CVE-2011-0607, CVE-2011-0608)\n\n - A library-loading vulnerability exists that could lead\n to code execution. (CVE-2011-0575)\n\n - A font-parsing vulnerability exists that could lead to\n code execution. (CVE-2011-0577)\n\nSee also :\n\nhttp://www.adobe.com/support/security/bulletins/apsb11-02.html\n\nSolution :\n\nUpgrade to Flash Player 10.2.152.26 or later.\n\nRisk factor :\n\nHigh / CVSS Base Score : 9.3\n(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n\nPlugin output :\n Product : ActiveX control (for Internet Explorer)\n Path : C:\\WINDOWS\\system32\\macromed\\flash\\flash.ocx\n Installed version : 6.0.79.0\n Fixed version : 10.2.152.26\n\n\nCVE : CVE-2011-0558,CVE-2011-0559,CVE-2011-0560,CVE-2011-0561,CVE-2011-0571,CVE-2011-0572,CVE-2011-0573,CVE-2011-0574,CVE-2011-0575,CVE-2011-0577,CVE-2011-0578,CVE-2011-0607,CVE-2011-0608\nBID : 46186,46188,46189,46190,46191,46192,46193,46194,46195,46196,46197,46282,46283\nOther references : OSVDB:70911,OSVDB:70913,OSVDB:70914,OSVDB:70915,OSVDB:70916,OSVDB:70917,OSVDB:70918,OSVDB:70919,OSVDB:70920,OSVDB:70921,OSVDB:70922,OSVDB:70923,OSVDB:70976\n
[...]