VAST Challenge 2012

Overview
Environment
Activity
Contained Data
Papers
Links
Data Examples


Network Data Source	Firewall and IDS logs
Network Data Labeled	Ground truth provided
Host Data Source	-
Host Data Labeled	-

Overall Setting	Enterprise IT
OS Types	Undisclosed
Number of Machines	~5000
Total Runtime	2 days
Year of Collection	2012
Attack Categories	BotNet
Benign Activity	Presumably synthetic, but not detailed

Packed Size	186 MB
Unpacked Size	2,9 GB
Download Link	goto

Overview

The VAST Challenge (Visual Analytics Science and Technology) is an annual competition that is part of the IEEE VAST conference. It’s not necessarily focussed on cybersecurity, but rather designed to promote new approaches towards visual analytics tools and techniques - hence the name. However, one of the datasets used in the 2012 challenge stemmed from the simulation of a system under attack, and could be useful for purposes beyond its original one.

Environment

The underlying scenario is that of a globally operating Bank (in a fictional world) with an IT infrastructure matching this. The scope of this dataset is one of the Banks networks, consisting of ~5000 machines, running an unspecified IDS.

Activity

Within the context of this challenge, the task for competitors was to recognize noteworthy security events, identify security-related trends and spot potential root causes for any incidents. The attack scenario consists of a botnet initially infecting a machine inside the banks network via a USB stick, then spreading within that network and attempting to exfiltrate information. Further details, although few, are available in the linked ground truth. The collection period lasted two days.

Contained Data

The dataset consists of IDS alerts and firewall logs. The IDS created an alert in the following three cases:

A computer is port scanning the network
An FTP session is started
An IRC session started

The firewall only logs traffic between inside and outside interface, and vice versa. Examples of this includes things like browsing, accessing external servers, or botnet activity. For both sources, data is available in .csv format.

Papers

Vast Challenge 2012: Visual Analytics for Big Data (2012)

Data Examples

Snippet of IDS logs taken from IDS-0407.csv

time, sourceIP, sourcePort, destIP, destPort, classification, priority,label,packet info,packet info cont'd, xref
[...]
4/7/2012 3:13,172.23.0.207,2441,172.23.0.10,445, Generic Protocol Command Decode,3, [1:2103003:7] GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt ,TCP TTL:128 TOS:0x0 ID:46618 IpLen:20 DgmLen:1500 DF,***A**** Seq: 0x1EB13CAA  Ack: 0xEC4EB318  Win: 0xFF3A  TcpLen: 20,[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12065][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12052][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818][Xref => http://www.securityfocus.com/bid/9635][Xref => http://www.securityfocus.com/bid/9633]
4/7/2012 3:13,172.23.0.207,2441,172.23.0.10,445, Generic Protocol Command Decode,3, [1:2102466:9] GPL NETBIOS SMB-DS IPC$ unicode share access ,TCP TTL:128 TOS:0x0 ID:46620 IpLen:20 DgmLen:138 DF,***AP*** Seq: 0x1EB1471A  Ack: 0xEC4EB49D  Win: 0xFDB5  TcpLen: 20,
4/7/2012 3:13,172.23.0.215,2464,172.23.0.10,445, Generic Protocol Command Decode,3, [1:2103003:7] GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt ,TCP TTL:128 TOS:0x0 ID:46603 IpLen:20 DgmLen:1500 DF,***A**** Seq: 0xC070A3E0  Ack: 0x66A5DE36  Win: 0xFF3A  TcpLen: 20,[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12065][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12052][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818][Xref => http://www.securityfocus.com/bid/9635][Xref => http://www.securityfocus.com/bid/9633]
4/7/2012 3:13,172.23.0.215,2464,172.23.0.10,445, Generic Protocol Command Decode,3, [1:2102466:9] GPL NETBIOS SMB-DS IPC$ unicode share access ,TCP TTL:128 TOS:0x0 ID:46605 IpLen:20 DgmLen:138 DF,***AP*** Seq: 0xC070AE50  Ack: 0x66A5DFBB  Win: 0xFDB5  TcpLen: 20,
4/7/2012 3:13,172.23.0.235,2471,172.23.0.10,445, Generic Protocol Command Decode,3, [1:2103003:7] GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt ,TCP TTL:128 TOS:0x0 ID:46791 IpLen:20 DgmLen:1500 DF,***A**** Seq: 0xB7C1832B  Ack: 0x33E0059F  Win: 0xFF3A  TcpLen: 20,[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12065][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12052][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818][Xref => http://www.securityfocus.com/bid/9635][Xref => http://www.securityfocus.com/bid/9633]
4/7/2012 3:13,172.23.0.233,2395,172.23.0.10,445, Generic Protocol Command Decode,3, [1:2103003:7] GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt ,TCP TTL:128 TOS:0x0 ID:46625 IpLen:20 DgmLen:1500 DF,***A**** Seq: 0x14D087FB  Ack: 0x1793F096  Win: 0xFF3A  TcpLen: 20,[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12065][Xref => http://cgi.nessus.org/plugins/dump.php3?id=12052][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818][Xref => http://www.securityfocus.com/bid/9635][Xref => http://www.securityfocus.com/bid/9633]
4/7/2012 3:13,172.23.0.235,2471,172.23.0.10,445, Generic Protocol Command Decode,3, [1:2102466:9] GPL NETBIOS SMB-DS IPC$ unicode share access ,TCP TTL:128 TOS:0x0 ID:46793 IpLen:20 DgmLen:138 DF,***AP*** Seq: 0xB7C18D9B  Ack: 0x33E00724  Win: 0xFDB5  TcpLen: 20,
4/7/2012 3:13,172.23.0.233,2395,172.23.0.10,445, Generic Protocol Command Decode,3, [1:2102466:9] GPL NETBIOS SMB-DS IPC$ unicode share access ,TCP TTL:128 TOS:0x0 ID:46627 IpLen:20 DgmLen:138 DF,***AP*** Seq: 0x14D0926B  Ack: 0x1793F21B  Win: 0xFDB5  TcpLen: 20,

Snippet of firewall logs taken from Firewall-04072012.csv

Date/time,Syslog priority,Operation,Message code,Protocol,Source IP,Destination IP,Source hostname,Destination hostname,Source port,Destination port,Destination service,Direction,Connections built,Connections torn down
[...]
06/Apr/2012 23:57:44,Info,Teardown,ASA-6-302014,TCP,172.23.100.221,10.32.0.100,(empty),(empty),2484,80,http,outbound,0,1
06/Apr/2012 23:57:44,Info,Built,ASA-6-302013,TCP,172.23.91.44,10.32.0.100,(empty),(empty),2557,80,http,outbound,1,0
06/Apr/2012 23:57:44,Info,Teardown,ASA-6-302014,TCP,172.23.8.195,10.32.0.201,(empty),(empty),1445,80,http,outbound,0,1
06/Apr/2012 23:57:44,Info,Teardown,ASA-6-302014,TCP,172.23.19.76,10.32.0.206,(empty),(empty),1449,80,http,outbound,0,1
06/Apr/2012 23:57:44,Info,Built,ASA-6-302013,TCP,172.23.112.45,10.32.0.100,(empty),(empty),2500,80,http,outbound,1,0
06/Apr/2012 23:57:44,Info,Built,ASA-6-302013,TCP,172.23.19.147,10.32.0.205,(empty),(empty),1457,80,http,outbound,1,0
06/Apr/2012 23:57:44,Info,Built,ASA-6-302013,TCP,172.23.23.155,10.32.1.202,(empty),(empty),1483,80,http,outbound,1,0
06/Apr/2012 23:57:44,Info,Teardown,ASA-6-302014,TCP,172.23.106.137,10.32.0.100,(empty),(empty),2479,80,http,outbound,0,1
06/Apr/2012 23:57:44,Info,Teardown,ASA-6-302014,TCP,172.23.19.141,10.32.0.201,(empty),(empty),1450,80,http,outbound,0,1
06/Apr/2012 23:57:44,Info,Built,ASA-6-302013,TCP,172.23.39.81,10.32.0.100,(empty),(empty),1424,80,http,outbound,1,0
06/Apr/2012 23:57:44,Info,Teardown,ASA-6-302014,TCP,172.23.19.140,10.32.1.203,(empty),(empty),1452,80,http,outbound,0,1
06/Apr/2012 23:57:44,Info,Built,ASA-6-302013,TCP,172.23.79.139,10.32.0.100,(empty),(empty),2567,80,http,outbound,1,0
06/Apr/2012 23:57:44,Info,Built,ASA-6-302013,TCP,172.23.80.161,10.32.0.100,(empty),(empty),2525,80,http,outbound,1,0