Contents of Network Intrusion Collected Data
The network traffic was collected via a program called tcpdump. Tcpdump prints
out the headers of network packets that pass by the network interface of the
host executing tcpdump. The host used for this data collection was connected
between the Enterprise LAN and external networks, so all network traffic
passing between the Enterprise LAN and external networks could be captured by tcpdump.
Because tcpdump prints out only header information, no user data (packet payload) was printed.
When executing tcpdump, several filters can be specified. With filters specified, tcpdump will only collect data that can pass through those filters. For the purposes of these tests, filters were established so that only Internet Transmission Control Protocol (TCP) and Internet User Datagram Protocol (UDP) packets were collected.
For each TCP packet, tcpdump prints the following information:
To protect the identity of the hosts that were communicating with each other while the network traffic was collected, all IP addresses have been modified. Each external host is assigned a "fake" IP address. All internal hosts (hosts on the Enterprise LAN) will share the same "fake" IP address.
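As an added illustration (not part of the original page or dataset), the following Python script applies the address-rewriting scheme just described to tcpdump-style header lines: every host on the Enterprise LAN collapses to one shared fake address, while each external host receives its own stable fake address, and lines that are not TCP or UDP (which carry no ports) are dropped, mirroring the capture filter. The header-line layout, the internal network range, and the fake address ranges are all assumptions, since the page does not state them.

```python
import ipaddress
import re

# Assumptions (the page gives none of these): the Enterprise LAN is 10.0.0.0/8,
# every internal host is rewritten to one shared fake address, and each external
# host gets its own stable fake address drawn from a documentation range.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_FAKE = "192.0.2.1"
EXTERNAL_FAKE_POOL = ipaddress.ip_network("198.51.100.0/24").hosts()

# Assumed classic tcpdump header line: "HH:MM:SS.ffffff src.port > dst.port: <rest>".
# ICMP lines carry no ports, so they fail to match and are dropped, mirroring the
# TCP/UDP-only capture filter the page describes (tcpdump -n 'tcp or udp').
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<rest>.*)$"
)

_external_map = {}


def fake_ip(ip):
    """Map a real address to its fake one; external hosts get a stable pseudonym."""
    if ipaddress.ip_address(ip) in INTERNAL_NET:
        return INTERNAL_FAKE
    if ip not in _external_map:
        _external_map[ip] = str(next(EXTERNAL_FAKE_POOL))
    return _external_map[ip]


def anonymize_capture(lines):
    """Return TCP/UDP header lines with both addresses replaced; other lines are dropped."""
    out = []
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue
        out.append("%s %s.%s > %s.%s: %s" % (
            m["ts"], fake_ip(m["src"]), m["sport"],
            fake_ip(m["dst"]), m["dport"], m["rest"]))
    return out


# Constructed sample lines in the assumed format (not taken from the dataset).
SAMPLE_LINES = [
    "09:00:00.100000 10.1.2.3.1034 > 128.2.3.4.80: S 100:100(0) win 8192",
    "09:00:00.200000 128.2.3.4.80 > 10.1.2.3.1034: S 500:500(0) ack 101 win 4096",
    "09:00:01.000000 10.1.2.9.2000 > 128.2.3.4.80: S 700:700(0) win 8192",
    "09:00:02.000000 10.1.2.3.1035 > 203.0.113.9.53: udp 40",
    "09:00:03.000000 128.2.3.4 > 10.1.2.3: icmp: echo request",
]

if __name__ == "__main__":
    for line in anonymize_capture(SAMPLE_LINES):
        print(line)
```

Note that because the mapping is stable, the same external host keeps the same fake address across the whole capture, so sessions remain traceable even though the real addresses are gone.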
Description of Simulated Attacks
The file called "baseline" contains the network traffic
that was collected while no simulated attack activity was taking place. It can
be used as a baseline. Four different attacks were simulated on the Enterprise
LAN, with each attack corresponding to a file containing the network traffic
collected during that attack. They are called respectively network1, network2,
network3, and network4.
These datasets were compressed using the UNIX utility "gzip". The compressed files are
about 10% the size of the original ASCII files and can be uncompressed by running
the program "gunzip" on UNIX (MS Windows® users may want to use
WinZip).
Well known tcp/udp port addresses for the non-network experts.
Copyright ©1996-2001 by the Institute for Visualization
and Perception Research. All rights reserved.
Please send comments and/or questions to Dr. Georges Grinstein.
Last update: April 4, 2001