Introducing UWF-ZeekData22: A Comprehensive Network Traffic Dataset Based on the MITRE ATT&CK Framework

• Published in: Data (Basel) Vol. 8; no. 1; p. 18
• Main Authors: Bagui, Sikha S., Mink, Dustin, Bagui, Subhash C., Ghosh, Tirthankar, Plenkers, Russel, McElroy, Tom, Dulaney, Stephan, Shabanali, Sajida
• Format: Journal Article
• Language: English
• Published: Basel MDPI AG 01.01.2023
• Subjects: Big Data; Communications traffic; Computer centers; Cybercrime; Cybersecurity; Datasets; Infrastructure; Internet service providers; Linux; Malware; Onions; Operating systems; Security; Servers; Software; Virtual environments
• ISSN: 2306-5729; 2306-5729
• DOI: 10.3390/data8010018

With the rapid rate at which networking technologies are changing, there is a need to regularly update network activity datasets to accurately reflect the current state of network infrastructure/traffic. The uniqueness of this work was that this was the first network dataset collected using Zeek and labelled using the MITRE ATT&CK framework. In addition to identifying attack traffic, the MITRE ATT&CK framework allows for the detection of adversary behavior leading to an attack. It can also be used to develop user profiles of groups intending to perform attacks. This paper also outlined how both the cyber range and hadoop’s big data platform were used for creating this network traffic data repository. The data was collected using Security Onion in two formats: Zeek and PCAPs. Mission logs, which contained the MITRE ATT&CK data, were used to label the network attack data. The data was transferred daily from the Security Onion virtual machine running on a cyber range to the big-data platform, Hadoop’s distributed file system. This dataset, UWF-ZeekData22, is publicly available at datasets.uwf.edu.