A Labeled Data Set for Flow-Based Intrusion Detection

  • Anna Sperotto
  • Ramin Sadre
  • Frank van Vliet
  • Aiko Pras
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5843)


Flow-based intrusion detection has recently become a promising security mechanism in high speed networks (1-10 Gbps). Despite the richness in contributions in this field, benchmarking of flow-based IDS is still an open issue. In this paper, we propose the first publicly available, labeled data set for flow-based intrusion detection. The data set aims to be realistic, i.e., representative of real traffic and complete from a labeling perspective. Our goal is to provide such enriched data set for tuning, training and evaluating ID systems. Our setup is based on a honeypot running widely deployed services and directly connected to the Internet, ensuring attack-exposure. The final data set consists of 14.2M flows and more than 98% of them has been labeled.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    CERT Coordination Center (January 2009),
  2. 2.
    Mell, P., Hu, V., Lippmann, R., Haines, J., Zissman, M.: An overview of issues in testing intrusion detection systems. Technical Report NIST IR 7007, National Insititute of Standards and Technology (June 2003)Google Scholar
  3. 3.
    Lippmann, R., Fried, D., Graf, I., Haines, J., Kendall, K., McClung, D., Weber, D., Wyschogrod, D., Cunningham, R., Zissman, M.: Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. In: Proc. of the DARPA Information Survivability Conf. and Exposition, DISCEX 2000 (2000)Google Scholar
  4. 4.
    Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks 34 (2000)Google Scholar
  5. 5.
    Haines, J., Lippmann, R., Fried, D., Zissman, M., Tran, E., Boswell, S.: 1999 DARPA Intrusion Detection Evaluation: Design and Procedures. Technical Report TR 1062, MIT Lincoln Laboratory (February 2001)Google Scholar
  6. 6.
    Quittek, J., Zseby, T., Claise, B., Zander, S.: Requirements for IP Flow Information Export (IPFIX). RFC 3917 (Informational)Google Scholar
  7. 7.
    Lakhina, A., Crovella, M., Doit, C.: Characterization of network-wide anomalies in traffic flows. In: Proc. of 4th ACM SIGCOMM Conf. on Internet measurement, IMC 2004 (2004)Google Scholar
  8. 8.
    Sperotto, A., Sadre, R., Pras, A.: Anomaly characterization in flow-based traffic time series. In: Akar, N., Pioro, M., Skianis, C. (eds.) IPOM 2008. LNCS, vol. 5275, pp. 15–27. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  9. 9.
    Strayer, W., Lapsely, D., Walsh, R., Livadas, C.: Botnet Detection Based on Network Behavior. Advances in Information Security, vol. 36 (2008)Google Scholar
  10. 10.
    Ringberg, H., Soule, A., Rexford, J.: Webclass: adding rigor to manual labeling of traffic anomalies. In: SIGCOMM Computer Communication Review, vol. 38(1) (2008)Google Scholar
  11. 11.
    Ringberg, H., Roughan, M., Rexford, J.: The need for simulation in evaluating anomaly detectors. In: SIGCOMM Computer Communication Review, vol. 38(1) (2008)Google Scholar
  12. 12.
    Sommers, J., Yegneswaran, V., Barford, P.: A framework for malicious workload generation. In: Proc. of the 4th ACM SIGCOMM Conf. on Internet measurement, IMC 2004 (2004)Google Scholar
  13. 13.
    Brauckhoff, D., Wagner, A., Mays, M.: Flame: a flow-level anomaly modeling engine. In: Proc. of the Conf. on Cyber security experimentation and test, CSET 2008 (2008)Google Scholar
  14. 14.
    Pouget, F., Dacier, M.: Honeypot-based forensics. In: Asia Pacific Information technology Security Conference (AusCERT 2004) (May 2004)Google Scholar
  15. 15.
    5, C.X.: (April 2009),
  16. 16.
  17. 17.
  18. 18.
  19. 19.
    Moore, D., Shannon, C., Brown, D., Voelker, G., Savage, S.: Inferring internet denial-of-service activity. ACM Trans. Comput. Syst. 24(2) (2006)Google Scholar
  20. 20.
    Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of internet background radiation. In: Proc. of the 4th ACM SIGCOMM Conf. on Internet measurement, IMC 2004 (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Anna Sperotto
    • 1
  • Ramin Sadre
    • 1
  • Frank van Vliet
    • 1
  • Aiko Pras
    • 1
  1. 1.Centre for Telematics and Information Technology Faculty of Electrical Engineering, Mathematics and Computer ScienceUniversity of TwenteEnschedeThe Netherlands

Personalised recommendations