Toward Instrumenting Network Warfare Competitions to Generate Labeled Datasets

14 September 2010 - Update:
Due to time constraints and technical hurdles, there are no data sets for CDX 2010. Plans are currently underway for capturing data from the CDX 2011 exercise. Please feel free to leave comments/suggestions/requests on our blog (linked below).

B. Sangster, T.J. O'Connor, T. Cook, R. Fanelli, E. Dean, J. Adams, C. Morrell, and G. Conti; "Toward Instrumenting Network Warfare Competitions to Generate Labeled Datasets;" USENIX Security's Workshop on Cyber Security Experimentation and Test (CSET); August 2009.



In this paper we demonstrate that network warfare competitions can be instrumented to generate modern labeled datasets. Below, we have archived both data capture and log files from the 2009 Inter-Service Academy Cyber Defense Competition. The annual competition pits the service academies, including West Point, against an actual National Security Agency Red Team. We release these data and log files in order to augment existing datasets to help develop better methods for detecting intrusions and attacks against our critical network infrastructure.

Acknowledgements

We would like to thank the following for their support, helpful ideas, and feedback: Army Research Labs, Michael Collins, Robert Cunningham, Carrie Gates, FLOCON, Richard Lippmann, Lisa Marvel, MIT Lincoln Labs, John McHugh, NSA, and Tamara Yu.

Permission

The National Security Agency permitted both the recording and release of the following datasets.

Datasets for the Research Community Blog

If you would like to provide feedback on the 2009 Inter-Service Academy Cyber Defense Exercise datasets, or would like to provide comments or suggestions for upcoming data captures engineered by the ITOC, please visit our blog.

Network Diagram (Pre-CDX 2009)

To help users of our dataset correlate IP addresses found in the PCAP files with hosts on the internal USMA network, we are including a link to the planning document used just prior to the execution of CDX 2009 (NOTE: USMA utilized network address translation). Keep in mind this was a planning document; changes may have been made to the USMA network that were not annotated on it. We hope to have the actual router configuration files uploaded to the website within the next week.

Pre-CDX 2009 Network Diagram (USMA Internal Network)

Data Capture from National Security Agency (NSA)

Data Capture Outside West Point Network Border

** Note - The exercise directive had the service academies change the clocks forward to Nov-08 2011 on the first day of the exercise. All timestamps in the log files reflect the date change. The actual time of day on the clocks remained the same.

Snort Intrusion Detection Log: from 0700-Nov-08 to 1600-Nov-11 (Entire Exercise)

Domain Name Service Logs: from 0700-Nov-08 to 1600-Nov-11 (Entire Exercise)

Web Server Logs: 24-Hour Logs from 1600-Nov-10 to 1600-Nov-11 (Final Day of Exercise)

Our personal favorite:

Nov 11 09:36:55 www logger: 10.2.27.218 - - [11/Nov/2011:09:36:55 -0500] "GET /redteamsayshiplzblockmeagainandagainandagainandagain HTTP/1.0" 302 261

Log Server Aggregate Log: from 0700-Nov-11 to 1600-Nov-11 (Final Day of Exercise)
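As an added example (not part of the original page or of any dataset tooling), a small Python parser for web server log lines in the syslog-wrapped Apache format shown above, which also maps the shifted Nov-2011 timestamps onto exercise days. The second sample line is constructed, and the exercise-day mapping assumes day 1 is the Nov-08 2011 date the clocks were set to.

```python
import re
from collections import Counter
from datetime import datetime, date

# Constructed sample in the format shown on this page: a syslog line from the log
# server ("www logger:") wrapping an Apache common-log entry. The second line is
# made up for illustration.
SAMPLE_LOG = (
    'Nov 11 09:36:55 www logger: 10.2.27.218 - -[11/Nov/2011:09:36:55 -0500] '
    '"GET /redteamsayshiplzblockmeagainandagainandagainandagain HTTP/1.0" 302 261\n'
    'Nov 11 09:37:02 www logger: 10.2.27.218 - - [11/Nov/2011:09:37:02 -0500] '
    '"GET /index.html HTTP/1.1" 200 1043\n'
)

# Syslog prefix (no year), then the Apache common-log fields. The space before "["
# is optional because the page's own sample line omits it.
LINE_RE = re.compile(
    r'^(?P<syslog_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): '
    r'(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) ?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

EXERCISE_START = date(2011, 11, 8)  # assumption: day 1 = the Nov-08 2011 date set on the clocks

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Use the Apache timestamp: it carries the year and UTC offset; the syslog one does not.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec

def exercise_day(ts):
    """Map a (shifted) timestamp to the exercise day: 1 = Nov-08 ... 4 = Nov-11."""
    return (ts.date() - EXERCISE_START).days + 1

def status_by_client(text):
    """Count (client, status) pairs over a log text; unparsable lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["client"], rec["status"])] += 1
    return counts
```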


CONTACT INFO

Please contact MAJ Benjamin Sangster (benjamin [dot] sangster [at] usma [dot] edu) for any further details about the enclosed datasets and logs.