SDN Evaluation Dataset (InSDN)

a. Copyright

This InSDN dataset (Insdndatast, http://iotseclab.ucd.ie/datasets/SDN/) is open access and available to all researchers. It is licensed under the Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license. If you use this dataset, please cite the following paper:

Mahmoud Said Elsayed, Nhien-An Le-Khac and Anca Jurcut, "InSDN: SDN Intrusion Dataset", IEEE Access Journal (in submission), 2020.

b. Dataset brief description

InSDN is a comprehensive Software-Defined Network (SDN) dataset for intrusion detection system evaluation. The dataset includes benign traffic and various attack categories that can occur in different elements of the SDN standard. InSDN considers different attacks, including DoS, DDoS, brute force attack, web application attacks, exploitation, probe, and botnet. Furthermore, the normal traffic in the generated data covers various popular application services such as HTTPS, HTTP, SSL, DNS, Email, FTP, SSH, etc.

The dataset was generated using four virtual machines (VMs):

1. A Kali Linux machine, which represents the attacker server.
2. An Ubuntu 16.4 machine, which acts as the ONOS controller.
3. An Ubuntu 16.4 machine, which hosts Mininet and the OVS switch.
4. A Linux machine based on Metasploitable 2, which provides vulnerable services for demonstrating common vulnerabilities.

Furthermore, we created four virtual hosts (Vhosts) using the Mininet tool. The first two Vhosts (h1 and h2) generate malicious traffic, h3 represents normal activity, and h4 acts as a simple web server. We also deployed a Damn Vulnerable Web Application (DVWA) server in a Docker container on the same OVS machine. Additionally, we considered attack scenarios from different sources, coming from both outside and inside the SDN network.

c. Dataset structure

We divided the dataset into three groups based on the traffic types and the target machines. The first group includes the normal traffic only. The second group contains the attack traffic that targets the Metasploitable 2 server. The last group covers the attacks on the OVS machine. We captured the traffic traces for each category at the target machine and simultaneously at the SDN controller interface. The traffic was captured using Wireshark, and all captured files are in PCAP format.

Benign traffic: This group contains the normal traffic only, divided into 10 directories. The total size of the normal data is 3.58 GB.

Metsplotable-2_Group: Contains the captured traffic that targets the Metasploitable 2 server. The total size of this group is 669 MB, distributed over five directories, which represent five different attack classes, i.e., DoS, DDoS, Exploit, probe, and brute force.

OVS_Group: Represents the attack records inside the OVS server. It contains six directories, which include the traffic data for botnet, brute force attack, DoS, DDoS, web attack and probe attack. The total size of this group is 1.21 GB.

Furthermore, we extracted the flow features for the proposed dataset using CICFlowMeter [1][2]. CICFlowMeter was developed by the Canadian Institute of Cybersecurity team and is written in Java; it creates network traffic flows from a PCAP file. The generated flows are bidirectional, where the first packet in the flow determines the flow direction (forward or backward). The output of CICFlowMeter is a CSV file with more than 80 statistical features, such as Protocol, Duration, Number of bytes, Number of packets, etc. The list of extracted features and their descriptions is given in [3]. For labelling, we used feature information such as Source IP and Destination IP. The total number of dataset instances is 343,939 for normal and attack traffic.
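
The bidirectional flow construction and IP-based labelling described above, as an added Python example that is not part of the dataset or CICFlowMeter's own code. The packets, addresses, field names and the address-to-label map are constructed for illustration, and the example assumes one flow per 5-tuple with no flow timeout.

```python
# Constructed packets: (timestamp_s, src_ip, src_port, dst_ip, dst_port, protocol, length_bytes)
PACKETS = [
    (0.00, "10.0.0.1", 40000, "10.0.0.4", 80, 6, 60),
    (0.01, "10.0.0.4", 80, "10.0.0.1", 40000, 6, 60),
    (0.02, "10.0.0.1", 40000, "10.0.0.4", 80, 6, 400),
    (0.05, "10.0.0.3", 51000, "10.0.0.4", 80, 6, 60),
    (0.06, "10.0.0.4", 80, "10.0.0.3", 51000, 6, 1500),
    (0.09, "10.0.0.4", 80, "10.0.0.1", 40000, 6, 900),
]
# Hypothetical map from a known attacking host address to its attack class.
ATTACKER_IPS = {"10.0.0.1": "DoS"}


def build_flows(packets):
    """Group packets into bidirectional flows; the first packet seen sets 'forward'."""
    flows = {}
    for ts, sip, sport, dip, dport, proto, length in sorted(packets):
        key = (sip, sport, dip, dport, proto)
        rev = (dip, dport, sip, sport, proto)
        if key in flows:
            direction = "fwd"
        elif rev in flows:
            # Reply traffic joins the flow opened by the other endpoint.
            key, direction = rev, "bwd"
        else:
            flows[key] = {"src_ip": sip, "dst_ip": dip, "protocol": proto,
                          "start": ts, "end": ts,
                          "fwd_pkts": 0, "bwd_pkts": 0, "fwd_bytes": 0, "bwd_bytes": 0}
            direction = "fwd"
        flow = flows[key]
        flow[direction + "_pkts"] += 1
        flow[direction + "_bytes"] += length
        flow["end"] = ts
    return list(flows.values())


def label_flows(flows, labelled_ips):
    """Label a flow by its source or destination IP; unmatched flows are 'Normal'."""
    rows = []
    for flow in flows:
        label = labelled_ips.get(flow["src_ip"]) or labelled_ips.get(flow["dst_ip"]) or "Normal"
        rows.append({**flow, "duration": flow["end"] - flow["start"], "label": label})
    return rows


if __name__ == "__main__":
    for row in label_flows(build_flows(PACKETS), ATTACKER_IPS):
        print(row)
```
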

Of the 343,939 instances in total, normal data accounts for 68424 and attack traffic for 275,515. The CSV files contain the data records for the three groups above. The number of records in each group is as follows:

Normal_data.csv: The total number of instance records is 68424, which represents 20% of the total data records.

OVS.csv: The total number of records for OVS group data is 136743 (39.76%)
1. DoS, 52471
2. DDoS, 48413
3. Probe, 36372
4. brute-force-attack, 1110
5. Web_attack, 192
6. Botnet, 164

metasploitable-2.csv: The total number of records for OVS group data is 138772 (40.34%)
1. DoS, 1145
2. DDoS, 73529
3. Probe, 61757
4. brute-force-attack, 295
5. Exploitation (R2L), 17

==============================================================

d. Relevant paper

Mahmoud Said Elsayed, Nhien-An Le-Khac and Anca Jurcut, "InSDN: SDN Intrusion Dataset", IEEE Access Journal (in submission), 2020.

References

[1] A. H. Lashkari, G. Draper-Gil, M. S. I. Mamun, and A. A. Ghorbani, "Characterization of tor traffic using time based features," in ICISSP, 2017, pp. 253–262.
[2] G. Draper-Gil, A. H. Lashkari, M. S. I. Mamun, and A. A. Ghorbani, "Characterization of encrypted and vpn traffic using time-related," in Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP), 2016, pp. 407–414.
[3] "Cicflowmeter, 2017," http://www.netflowmeter.ca/netflowmeter.html/, Accessed 13 Feb 2020.