Dataset Open Access

Traffic and Log Data Captured During a Cyber Defense Exercise

Daniel Tovarňák; Stanislav Špaček; Jan Vykopal

This dataset was acquired during Cyber Czech – a hands-on cyber defense exercise (Red Team/Blue Team) held in March 2019 at Masaryk University, Brno, Czech Republic. Network traffic flows and a wide variety of event logs were captured in an exercise network deployed in the KYPO Cyber Range Platform.

Contents

The dataset covers two distinct time intervals, which correspond to the official schedule of the exercise. The timestamps provided below are in the ISO 8601 date format. 

  • Day 1, March 19, 2019 
    • Start: 2019-03-19T11:00:00.000000+01:00 
    • End: 2019-03-19T18:00:00.000000+01:00 
  • Day 2, March 20, 2019 
    • Start: 2019-03-20T08:00:00.000000+01:00 
    • End: 2019-03-20T15:30:00.000000+01:00 
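The two intervals above can be used to check whether a given event falls inside the official exercise schedule. The following is a minimal sketch in Python using only the standard library; the function name `exercise_day` is hypothetical, and treating both interval endpoints as inclusive is an assumption, not something the dataset description states.

```python
from datetime import datetime

# Exercise windows copied verbatim from the schedule above (ISO 8601, UTC+01:00).
EXERCISE_WINDOWS = [
    ("2019-03-19T11:00:00.000000+01:00", "2019-03-19T18:00:00.000000+01:00"),
    ("2019-03-20T08:00:00.000000+01:00", "2019-03-20T15:30:00.000000+01:00"),
]

# Parse once into timezone-aware datetime objects.
WINDOWS = [
    (datetime.fromisoformat(start), datetime.fromisoformat(end))
    for start, end in EXERCISE_WINDOWS
]


def exercise_day(timestamp):
    """Return 1 or 2 if the timestamp lies within that day's window, else None.

    The timestamp must carry a UTC offset; comparing a naive datetime with
    the timezone-aware windows would raise TypeError.
    Assumption: both endpoints of each window are treated as inclusive.
    """
    ts = datetime.fromisoformat(timestamp)
    for day, (start, end) in enumerate(WINDOWS, start=1):
        if start <= ts <= end:
            return day
    return None
```

Because the comparison is done on timezone-aware values, a timestamp expressed in another offset (for example `+00:00`) is matched against the windows correctly.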

The captured data were normalized into three distinct event types and stored as structured JSON. The entries are sorted by timestamp, which represents the time at which they were observed. Each event type includes a raw payload ready for further processing and analysis. The event types and their corresponding data files are described below.

  • cz.muni.csirt.IPFlowEntry.tgz – an archive of IPFIX traffic flows enriched with an additional payload of parsed application protocols in raw JSON. 
  • cz.muni.csirt.SyslogEntry.tgz – an archive of Linux Syslog entries with the payload of corresponding text-based log messages. 
  • cz.muni.csirt.WinlogEntry.tgz – an archive of Windows Event Log entries with the payload of original events in raw XML. 

Each archive listed above includes a directory of the same name with the following four files, ready to be processed. 

  • data.json.gz – the actual data entries in a single gzipped JSON file. 
  • dictionary.yml – data dictionary for the entries. 
  • schema.ddl – data schema for Apache Spark analytics engine. 
  • schema.jsch – JSON schema for the entries. 
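Since the largest archive is over 150 MB compressed, it may be preferable to stream data.json.gz rather than load it whole. The sketch below assumes that the file holds one JSON object per line (newline-delimited JSON); the description above does not state this, so it should be checked against dictionary.yml and schema.jsch first. The function name `iter_entries` and the example path are hypothetical.

```python
import gzip
import json


def iter_entries(source):
    """Yield one decoded entry at a time from a gzipped JSON file.

    `source` may be a file path or a binary file object.
    Assumption: the file is newline-delimited JSON (one object per line).
    """
    with gzip.open(source, mode="rt", encoding="utf-8") as handle:
        for line in handle:
            line = line.strip()
            if line:  # skip blank lines, if any
                yield json.loads(line)


# Example usage (hypothetical path after extracting the archive):
# for entry in iter_entries("cz.muni.csirt.SyslogEntry/data.json.gz"):
#     print(entry)
#     break
```

Using a generator keeps memory use roughly constant regardless of file size, at the cost of a single forward pass over the data.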

Finally, the exercise network topology is described in the machine-readable NetJSON format. It is part of the auxiliary-material.tgz archive, which contains the following files. 

  • global-gateway-config.json – the network configuration of the global gateway in the NetJSON format. 
  • global-gateway-routing.json – the routing configuration of the global gateway in the NetJSON format. 
  • redteam-attack-schedule.{csv,odt} – the schedule of the Red Team attacks in CSV and ODT format. Source for Table 2. 
  • redteam-reserved-ip-ranges.{csv,odt} – the list of IP segments reserved for the Red Team in CSV and ODT format. Source for Table 1.  
  • topology.{json,pdf,png} – the topology of the complete Cyber Czech exercise network in the NetJSON, PDF and PNG format. 
  • topology-small.{pdf,png} – simplified topology in the PDF and PNG format. Source for Figure 1. 
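As an illustration of how the machine-readable topology might be consumed, the sketch below builds an adjacency map from a NetJSON document. It assumes that topology.json is a NetJSON NetworkGraph object (with `nodes` carrying an `id` and `links` carrying `source` and `target`), and it treats links as undirected; neither point is confirmed by the description above. The function names are hypothetical.

```python
import json


def build_adjacency(netjson):
    """Map each node id to the set of node ids it is linked to.

    Assumptions: the document is a NetJSON NetworkGraph object, and links
    are treated as undirected for the purpose of this sketch.
    """
    if netjson.get("type") != "NetworkGraph":
        raise ValueError("expected a NetJSON NetworkGraph object")
    adjacency = {node["id"]: set() for node in netjson.get("nodes", [])}
    for link in netjson.get("links", []):
        adjacency.setdefault(link["source"], set()).add(link["target"])
        adjacency.setdefault(link["target"], set()).add(link["source"])
    return adjacency


def load_topology(path):
    """Read a NetJSON file from disk and return its adjacency map."""
    with open(path, encoding="utf-8") as handle:
        return build_adjacency(json.load(handle))


# Example usage (hypothetical path after extracting auxiliary-material.tgz):
# adjacency = load_topology("auxiliary-material/topology.json")
```

If the file turns out to be a different NetJSON object type, such as a NetworkCollection, the type check raises an error instead of silently returning an empty map.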

 

This research was supported by ERDF "CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence" (No. CZ.02.1.01/0.0/0.0/16_019/0000822).

The Cyber Czech exercise series was designed, developed and carried out in cooperation with the National Cyber and Information Security Agency (NCISA), the central body of Czech state administration for cybersecurity.

Files (274.5 MB)

  • auxiliary-material.tgz – 2.0 MB, md5:f4fc4a5aa68f02a11a06310dfd6f337e 
  • cz.muni.csirt.IPFlowEntry.tgz – 41.9 MB, md5:e7719918e107812f97a6e9846ad7fe45 
  • cz.muni.csirt.SyslogEntry.tgz – 157.4 MB, md5:ba4f6c0ff89b12427ca38e7361753311 
  • cz.muni.csirt.WinlogEntry.tgz – 73.1 MB, md5:15a57cf0aa84bd5cb8cb2032dfe69a1d 
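
The MD5 checksums listed for the files can be used to confirm that a download completed intact. The following is a minimal sketch using Python's standard `hashlib` module; the helper names `md5_of_stream` and `verify_download` are hypothetical, and the check assumes the archives are stored locally under their original file names.

```python
import hashlib
import os

# Checksums copied from the file listing of this record.
EXPECTED_MD5 = {
    "auxiliary-material.tgz": "f4fc4a5aa68f02a11a06310dfd6f337e",
    "cz.muni.csirt.IPFlowEntry.tgz": "e7719918e107812f97a6e9846ad7fe45",
    "cz.muni.csirt.SyslogEntry.tgz": "ba4f6c0ff89b12427ca38e7361753311",
    "cz.muni.csirt.WinlogEntry.tgz": "15a57cf0aa84bd5cb8cb2032dfe69a1d",
}


def md5_of_stream(stream, chunk_size=1 << 20):
    """Return the hex MD5 digest of a binary stream, read in chunks."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_download(path):
    """Return True if the file at `path` matches its listed checksum.

    Assumption: the local file keeps its original name, which is used to
    look up the expected digest.
    """
    expected = EXPECTED_MD5[os.path.basename(path)]
    with open(path, "rb") as handle:
        return md5_of_stream(handle) == expected


# Example usage (hypothetical local path):
# print(verify_download("downloads/cz.muni.csirt.SyslogEntry.tgz"))
```

Reading in fixed-size chunks avoids holding a whole archive in memory. MD5 is adequate here for detecting transfer corruption, although it is not a safeguard against deliberate tampering.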