Dataset Open Access
This is a dataset of 63 PANDA traces, collected using the PANDAcap framework. The dataset aims to offer a starting point for the analysis of ssh brute force attacks. The traces were collected through the course of approximately 3 days from 21 to 23 February 2020. A VM was configured using PANDAcap so that it accepts all passwords for user
root. When an ssh session starts for the user, PANDA is signaled by the recctrl plugin to start recording for 30'.
You can read more details about the experimental setup and an overview of the dataset EuroSec 2020 publication:
Manolis Stamatogiannakis, Herbert Bos, and Paul Groth. PANDAcap: A Framework for Streamlining Collection of Full-System Traces. In Proceedings of the 13th European Workshop on Systems Security, EuroSec '20, Heraklion, Greece, April 2020. doi: 10.1145/3380786.3391396, preprint: vusec.net
The dataset is split in 3 zip files/directories:
ubuntu16-planb.qcow2) used to create the dataset, as well as the disk deltas for the 63 traces. These can be mounted to inspect the contents of the filesystem before and after each session. and disk deltas for the 63 traces. Quick instructions on how to mount and inspect a QCOW image can be found below.
Additionally, we provide the PANDA linux kernel profile
ubuntu16-planb-kernelinfo.conf, which can be used to analyze the traces using the PANDA osi_linux plugin.
for f in *.tar.gz; do tar -zxvf "$f" --exclude=PANDArr --xform='s%/%-%' --xform='s%-metadata%%' rm -f "$f" done