Published April 13, 2021 | Version 1.0.0
Dataset Open

A Week-Long Capture Of 8 Million Intrusion Detection Alerts Obtained Via an Alert Sharing Platform Warden

Creators

  • Cesnet

Description

The dataset contains intrusion detection alerts obtained via the alert sharing platform Warden for 7 consecutive days, from 2021-01-11 to 2021-01-17. The alerts are stored in the Intrusion Detection Extensible Alert (IDEA) format and are serialized as JSON (one JSON-encoded item per line).

The dataset consists of almost 8 million alerts. The alerts are collected from nearly 30 detection systems, such as network behavioral analysis systems, honeypots, intrusion detection systems and similar data sources deployed in 5 large distinct organizations: national research and education network (NREN), two universities with large campus networks, a midsize cybersecurity vendor and an Internet service provider (ISP).

Alerts are anonymized by altering all information that could lead to the identification of the alert sources or targets. Sources are anonymized to protect the attackers' privacy. Targets are anonymized to hide the affected critical parts of the infrastructure (alert targets might be honeypots or other types of traps). IP addresses and networks are anonymized using the Prefix-Preserving IP Address Anonymization (Crypto-PAn) method [1]. Other identifiers are removed.
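To show how alerts in the layout described above can be consumed, here is an added example that is not part of the dataset or of Warden's own tooling: it loads IDEA0 JSON-lines records, skips lines that are not valid alerts, and counts alerts per detection day and category and per reporting node. The three alerts, the node names and the example-range IP addresses are constructed; the field names follow the IDEA0 format.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample in the dataset's layout: one IDEA0 alert per line.
# The IPs are documentation-range addresses standing in for the
# Crypto-PAn-anonymized ones in the real data; one line is deliberately broken.
SAMPLE_JSONL = """\
{"Format": "IDEA0", "ID": "a1", "DetectTime": "2021-01-11T03:12:45Z", "Category": ["Recon.Scanning"], "Node": [{"Name": "org.example.hp1", "Type": ["Honeypot"]}], "Source": [{"IP4": ["198.51.100.7"], "Proto": ["tcp"]}], "Target": [{"Port": [22]}]}
{"Format": "IDEA0", "ID": "a2", "DetectTime": "2021-01-11T17:40:02Z", "Category": ["Attempt.Login"], "Node": [{"Name": "org.example.hp1", "Type": ["Honeypot"]}], "Source": [{"IP4": ["198.51.100.7"]}], "Target": [{"Port": [22]}]}
this line is not JSON and must be skipped rather than abort the load
{"Format": "IDEA0", "ID": "a3", "DetectTime": "2021-01-12T09:05:10Z", "Category": ["Recon.Scanning", "Attempt.Exploit"], "Node": [{"Name": "org.example.nba", "Type": ["Flow", "Statistical"]}], "Source": [{"IP4": ["203.0.113.9"]}]}
"""


def parse_idea_lines(text):
    """Return the IDEA0 alerts found in JSON-lines text, skipping blank lines,
    unparsable lines and objects that do not declare the IDEA0 format."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and obj.get("Format") == "IDEA0":
            alerts.append(obj)
    return alerts


def summarize(alerts):
    """Count alerts per (detection day, category) and per reporting node name.
    An alert that carries several categories is counted once under each."""
    by_day_cat = Counter()
    by_node = Counter()
    for alert in alerts:
        # DetectTime is ISO 8601; a trailing "Z" is mapped to "+00:00" so that
        # datetime.fromisoformat accepts it on Python versions before 3.11.
        stamp = alert["DetectTime"].replace("Z", "+00:00")
        day = datetime.fromisoformat(stamp).date().isoformat()
        for category in alert.get("Category", []):
            by_day_cat[(day, category)] += 1
        for node in alert.get("Node", []):
            by_node[node.get("Name", "<unnamed>")] += 1
    return by_day_cat, by_node


if __name__ == "__main__":
    by_day_cat, by_node = summarize(parse_idea_lines(SAMPLE_JSONL))
    for (day, category), count in sorted(by_day_cat.items()):
        print(f"{day} {category:<18} {count}")
    print(dict(by_node))
```

For the real 634 MB file, replace SAMPLE_JSONL with the contents read line by line from disk; the per-line parsing keeps memory bounded to the counters.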


[1] Xu, Jun, et al. "Prefix-preserving IP address anonymization: Measurement-based security evaluation and a new cryptography-based scheme."

Files (634.4 MB)

  • md5:f3ba33f2cdcccc9c56f9294e25b6bf1f (79 Bytes)
  • md5:01876aa4999ce752e6fc9a557d987cd1 (634.4 MB)