CESNET-TLS22: a large dataset for fine-grained classification of TLS services
Description
Please refer to the original article for further data description: Jan Luxemburk et al. Fine-grained TLS services classification with reject option, Computer Networks, 2023, 109467, ISSN 1389-1286, https://doi.org/10.1016/j.comnet.2022.109467
The recent success and proliferation of machine learning and deep learning have provided powerful tools, which are also utilized for encrypted traffic analysis, classification, and threat detection. These methods, neural networks in particular, are often complex and require a huge corpus of training data. Moreover, because most of the network traffic is being encrypted, the traditional deep-packet-inspecting (DPI) solutions are becoming obsolete, and there is an urgent need for modern classification methods capable of analyzing encrypted traffic. These methods have to forgo the packet’s opaque payload and focus on flow statistics and packet metadata sequences like packet sizes, directions, and inter-arrival times. The classification can be further extended with the task of “rejecting” unknown traffic, i.e., the traffic not seen during the training phase. This makes the problem more challenging, and neural networks offer superior performance for tackling this problem. When the factors of (1) the hardness of classification of encrypted traffic with unknown traffic detection and (2) the neural networks’ inherent need for large datasets are combined, the requirement for a rich, large, and up-to-date dataset is even stronger.
Therefore, we created a large dataset spanning two weeks, consisting of 141 million network flows, and having 191 fine-grained service labels. The dataset is intended as a benchmark for the task of identification of services in encrypted traffic with the detection of unknown services.
Data capture The data was captured in the flow monitoring infrastructure of the CESNET2 network. The capturing was done for two weeks between 4.10.2021 and 17.10.2021. The following table provides per-week flow count, capture period, and uncompressed size:
Name | Uncompressed Size | Capture Period | Flows |
---|---|---|---|
W-2021-40 | 22 GB | 4.10.2021 - 10.10.2021 | 73.2M |
W-2021-41 | 20 GB | 11.10.2021 - 17.10.2021 | 68.5M |
CESNET-TLS22 | 42 GB | 4.10.2021 - 17.10.2021 | 141.7M |
Dataset structure The dataset flows are delivered in compressed CSV files, which contain one flow per row. For each flow data file, there is a JSON file with the number of saved flows per service. There is also the stats-week.json file aggregating flow counts of a whole week and the stats-dataset.json file aggregating flow counts for the entire dataset. The following table describes flow data fields in CSV files:
Column Name | Column Description |
---|---|
ID | Unique identifier |
BYTES | Number of transmitted bytes from client to server |
BYTES_REV | Number of transmitted bytes from server to client |
PACKETS | Number of packets transmitted from client to server |
PACKETS_REV | Number of packets transmitted from server to client |
DURATION | Duration of the flow in seconds |
PPI | Packet metadata sequence in the format: [[inter-packet times], [packet directions], [packet sizes]] |
PPI_LEN | Number of packets in the PPI sequence |
PPI_DURATION | Duration of the PPI sequence in seconds |
PPI_ROUNDTRIPS | Number of roundtrips in the PPI sequence |
APP | Web service label |
CATEGORY | Service category |
TCP_FLAGS | TCP flags sent from client to server |
TCP_FLAGS_REV | TCP flags sent from server to client |
FLAG_CWR | Presence of the CWR flag |
FLAG_CWR_REV | Presence of the CWR flag in the reverse direction |
FLAG_ECE | Presence of the ECE flag |
FLAG_ECE_REV | Presence of the ECE flag in the reverse direction |
FLAG_URG | Presence of the URG flag |
FLAG_URG_REV | Presence of the URG flag in the reverse direction |
FLAG_ACK | Presence of the ACK flag |
FLAG_ACK_REV | Presence of the ACK flag in the reverse direction |
FLAG_PSH | Presence of the PSH flag |
FLAG_PSH_REV | Presence of the PSH flag in the reverse direction |
FLAG_RST | Presence of the RST flag |
FLAG_RST_REV | Presence of the RST flag in the reverse direction |
FLAG_SYN | Presence of the SYN flag |
FLAG_SYN_REV | Presence of the SYN flag in the reverse direction |
FLAG_FIN | Presence of the FIN flag |
FLAG_FIN_REV | Presence of the FIN flag in the reverse direction |
Link to other CESNET datasets
Please cite the original article:
@article{luxemburk_fine-grained-tls_2023,
author = {Jan Luxemburk and Tomáš Čejka},
title = {Fine-grained TLS services classification with reject option},
journal = {Computer Networks},
volume = {220},
pages = {109467},
year = {2023},
issn = {1389-1286},
doi = {https://doi.org/10.1016/j.comnet.2022.109467},
url = {https://www.sciencedirect.com/science/article/pii/S1389128622005011}
}
Notes
Files
cesnet-tls22.zip
Files
(9.5 GB)
Name | Size | Download all |
---|---|---|
md5:5b15a7543ef71c3e64efde5d5cf08e08
|
9.5 GB | Preview Download |