Published April 15, 2020 | Version 1.0.0
Dataset Open

Traffic and Log Data Captured During a Cyber Defense Exercise

  • 1. Masarykova Univerzita, Brno, CZ


This dataset was acquired during Cyber Czech – a hands-on cyber defense exercise (Red Team/Blue Team) held in March 2019 at Masaryk University, Brno, Czech Republic. Network traffic flows and a high variety of event logs were captured in an exercise network deployed in the KYPO Cyber Range Platform.


The dataset covers two distinct time intervals, which correspond to the official schedule of the exercise. The timestamps provided below are in the ISO 8601 date format. 

  • Day 1, March 19, 2019 
    • Start: 2019-03-19T11:00:00.000000+01:00 
    • End: 2019-03-19T18:00:00.000000+01:00 
  • Day 2, March 20, 2019 
    • Start: 2019-03-20T08:00:00.000000+01:00 
    • End: 2019-03-20T15:30:00.000000+01:00 

The captured and collected data were normalized into three distinct event types and they are stored as structured JSON. The data are sorted by a timestamp, which represents the time they were observed. Each event type includes a raw payload ready for further processing and analysis. The description of the respective event types and the corresponding data files follows.  

  • cz.muni.csirt.IpfixEntry.tgz – an archive of IPFIX traffic flows enriched with an additional payload of parsed application protocols in raw JSON. 
  • cz.muni.csirt.SyslogEntry.tgz – an archive of Linux Syslog entries with the payload of corresponding text-based log messages. 
  • cz.muni.csirt.WinlogEntry.tgz – an archive of Windows Event Log entries with the payload of original events in raw XML. 

Each archive listed above includes a directory of the same name with the following four files, ready to be processed. 

  • data.json.gz – the actual data entries in a single gzipped JSON file. 
  • dictionary.yml – data dictionary for the entries. 
  • schema.ddl – data schema for Apache Spark analytics engine. 
  • schema.jsch – JSON schema for the entries. 

Finally, the exercise network topology is described in a machine-readable NetJSON format and it is a part of a set of auxiliary files archive – auxiliary-material.tgz – which includes the following. 

  • global-gateway-config.json – the network configuration of the global gateway in the NetJSON format. 
  • global-gateway-routing.json – the routing configuration of the global gateway in the NetJSON format. 
  • redteam-attack-schedule.{csv,odt} – the schedule of the Red Team attacks in CSV and ODT format. Source for Table 2. 
  • redteam-reserved-ip-ranges.{csv,odt} – the list of IP segments reserved for the Red Team in CSV and ODT format. Source for Table 1.  
  • topology.{json,pdf,png} – the topology of the complete Cyber Czech exercise network in the NetJSON, PDF and PNG format. 
  • topology-small.{pdf,png} – simplified topology in the PDF and PNG format. Source for Figure 1. 



This research was supported by ERDF "CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence" (No. CZ.02.1.01/0.0/0.0/16_019/0000822). | The Cyber Czech exercise series was designed, developed and carried out in cooperation with the National Cyber and Information Security Agency (NCISA), the central body of Czech state administration for cybersecurity.


Files (274.5 MB)

Name Size Download all
2.0 MB Download
41.9 MB Download
157.4 MB Download
73.1 MB Download

Additional details

Related works

Is referenced by
Journal article: 10.1016/j.dib.2020.105784 (DOI)