ID2T-toolkit: Intrusion Detection Dataset Toolkit
ID2T – Intrusion Detection Dataset Toolkit
A toolkit for injecting synthetic attacks into PCAP files.
As Intrusion Detection Systems encounter growing importance in the area of network security, the need for high-quality network datasets for evaluation against real-world attacks rises.
Comparability of the results must be ensured by the use of publicly available datasets. Existing datasets, however, suffer from several disadvantages. Often they do not provide ground truth knowledge, consist of outdated traffic and do not contain any payload because of privacy reasons. Moreover, frequently datasets do not contain the latest attacks and missing attack labels make it difficult to identify existing attacks and enable a transparent comparison of Intrusion Detection Systems.
The ID2T toolkit was first proposed in [1] and [2] and targets the injection of attacks into existing network datasets. At first, it analyzes a given dataset and collects statistics from it. These statistics are stored in a local database. Next, these statistics can be used to define attack parameters for the injection of one or multiple attacks. Finally, the application creates the required attack packets and injects them into the existing file. The result is a new PCAP with the injected attacks and a label file indicating the position (timestamps) of the first and last attack packet.
ID2T was also presented at Black Hat Europe 2017 as part of the Arsenal session.
Installation
git clone https://git.tk.informatik.tu-darmstadt.de/SPIN/ID2T-toolkit
./build.sh
Usage
Injecting an attack into an existing dataset
In the following we inject the PortscanAttack into the dataset pcap_capture.pcap:
./id2t -i /home/user/pcap_capture.pcap -a PortscanAttack ip.src=192.168.178.2 mac.src=32:08:24:DC:8D:27 inject.at-timestamp=1476301843
Explanation: The parameter -i/--input takes the path to the PCAP file. This triggers the statistics calculation of the file. After the calculation, the statistics are stored in an SQLite database. If the statistics were already computed in an earlier run, the data is retrieved from the generated database. This saves time as the calculation of the statistics may take a long time, depending on the PCAP file size.
An attack can be injected by providing -a/--attack followed by the attack name and the attack parameters. The available attacks and the allowed attack parameters vary; see the attack-specific wiki articles for a reference of supported attack parameters. The parameter -a/--attack can be provided multiple times for injection of multiple attacks. In this case, the attacks are injected sequentially.
After injecting the attack, the application generates an XML label file containing the timestamps of the first and last attack packet. The file name is equal to the output file, except with _labels.xml as a suffix. The toolkit recognizes if the input dataset has an associated label file. This requires a file naming according to the aforementioned scheme, e.g., mydataset.pcap and mydataset_labels.xml. In this case, ID2T parses the label file and the resulting output label file contains the labels from the input label file plus the labels from the recently added attack(s).
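The label handling described above, as an added example that is not ID2T's own code: it derives the label file name from a PCAP path, builds a label from the first and last timestamp of an injected attack's packets, and merges it with labels parsed from an existing label file. The XML layout and the sample values are assumptions constructed for this example; ID2T's actual schema is documented in its wiki.

```python
import os
import xml.etree.ElementTree as ET

def label_path_for(pcap_path):
    """mydataset.pcap -> mydataset_labels.xml (naming scheme from the README)."""
    base, _ext = os.path.splitext(pcap_path)
    return base + "_labels.xml"

def attack_label(name, packet_timestamps):
    """A label is the attack name plus the timestamps of its first and last packet."""
    if not packet_timestamps:
        raise ValueError("attack produced no packets, nothing to label")
    return {"name": name, "start": min(packet_timestamps), "end": max(packet_timestamps)}

def parse_labels(xml_text):
    """Read labels from the assumed <labels><label><name/><start/><end/></label>... layout."""
    root = ET.fromstring(xml_text)
    return [{"name": lab.findtext("name"),
             "start": float(lab.findtext("start")),
             "end": float(lab.findtext("end"))} for lab in root.findall("label")]

def merge_labels(existing, added):
    """Labels of the input dataset plus the newly injected ones, ordered by start time."""
    return sorted(existing + added, key=lambda lab: (lab["start"], lab["end"]))

def to_xml(labels):
    """Serialise merged labels back into the assumed XML layout."""
    root = ET.Element("labels")
    for lab in labels:
        elem = ET.SubElement(root, "label")
        ET.SubElement(elem, "name").text = lab["name"]
        ET.SubElement(elem, "start").text = repr(lab["start"])  # repr round-trips floats
        ET.SubElement(elem, "end").text = repr(lab["end"])
    return ET.tostring(root, encoding="unicode")

# Constructed sample input: one label from an earlier run and the packet
# timestamps of a newly injected PortscanAttack (values are made up).
EXISTING_XML = ("<labels><label><name>EarlierAttack</name>"
                "<start>1476300000.0</start><end>1476300120.5</end></label></labels>")
PORTSCAN_TIMES = [1476301843.0, 1476301843.0312, 1476301844.9]

if __name__ == "__main__":
    merged = merge_labels(parse_labels(EXISTING_XML),
                          [attack_label("PortscanAttack", PORTSCAN_TIMES)])
    print(label_path_for("/home/user/pcap_capture.pcap"))
    print(to_xml(merged))
```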
Copyright (c) 2017: Emmanouil Vasilomanolakis, Carlos Garcia