NCC-2 Dataset: Simultaneous Botnet Dataset

Published: 8 September 2022| Version 2 | DOI: 10.17632/8dpt85jrhp.2


This dataset simulates botnet assaults by utilizing botnet activity from CTU-13 [1] and NCC [2]. The simulation extracts all scenarios from the two datasets to determine attack activity, attack phases, and the time difference between attacks and normal activities [3]. The output of the dataset is stored as bidirectional network flow (binetflow) files. The proposed dataset contains 18 features that are used to identify network traffic as network headers. This dataset contains simultaneous botnet activity compared to the case of multiple attack activity carried out in short time intervals. Simultaneous attack activity is a more advanced analytical characteristic compared to sporadic attacks on CTU-13 and periodic attacks on NCC. Sporadic botnets carry out attack activities that peak at random periods. Periodic botnets have organized assault arrival times to identify attack activity in each time segment [4]. Botnet attacks with simultaneous characteristics are significantly more intense than sporadic and periodic attacks. The characteristics of simultaneous attacks will compel a security system with limited resources to deal with many attacks at the same time in a very short time period. Different sensor detection methods can identify the same type of bot or attack behavior in parallel with simultaneous activities.


Steps to reproduce

The dataset was created by simulating a botnet attack on the network using activity patterns extracted from the CTU-13 and NCC datasets. Any sequentially correlated attack activity combined with normal traffic is known as an attack pattern. The Python programming language is used to develop the simulation method.


Institut Teknologi Sepuluh Nopember


Intrusion Detection