DAST scanning sessions dataset

Published: 16 August 2022| Version 3 | DOI: 10.17632/ctkh2zy6s3.3


This dataset consists of network flow features generated by the tool CICFlowMeter on network captures collected at the University of Belgrade, School of Electrical Engineering. The samples include scanning sessions of 4 DAST tools - Nikto, Vega, OWASP ZAP and Arachni targeted at the OWASP WebGoat application. DAST tools were installed on one virtual machine, while the target was placed on another, with all traffic being routed through a third machine which captured it using the tcpdump utility. For each of the scanners one session was captured, except Arachni, whose scanning phase was divided into 3 sessions. After processing the .pcap files with CICFlowMeter, the output for each of the sessions was split randomly into training, validation and test sets in 60:20:20 ratio, respectively. In addition to the scanning, OWASP ZAP and Vega offer built-in proxy servers for HTTP traffic examination. Interactions of these utilities and Webgoat application were also captured and are present in the dast proxies folder. Finally, in shortened flows, for each of the the scanning sessions, a subset of flows was pruned to 10, 15, 20, 25 and 50 packets. Features were extracted using CICFlowMeter once again, to allow for analysis of flow statistics at different points in time


Steps to reproduce

Firstly, three virtual machines need to be set up. DAST tools Nikto, Vega, OWASP ZAP and Arachni are installed on one. The second machine routes all the traffic to the third, while capturing it with the tcpdump or similar utility. On the third machine, victim applications are deployed. After acquiring the .pcap files, these need to be fed to the CICFlowMeter tool which as a result produces .csv files with features for each of the network flows present in the network capture.


Machine Learning, Information Security, Intrusion Detection