TSD-DDoS: A Time-Series Dataset for TCP Flooding Attack Detection and Severity Assessment for Server Health Monitoring
Description
Distributed Denial of Service (DDoS) attacks aim to disrupt networked services by overwhelming server resources, thereby preventing legitimate users from accessing critical applications. Among various attack vectors, TCP-based flooding attacks remain particularly impactful due to the widespread use of the Transmission Control Protocol in reliable Internet services such as web applications, cloud back-end systems, databases, and enterprise platforms. This dataset presents a time-series representation of TCP flooding attack traffic, derived from the widely used benchmark dataset CICDDoS2019. Unlike the original CICDDoS2019 flow-based CSV files, which describe traffic characteristics at the individual TCP flow level, the proposed dataset aggregates network traffic over fixed 5-second time windows, enabling temporal analysis of server load and attack progression. The dataset was generated by replaying selected CICDDoS2019 packet capture (pcap) files using tcpreplay at varying network speeds of up to 20 Gbps. Network traffic was captured using Wireshark, segmented into consecutive 5-second intervals, and processed to extract time-dependent TCP packet statistics for each interval. This processing strategy enables direct observation of how TCP flooding attacks evolve over time and how they affect server-side traffic intensity. The resulting dataset focuses on TCP-based flooding behaviors, including TCP-SYN, TCP-SYN-ACK, TCP-ACK, and TCP-RST packet activity. Each time window is represented by a compact set of aggregated features that quantify TCP control packet counts and overall TCP traffic volume. The structured, labeled, and time-indexed nature of the data makes the dataset particularly suitable for the development and evaluation of machine learning–based intrusion detection systems (IDS), including both attack detection and severity assessment models. The dataset consists of six CSV files. Two primary files represent time-series traffic captured on 12 January and 11 March, corresponding to the training and testing days defined in CICDDoS2019. These files include the following attributes: pcap file identifier, time window index, counts of SYN, SYN-ACK, ACK, and RST packets, and the total number of TCP packets per interval. Additional CSV files are derived from these base datasets and provide labeled samples for TCP-SYN flooding attack detection and attack severity classification. By providing time-window–based TCP traffic characteristics, this dataset supports research on machine learning–driven intrusion detection, server health monitoring, and adaptive resource management in cloud and virtualized environments, where scaling and mitigation decisions depend on the temporal behavior of incoming traffic rather than individual flow statistics.
Files
Institutions
Categories
Funders
- ISEA Project Phase III, MeitY, Government of India.