BH-KSU23: A Novel Dataset for Evaluating and Enhancing Intrusion Detection Systems Targeting Command-and-Control Traffic
The increasing prevalence of sophisticated cyber-attacks, particularly those orchestrated by state-sponsored threat actors, has highlighted the need for enhanced intrusion detection capabilities. One notable limitation in existing intrusion detection system (IDS) datasets is the lack of realistic and comprehensive representation of command-and-control (C2) framework traffic. This paper introduces BH-KSU23, a novel dataset designed to address this gap, enabling researchers and practitioners to better understand and detect such advanced cyber threats. The dataset was generated using an environment that mimicked real-world infrastructure and incorporated seven different C2 frameworks. Various attack types, including enumeration, exploitation, and post-exploitation, were conducted, resulting in 142GB of raw network traffic. Relevant features were extracted using CIC-Flowmeter, producing a set of 76 features. BH-KSU23 comprises approx. 400,000 records, with an near-equal distribution of benign and malicious samples. A comparison with other datasets, such as NSL-KDD, KDD CUP, and DARPA, reveals that BH-KSU23 offers a more accurate representation of C2 traffic, with a better malicious-to-benign ratio and no duplicate or null records. By providing a dataset that specifically represents C2 traffic, BH-KSU23 aims to facilitate the development of more effective intrusion detection systems and countermeasures against sophisticated cyber-attacks.