Abstract Flow-based anomaly detection is gaining momentum because it can be deployed for real time detection as it analyses only packet headers. To evaluate anomaly detection techniques, labeled dataset is required as unlabeled dataset is not useful for the evaluation. Many packet based network traffic datasets are available but flow-based datasets are sparsely available. In this paper, we present a comprehensive review of the existing flow-based datasets, making emphasis on their main shortcomings. Then a new labeled flow-based DNS dataset viz. PUF Dataset is presented for detecting compromised hosts in a network. The dataset consists of real flows captured from the Computer Centre of Panjab University that handles the entire campus network. All the flows are labeled using logs which are captured for the signatures implemented in Intrusion Prevention System. The implemented signatures are for DNS anomalies. The final dataset consists of 298463 flows with 260343 benign and 38120 anomalous flows. Profiles have been generated for sub-networks for benign as well as anomalous flows using both statistically derived and entropy based features. These profiles can be used to detect anomalous sub-networks thereby helping to isolate compromised host(s).
[1]
Ch. Aswani Kumar,et al.
A Note on Implementing Recurrence Quantification Analysis for Network Anomaly Detection
,
2012
.
[2]
Aiko Pras,et al.
A Labeled Data Set for Flow-Based Intrusion Detection
,
2009,
IPOM.
[3]
Harish Kumar,et al.
An intrusion detection system using network traffic profiling and online sequential extreme learning machine
,
2015,
Expert Syst. Appl..
[4]
Joel J. P. C. Rodrigues,et al.
Autonomous profile-based anomaly detection system using principal component analysis and flow analysis
,
2015,
Appl. Soft Comput..
[5]
Ajay Guleria,et al.
Characterizing Network Flows for Detecting DNS, NTP, and SNMP Anomalies
,
2018
.