LANDER:NCCDC logs-20120420

README version: 8427, last modified: 2018-02-13.

This file describes the trace dataset "NCCDC_logs-20120420" provided by the LANDER project.

Contents

  1 LANDER Metadata
  2 Dataset Contents
  3 Dataset Generation
    3.1 Background
    3.2 Setup
  4 Citation
  5 Results Using This Dataset
  6 User Annotations

LANDER Metadata

dataSetName                NCCDC_logs-20120420
status                     usc-web-and-predict
shortDesc                  2012 NC Cyber Defense Competition
longDesc                   These log files are packet captures from the 2012 National Collegiate Cyber
                           Defense Competition (nccdc.org). CCDC is a multi-day competition that specifically
                           focuses on the operational aspects of managing and protecting an existing
                           "commercial" network infrastructure. Teams of undergraduate/graduate students are
                           provided with a fully functional (but insecure) small business network they must
                           secure, maintain, and defend against a live Red Team.

                           Teams must also respond to business tasks called "injects" throughout the
                           competition.
datasetClass               Quasi-Restricted
commercialAllowed          true
requestReviewRequired      true
productReviewRequired      false
ongoingMeasurement         false
submissionMethod           Upload
collectionStartDate        2012-04-20
collectionStartTime        00:00:00
collectionEndDate          2012-04-22
collectionEndTime          00:00:00
availabilityStartDate      2018-03-01
availabilityStartTime      00:00:00
availabilityEndDate        2030-01-01
availabilityEndTime        00:00:00
anonymization              none
archivingAllowed           false
keywords                   category:synthetically-generated-data, subcategory:experimental-data, synthetic
                           data, nccdc
format
access                     https
hostName                   USC-LANDER
providerName               USC
groupingId                 NCCDC Logs
groupingSummaryFlag        false
retrievalInstructions      download
byteSize                   403773063168
expirationDays             14
uncompressedSize           686702304202
impactDoi                  10.23721/115/1354740
useAgreement               dua-ni-160816
irbRequired                false
privateAccessInstructions  See https://ant.isi.edu/datasets/#getting-datasets for information on obtaining
                           this dataset.
                           See

Dataset Contents

NCCDC_logs-20120420.README.txt
    copy of this README
dayone/
    dayone.NNN.pcap.gz   sequentially numbered pcap traces from the first day of competition
    sniffit.sh           shell script used to drive tcpdump to capture the data
    .sha1sum             SHA-1 checksum
daytwo/
    daytwo.NNN.pcap.gz   sequentially numbered pcap traces from the second day of competition
    sniffit.sh           shell script used to drive tcpdump to capture the data
    .sha1sum             SHA-1 checksum

Pcap

The file ".sha1sum" contains SHA1 checksums of the individual compressed files. The integrity of the distribution can thus be checked by independently calculating the SHA1 sums of the files and comparing them with those listed in the file. If you have the sha1sum utility installed on your system, you can do that by executing:

    sha1sum --check .sha1sum

This has to be done before the files are uncompressed.
Dataset Generation

Background

These packet captures were obtained from the 2012 National Collegiate Cyber Defense Competition (NCCDC) held April 20-22 in San Antonio, TX (http://www.nccdc.org). The NCCDC is the National Championship event for the Collegiate Cyber Defense Competition (CCDC) program.

CCDC is the first competition system that focuses on the operational aspect of managing and protecting an existing commercial network infrastructure. CCDC allows teams of undergraduate and graduate students at universities across the United States to exercise their academic and technical education and compete in a business-oriented, defensive information assurance competition. CCDC is a tiered competition with qualifying and regional events leading to a national championship.

CCDC competitions ask student teams to assume administrative and protective duties for an existing commercial network, typically a small company with 50+ users, 10 to 12 servers, and common Internet services such as a web server, mail server, and an e-commerce site. Each team begins the competition with an identical set of hardware and software and is scored on their ability to detect and respond to outside threats, maintain availability of existing services, respond to business requests such as the creation of a new e-commerce site, and balance security best practices against business needs.

The competition is scored based on several factors including availability of services, response to business tasks, and defense of the network against attack. A Red Team provides the real-world, external threat all Internet-based services face and allows the teams to match their defensive skills against live opponents.

Setup

The NCCDC network is organized in a star configuration. Each competing team, the Red Team, the Orange Team, Operations, etc. is connected to a port on a central switch so that all traffic flowing between each entity can be captured and logged.
These packet captures were obtained from the SPAN port on the central switch. While this traffic capture should contain all communications between the different groups, it will not contain any communications that occurred internally within each group.

The 2012 NCCDC had 10 competing teams, assigned IP blocks as listed below:

    Team 1     10.10.10.0     and  172.16.10.0
    Team 2     10.20.20.0     and  172.16.20.0
    Team 3     10.30.30.0     and  172.16.30.0
    Team 4     10.40.40.0     and  172.16.40.0
    Team 5     10.50.50.0     and  172.16.50.0
    Team 6     10.60.60.0     and  172.16.60.0
    Team 7     10.70.70.0     and  172.16.70.0
    Team 8     10.80.80.0     and  172.16.80.0
    Team 9     10.90.90.0     and  172.16.90.0
    Team 10    10.100.100.0   and  172.16.100.0

    Subnet mask:      255.255.255.0
    Default gateway:  10.X.X.1 or 172.16.X.1

The 10.X.X.X networks resided on physical hardware in the same room as the team. The teams did have the ability to implement local filtering and a hardware-based firewall on their local networks. The 172.16.X.X networks existed in a cloud environment and were only accessible remotely.

Each team was required to maintain the following critical services throughout the competition:

  • SMTP and POP3 services on 10.X.X.16
  • DNS services on 10.X.X.15 and 172.16.X.203
  • HTTP/S services on 10.X.X.20 and 172.16.X.202
  • ICMP echo reply and request from all sources
  • Connectivity between 10.X.X.252 and a virtual PBX located in the 10.110.0.X subnet

An automated scoring engine is used to check the availability and functionality of required services. The scoring engine runs at randomized intervals between 3 and 5 minutes and randomly chooses either a new source address from a large pool of available subnets for each check or chooses to reuse a previously selected address.

At the 2012 NCCDC, competing teams were required to use a proxy (10.120.0.200) to access the Internet.
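When working through the traces, it helps to label each address with its team, site and role according to the addressing plan above. The following is an added example, not part of the original README or the LANDER tooling; the function names, the role labels, the /24 for the PBX subnet and the sample flows are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Addressing plan from the Setup section: team N owns 10.(10N).(10N).0/24
# (on-site hardware) and 172.16.(10N).0/24 (cloud), mask 255.255.255.0.
TEAM_NETS = {}
for n in range(1, 11):
    TEAM_NETS[ipaddress.ip_network(f"10.{10*n}.{10*n}.0/24")] = (n, "local")
    TEAM_NETS[ipaddress.ip_network(f"172.16.{10*n}.0/24")] = (n, "cloud")

# Critical-service hosts by (site, last octet), as listed in the README.
# Role labels are hypothetical names chosen for this example.
SERVICE_HOSTS = {
    ("local", 16): "mail", ("local", 15): "dns", ("local", 20): "web",
    ("local", 252): "pbx-client", ("cloud", 203): "dns", ("cloud", 202): "web",
}
PROXY = ipaddress.ip_address("10.120.0.200")
PBX_NET = ipaddress.ip_network("10.110.0.0/24")  # assumed /24 for "10.110.0.X"

def label(addr):
    """Return (team, site, role); team is None for non-team addresses."""
    ip = ipaddress.ip_address(addr)
    if ip == PROXY:
        return (None, "infra", "proxy")
    if ip in PBX_NET:
        return (None, "infra", "pbx")
    for net, (team, site) in TEAM_NETS.items():
        if ip in net:
            octet = int(ip) & 0xFF
            role = "gateway" if octet == 1 else SERVICE_HOSTS.get((site, octet), "host")
            return (team, site, role)
    # Scoring engine, Red Team and other sources are not enumerated in the README.
    return (None, "other", "unknown")

def inbound_by_service(flows):
    """Count flows whose destination is a team's scored mail, DNS or web host."""
    counts = Counter()
    for _src, dst in flows:
        team, site, role = label(dst)
        if team is not None and role in {"mail", "dns", "web"}:
            counts[(team, site, role)] += 1
    return counts

# Constructed (src, dst) pairs, not taken from the dataset.
SAMPLE_FLOWS = [
    ("192.0.2.7", "10.30.30.20"), ("192.0.2.9", "10.30.30.20"),
    ("10.10.10.55", "10.120.0.200"), ("198.51.100.4", "172.16.100.203"),
    ("10.70.70.252", "10.110.0.5"), ("203.0.113.1", "10.10.20.16"),
]
```

Because the scoring engine draws its source addresses from a large pool, service checks cannot be separated from other inbound traffic by source address alone; the labeller therefore only classifies the addresses the README actually enumerates.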
Citation

If you use this trace to conduct additional research, please cite it as:

    NCCDC Logs, IMPACT ID: USC-LANDER/NCCDC_logs-20120420/rev8427. Traces taken 2012-04-20 to 2012-04-22. Provided by the Center for Infrastructure Assurance and Security (UTSA/CIAS) and hosted by the USC/LANDER project (http://www.isi.edu/ant/lander).

Results Using This Dataset

No results yet.

User Annotations

Currently no annotations.