LANDER:NCCDC logs-20150424
README version: 8426, last modified: 2018-02-13.

This file describes the trace dataset "NCCDC_logs-20150424" provided by the LANDER project.

LANDER Metadata

  dataSetName                NCCDC_logs-20150424
  status                     usc-web-and-predict
  shortDesc                  2015 NC Cyber Defense Competition
  longDesc                   These log files are packet captures from the 2015 National
                             Collegiate Cyber Defense Competition (nccdc.org). CCDC is a
                             multi-day competition that specifically focuses on the
                             operational aspects of managing and protecting an existing
                             "commercial" network infrastructure. Teams of
                             undergraduate/graduate students are provided with a fully
                             functional (but insecure) small business network they must
                             secure, maintain, and defend against a live Red Team.

                             Teams must also respond to business tasks called "injects"
                             throughout the competition.
  datasetClass               Quasi-Restricted
  commercialAllowed          true
  requestReviewRequired      true
  productReviewRequired      false
  ongoingMeasurement         false
  submissionMethod           Upload
  collectionStartDate        2015-04-24
  collectionStartTime        00:00:00
  collectionEndDate          2015-04-26
  collectionEndTime          00:00:00
  availabilityStartDate      2018-03-01
  availabilityStartTime      00:00:00
  availabilityEndDate        2030-01-01
  availabilityEndTime        00:00:00
  anonymization              none
  archivingAllowed           false
  keywords                   category:synthetically-generated-data,
                             subcategory:experimental-data, synthetic data, nccdc
  format
  access                     https
  hostName                   USC-LANDER
  providerName               USC
  groupingId
  groupingSummaryFlag        false
  retrievalInstructions      download
  byteSize                   1082581319680
  expirationDays             14
  uncompressedSize           1242852919607
  impactDoi                  10.23721/115/1354743
  useAgreement               dua-ni-160816
  irbRequired                false
  privateAccessInstructions  See https://ant.isi.edu/datasets/#getting-datasets for
                             information on obtaining this dataset.
                             See

Dataset Contents

NCCDC_logs-20150424.README.txt   copy of this README
dayone/
    dayone.NNNN.pcap.gz          sequentially numbered pcap traces from the first day of competition
    .sha1sum                     SHA-1 checksums
daytwo/
    daytwo.NNNN.pcap.gz          sequentially numbered pcap traces from the second day of competition
    .sha1sum                     SHA-1 checksums

The file ".sha1sum" contains the SHA-1 checksums of the individual compressed files. The integrity of the distribution can therefore be checked by independently calculating the SHA-1 sums of the files and comparing them with those listed in that file. If you have the sha1sum utility installed on your system, you can do that by executing:

    sha1sum --check .sha1sum

This has to be done before the files are uncompressed, because the checksums cover the compressed .pcap.gz files, not their contents.

Dataset Generation

Background

These packet captures were obtained from the 2015 National Collegiate Cyber Defense Competition (NCCDC), held in April in San Antonio, TX (http://www.nccdc.org). The NCCDC is the National Championship event for the Collegiate Cyber Defense Competition (CCDC) program.
CCDC is the first competition system that focuses on the operational aspect of managing and protecting an existing commercial network infrastructure. CCDC allows teams of undergraduate and graduate students at universities across the United States to exercise their academic and technical education and compete in a business-oriented, defensive information assurance competition. CCDC is a tiered competition with qualifying and regional events leading to a national championship.

CCDC competitions ask student teams to assume administrative and protective duties for an existing commercial network, typically a small company with 50+ users, 10 to 12 servers, and common Internet services such as a web server, a mail server, and an e-commerce site. Each team begins the competition with an identical set of hardware and software and is scored on its ability to detect and respond to outside threats, maintain availability of existing services, respond to business requests such as the creation of a new e-commerce site, and balance security best practices against business needs. The competition is scored on several factors, including availability of services, response to business tasks, and defense of the network against attack. A Red Team provides the real-world, external threat that all Internet-based services face and allows the teams to match their defensive skills against live opponents.

Setup

The NCCDC uses a star topology in which each competing team and each major group (Red Team, Orange Team, White Team, etc.) is connected to a core switch. These logs were captured from the SPAN port on that core switch. As there was over 1 TB of captured traffic, the packet captures are serialized into 500 MB files and divided between day one and day two of the competition. Packet captures were taken using tcpdump with DNS resolution disabled and were gzipped at the end of the competition to save space.
These packet captures contain traffic from automated scoring systems, traffic generators, live users, a live Red Team, and the competition. For more information on the NCCDC please visit nccdc.org.

The 2015 NCCDC had 10 competing teams, Teams 1 through 10, which were tasked with operating and securing assets on the following subnets:

    Team 1     10.10.10.0    and 172.16.10.0
    Team 2     10.20.20.0    and 172.16.20.0
    Team 3     10.30.30.0    and 172.16.30.0
    Team 4     10.40.40.0    and 172.16.40.0
    Team 5     10.50.50.0    and 172.16.50.0
    Team 6     10.60.60.0    and 172.16.60.0
    Team 7     10.70.70.0    and 172.16.70.0
    Team 8     10.80.80.0    and 172.16.80.0
    Team 9     10.90.90.0    and 172.16.90.0
    Team 10    10.100.100.0  and 172.16.100.0

On the "10" nets, each team was provided with a "core" network consisting of 8 servers (running a mix of BSD, Debian, Fedora, Windows Server 2008, ESXi 5.5, Windows 2008 R2, and Solaris x86), 6 workstations (running a mix of Windows 10, Windows XP, GhostBSD, and Windows 7), 1 Cisco VoIP phone, 1 Juniper EX2200, and 1 Juniper SRX210. Each core network contained a "canary" box at the 10.X.X.250 address that was not under the team's control and was used by the competition staff to monitor the status of the team's network.

On the "172" networks, each team was provided with two "remote" networks simulating a Control Center and a Plant facility for a small electrical utility company. Both the Plant and Control networks were NAT'd behind a Juniper SRX240 for each team, with the Plant network only accessible from within the Control Center network. The Control Center network consisted of an RDP server, an FTP server, an HMI workstation, an HMI server, an Engineering Workstation, an OPC server, an NMIS server, and an IDS.
Teams were required to have the following core services available to any IP address at all times during the competition:

    DNS service on 10.X.X.5
    HTTP service on 10.X.X.10 (webmail)
    SMTP service on 10.X.X.10
    POP3 service on 10.X.X.10
    HTTP service on 10.X.X.15 (e-commerce site)
    HTTP service on 10.X.X.205 (ticket system)
    SSH service on 172.16.X.204 (OPC server)
    SSH service on 172.16.X.210 (end works)
    FTP service on 172.16.X.203 (historian)
    HTTP service on 172.16.X.211 (audit)

Citation

If you use this trace to conduct additional research, please cite it as:

    NCCDC Logs, IMPACT ID: USC-LANDER/NCCDC_logs-20150424/rev8426. Traces taken 2015-04-24 to 2015-04-26. Provided by the Center for Infrastructure Assurance and Security (UTSA/CIAS) and hosted by the USC/LANDER project (http://www.isi.edu/ant/lander).

Results Using This Dataset

No results yet.

User Annotations

Currently no annotations.
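As an added example (not part of this README or of the LANDER/UTSA tooling), the following Python reads one gzipped trace and attributes IPv4 packets to teams using the subnet convention from the Setup section (team N owns 10.(10N).(10N).0 and 172.16.(10N).0), while also counting packets that touch a team's 10.X.X.250 canary box. It assumes the files are classic tcpdump pcap with an Ethernet link type, and it builds a small constructed sample trace in the temp directory so it runs offline; pass a real dayone.NNNN.pcap.gz path to summarize() instead.

```python
import gzip, os, struct, tempfile

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic number, as written by tcpdump

def team_for_ip(ip):
    """Team 1-10 per the Setup section: team N owns 10.(10N).(10N).0/24 and 172.16.(10N).0/24."""
    a, b, c, _ = (int(x) for x in ip.split("."))
    if a == 10 and b == c and b % 10 == 0 and 1 <= b // 10 <= 10:
        return b // 10
    if a == 172 and b == 16 and c % 10 == 0 and 1 <= c // 10 <= 10:
        return c // 10
    return None  # scoring systems, Red Team, or any other non-team address

def is_canary(ip):  # staff-controlled canary box at 10.X.X.250 inside a team's core network
    return ip.startswith("10.") and ip.endswith(".250") and team_for_ip(ip) is not None

def iter_ipv4(pcap):
    """Walk a classic pcap byte string (Ethernet link type); yield (src, dst) of IPv4 frames."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"  # file byte order
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # EtherType 0x0800 = IPv4
            yield ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

def summarize(gz_path):  # -> ({team: ipv4 packet count}, packets touching a canary)
    with gzip.open(gz_path, "rb") as f:
        pcap = f.read()
    teams, canary = {}, 0
    for src, dst in iter_ipv4(pcap):
        for t in {team_for_ip(src), team_for_ip(dst)} - {None}:
            teams[t] = teams.get(t, 0) + 1
        canary += int(is_canary(src) or is_canary(dst))
    return teams, canary

def write_sample(path, flows):  # constructed test trace, not dataset data: one empty frame per flow
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # v2.4, snaplen 65535, Ethernet
    for src, dst in flows:
        ip_hdr = b"\x45\x00\x00\x14" + b"\x00" * 4 + b"\x40\x06\x00\x00"  # IHL 5, len 20, TTL 64, TCP
        ip_hdr += bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split("."))
        frame = b"\x00" * 12 + b"\x08\x00" + ip_hdr  # zero MACs + EtherType IPv4 + header
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # record header + frame
    with gzip.open(path, "wb") as f:
        f.write(out)
    return path

SAMPLE_PATH = write_sample(os.path.join(tempfile.gettempdir(), "nccdc_sample.pcap.gz"), [
    ("10.10.10.5", "203.0.113.9"), ("172.16.30.204", "10.30.30.7"), ("10.100.100.250", "10.100.100.10")])
```

The real 500 MB compressed files expand to several times that size, so for the actual traces replace the single f.read() with chunked reading rather than loading a whole file into memory.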