LANDER:NCCDC logs-20160422

From Predict. README version: 8424, last modified: 2018-02-13.

This file describes the trace dataset "NCCDC_logs-20160422" provided by the LANDER project.

Contents
• 1 LANDER Metadata
• 2 Dataset Contents
• 3 Dataset Generation
  • 3.1 Background
  • 3.2 Setup
• 4 Citation
• 5 Results Using This Dataset
• 6 User Annotations

LANDER Metadata

┌───────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐
│ dataSetName               │ NCCDC_logs-20160422                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ status                    │ usc-web-and-predict                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ shortDesc                 │ 2016 NC Cyber Defense Competition                                                  │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ longDesc                  │ These log files are packet captures from the 2016 National Collegiate Cyber        │
│                           │ Defense Competition (nccdc.org). CCDC is a multi-day competition that specifically │
│                           │ focuses on the operational aspects of managing and protecting an existing          │
│                           │ commercial network infrastructure. Teams of undergraduate/graduate students are    │
│                           │ provided with a fully functional (but insecure) small business network they must   │
│                           │ secure, maintain, and defend against a live Red Team. Teams must also respond to   │
│                           │ business tasks called "injects" throughout the competition.                        │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ datasetClass              │ Quasi-Restricted                                                                   │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ commercialAllowed         │ true                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ requestReviewRequired     │ true                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ productReviewRequired     │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ ongoingMeasurement        │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ submissionMethod          │ Upload                                                                             │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionStartDate       │ 2016-04-22                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionStartTime       │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionEndDate         │ 2016-04-24                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionEndTime         │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityStartDate     │ 2018-03-01                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityStartTime     │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityEndDate       │ 2030-01-01                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityEndTime       │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ anonymization             │ none                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ archivingAllowed          │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ keywords                  │ category:synthetically-generated-data, subcategory:experimental-data, synthetic    │
│                           │ data, nccdc                                                                        │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ format                    │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ access                    │ https                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ hostName                  │ USC-LANDER                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ providerName              │ USC                                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ groupingId                │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ groupingSummaryFlag       │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ retrievalInstructions     │ download                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ byteSize                  │ 1992676081664                                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ expirationDays            │ 365                                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ uncompressedSize          │ 1992675117934                                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ impactDoi                 │ 10.23721/115/1354744                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ useAgreement              │ dua-ni-160816                                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ irbRequired               │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ privateAccessInstructions │ See https://ant.isi.edu/datasets/#getting-datasets for information on obtaining    │
│                           │ this dataset.                                                                      │
└───────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘

Dataset Contents

NCCDC_logs-20160422.README.txt    copy of this README
dayone/
    dayone.NNN.pcap.gz            sequentially numbered pcap traces from the first day of competition
    .sha1sum                      SHA-1 checksums of the files in this directory
daytwo/
    daytwo.NNN.pcap.gz            sequentially numbered pcap traces from the second day of competition
    .sha1sum                      SHA-1 checksums of the files in this directory

The file ".sha1sum" contains SHA-1 checksums of the individual compressed files. The integrity of the distribution can therefore be checked by independently calculating the SHA-1 sums of the files and comparing them with those listed in the file. If you have the sha1sum utility installed on your system, you can do that by executing, inside each of the dayone/ and daytwo/ directories:

    sha1sum --check .sha1sum

This has to be done before the files are uncompressed, because the checksums cover the compressed .pcap.gz files, not their contents. The checksums detect corruption or truncation in transit; they are not a signature and do not authenticate who produced the distribution.

Dataset Generation

Background

These packet captures were obtained from the 2016 National Collegiate Cyber Defense Competition (NCCDC) held in April in San Antonio, TX (http://www.nccdc.org). The NCCDC is the National Championship event for the Collegiate Cyber Defense Competition (CCDC) program.
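As an added example for the integrity check described under Dataset Contents (this is my code, not part of the LANDER README or of any LANDER or NCCDC tooling): it parses the manifest format that sha1sum writes (`<hex>  <name>`, or `<hex> *<name>` in binary mode), streams each file through hashlib so multi-gigabyte captures are never loaded into memory, and additionally reports files that are present in the directory but not listed in the manifest, which `sha1sum --check` does not do. The sample directory, its file names and the helper names are constructed for the demonstration and are assumptions; run `verify_dir("dayone")` against the real, still-compressed distribution.

```python
"""Added example (not part of the LANDER README): verify a sha1sum-style
manifest such as dayone/.sha1sum with hashlib, and also report files that
are present but unlisted. Run it on the compressed .pcap.gz files, before
gunzip, because the checksums cover the compressed files."""
import hashlib
import os
import tempfile

MANIFEST = ".sha1sum"


def sha1_of(path: str, chunk: int = 1 << 20) -> str:
    """Streamed SHA-1 so a 2 GB capture is read in 1 MiB blocks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(path: str) -> dict:
    """Parse sha1sum output lines: '<hex>  <name>' (text mode) or
    '<hex> *<name>' (binary mode). Returns {name: hex}."""
    entries = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line.strip():
                continue
            digest, _, name = line.partition(" ")
            name = name.lstrip(" ").lstrip("*")  # drop the mode marker
            if len(digest) != 40 or not name:
                raise ValueError(f"malformed manifest line: {line!r}")
            entries[name] = digest.lower()
    return entries


def verify_dir(directory: str) -> dict:
    """Classify every file as OK, FAILED (digest mismatch), MISSING
    (listed but absent) or UNLISTED (present but not in the manifest)."""
    expected = parse_manifest(os.path.join(directory, MANIFEST))
    result = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "MISSING"
        else:
            result[name] = "OK" if sha1_of(path) == digest else "FAILED"
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name != MANIFEST and name not in expected and os.path.isfile(path):
            result[name] = "UNLISTED"
    return result


def all_ok(results: dict) -> bool:
    """True only when the manifest is non-empty and every entry verified."""
    return bool(results) and all(v == "OK" for v in results.values())


def demo() -> dict:
    """Constructed data (hypothetical file names): two fake compressed
    captures plus a manifest; then one file is corrupted and a stray,
    unlisted file is added, and the directory is re-verified."""
    d = tempfile.mkdtemp()
    files = {"dayone.001.pcap.gz": b"\x1f\x8b" + b"A" * 100,
             "dayone.002.pcap.gz": b"\x1f\x8b" + b"B" * 100}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    with open(os.path.join(d, MANIFEST), "w", encoding="utf-8") as f:
        for name, data in files.items():
            f.write(f"{hashlib.sha1(data).hexdigest()}  {name}\n")
    before = verify_dir(d)
    with open(os.path.join(d, "dayone.002.pcap.gz"), "ab") as f:
        f.write(b"X")                      # simulate corruption in transit
    with open(os.path.join(d, "dayone.003.pcap.gz"), "wb") as f:
        f.write(b"stray")                  # present but not in the manifest
    after = verify_dir(d)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in demo().items():
        print(phase, results, "all_ok=%s" % all_ok(results))
```

The UNLISTED class is the one worth adding over plain `sha1sum --check`: a file that sits next to genuine captures but is not covered by the manifest has no integrity claim at all and should not be fed to an analysis pipeline as if it were part of the distribution.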
CCDC is the first competition system that focuses on the operational aspect of managing and protecting an existing commercial network infrastructure. CCDC allows teams of undergraduate and graduate students at universities across the United States to exercise their academic and technical education and compete in a business-oriented, defensive information assurance competition. CCDC is a tiered competition with qualifying and regional events leading to a national championship.

CCDC competitions ask student teams to assume administrative and protective duties for an existing commercial network, typically a small company with 50+ users, 10 to 12 servers, and common Internet services such as a web server, mail server, and an e-commerce site. Each team begins the competition with an identical set of hardware and software and is scored on their ability to detect and respond to outside threats, maintain availability of existing services, respond to business requests such as the creation of a new e-commerce site, and balance security best practices against business needs. The competition is scored based on several factors including availability of services, response to business tasks, and defense of the network against attack. A Red Team provides the real-world, external threat all Internet-based services face and allows the teams to match their defensive skills against live opponents.

Setup

The NCCDC uses a star topology where each competing team and each major group (Red Team, Orange Team, White Team, etc.) are connected to a core switch. These logs were captured from the SPAN port on that core switch. As there was almost 2 TB of captured traffic, the packet captures are serialized into 2 GB files and divided between day one and day two of the competition. Packet captures were made using tcpdump with DNS resolution disabled.
These packet captures contain traffic from automated scoring systems, traffic generators, live users, a live Red Team, and the competition network itself (such as Internet traffic from the teams). Internet traffic from the teams was routed through a Squid proxy located at 10.120.0.200 on port 8080, so expect the teams' outbound web requests to appear as connections to that address and port. There will be exploit and system compromise traffic in these logs, as well as persistent connections from compromised systems. For more information on the NCCDC please visit nccdc.org.

The 2016 NCCDC had 10 competing teams, Teams 1 through 10, which were tasked with operating and securing assets on the following subnets:

Team 1    10.10.10.0     172.16.10.0    172.16.11.0
Team 2    10.20.20.0     172.16.20.0    172.16.21.0
Team 3    10.30.30.0     172.16.30.0    172.16.31.0
Team 4    10.40.40.0     172.16.40.0    172.16.41.0
Team 5    10.50.50.0     172.16.50.0    172.16.51.0
Team 6    10.60.60.0     172.16.60.0    172.16.61.0
Team 7    10.70.70.0     172.16.70.0    172.16.71.0
Team 8    10.80.80.0     172.16.80.0    172.16.81.0
Team 9    10.90.90.0     172.16.90.0    172.16.91.0
Team 10   10.100.100.0   172.16.100.0   172.16.101.0

The subnet mask for each network was 255.255.255.0 (a /24), with the .1 address of each subnet serving as the gateway.

On the "10" nets, each team was provided with a "core" network consisting of 8 servers (running a mix of FreeBSD, openSUSE, Windows Server 2008, ESXi 6.0, CentOS, and Solaris x86), 5 workstations (running a mix of Windows 10, Windows XP, and Windows 7), 1 Cisco VoIP phone, 1 Juniper EX2200, and 1 Juniper SRX210.

On the "172" networks, each team was provided with two "remote" networks simulating a remote office facility and a secure data storage network. The remote office network was hosted on the 172.16.X.0 network and consisted of 7 virtual machines running Windows 7, Windows 10, Windows 8, Windows XP, Windows Server 2003, Debian, and Ubuntu. The secure data storage network was housed on the next /24 up, 172.16.(X+1).0, for each team and was only accessible from systems in the 172.16.X.0 network. For example, Team 1's remote office network was 172.16.10.0 and their secure data storage network was 172.16.11.0. The secure data storage network was only accessible from 172.16.10.0 addresses for Team 1, the Red Team, and the Orange Team.

Teams were required to have the following core services available to any IP address at all times during the competition (X is ten times the team number, so 10.X.X.5 is 10.30.30.5 for Team 3 and 172.16.X.204 is 172.16.30.204):

    DNS   10.X.X.5
    POP3  10.X.X.10
    SMTP  10.X.X.10
    HTTP  10.X.X.15
    SSH   10.X.X.15
    HTTP  10.X.X.201
    HTTP  10.X.X.205
    SSH   172.16.X.204
    FTP   172.16.X.205
    SSH   172.16.X.210
    HTTP  172.16.X.211

Citation

If you use this trace to conduct additional research, please cite it as:

NCCDC Logs, IMPACT ID: USC-LANDER/NCCDC_logs-20160422/rev8424. Traces taken 2016-04-22 to 2016-04-24. Provided by the Center for Infrastructure Assurance and Security (UTSA/CIAS) and hosted by the USC/LANDER project (http://www.isi.edu/ant/lander).

Results Using This Dataset

No results yet.

User Annotations

Currently no annotations.
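The addressing plan above, together with the scored services listed for each team in the Setup text that follows, is what an analyst needs first when opening these captures: which team and segment an address belongs to, what it was supposed to be serving, and a capture filter that isolates one team. The helper below encodes that plan as an added example; it is my code, not part of the LANDER README or of NCCDC's own tooling. Function names are my own, and the addresses of the Red and Orange Teams are not given in the README, so the storage-network check at the end can only flag candidate policy violations for triage, not confirm them.

```python
"""Added example (not from the LANDER README): lookups derived from the
2016 NCCDC addressing plan. All address facts come from the README; the
function names and the output dictionary layout are mine."""
import ipaddress
from typing import Optional

TEAMS = range(1, 11)
PROXY = ipaddress.ip_address("10.120.0.200")   # Squid proxy, TCP 8080
PROXY_PORT = 8080

# Scored services by host octet, per segment, as listed in the README.
CORE_SERVICES = {5: ["DNS"], 10: ["POP3", "SMTP"], 15: ["HTTP", "SSH"],
                 201: ["HTTP"], 205: ["HTTP"]}
REMOTE_SERVICES = {204: ["SSH"], 205: ["FTP"], 210: ["SSH"], 211: ["HTTP"]}


def team_networks(team: int) -> dict:
    """The three /24s of a team: Team N uses X = 10*N in every subnet."""
    if team not in TEAMS:
        raise ValueError(f"no such team: {team}")
    x = 10 * team
    return {
        "core": ipaddress.ip_network(f"10.{x}.{x}.0/24"),
        "remote-office": ipaddress.ip_network(f"172.16.{x}.0/24"),
        "secure-storage": ipaddress.ip_network(f"172.16.{x + 1}.0/24"),
    }


def classify_ip(ip: str) -> Optional[dict]:
    """Map an address to team, segment, role and expected services.
    Returns None for anything outside the team nets and the proxy
    (scoring engine, Red Team, Internet addresses, ...)."""
    addr = ipaddress.ip_address(ip)
    if addr == PROXY:
        return {"team": None, "segment": "proxy", "role": "squid-proxy",
                "services": []}
    for team in TEAMS:
        for segment, net in team_networks(team).items():
            if addr not in net:
                continue
            host = int(addr) - int(net.network_address)
            if host == 1:                      # .1 is the gateway everywhere
                return {"team": team, "segment": segment, "role": "gateway",
                        "services": []}
            table = {"core": CORE_SERVICES,
                     "remote-office": REMOTE_SERVICES}.get(segment, {})
            services = table.get(host, [])
            return {"team": team, "segment": segment,
                    "role": "scored-service" if services else "host",
                    "services": services}
    return None


def bpf_filter(team: int) -> str:
    """BPF expression selecting all traffic to or from one team's subnets,
    e.g. tcpdump -n -r dayone.001.pcap '<expr>' after gunzip."""
    return " or ".join(f"net {net}" for net in team_networks(team).values())


def storage_policy_violation(src: str, dst: str) -> bool:
    """True when a packet reaches a team's secure-storage net from an
    address outside that team's remote-office net. The README exempts the
    Red and Orange Teams but does not list their addresses, so a True here
    is a lead to triage, not proof of compromise."""
    d = classify_ip(dst)
    if not d or d["segment"] != "secure-storage":
        return False
    s = classify_ip(src)
    return not (s and s["team"] == d["team"]
                and s["segment"] == "remote-office")


if __name__ == "__main__":
    for ip in ("10.30.30.15", "172.16.101.7", "10.120.0.200", "8.8.8.8"):
        print(ip, classify_ip(ip))
    print(bpf_filter(1))
```

To review one team's traffic, gunzip the capture of interest and pass `bpf_filter(N)` to tcpdump or tshark; to check the documented isolation of the storage networks, walk the packets with a pcap reader of your choice and call `storage_policy_violation` on each source/destination pair, then subtract the Red and Orange Team addresses once you have identified them from the traffic.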