the mcfp
The Malware Capture Facility Project is an effort from the Czech Technical University ATG Group for capturing, analyzing and publishing real and long-lived malware traffic.
The goals of the project are:
The goals of the project are:
- To execute real malware for long periods of time.
- To analyze the malware traffic manually and automatically.
- To assign ground-truth labels to the traffic, including several botnet phases, attacks, normal and background.
- To publish these dataset to the community to help develop better detection methods.
topology
The topology used in the project was designed to be as simple as possible. It uses VirtualBox to execute Windows virtual machines on Linux Hosts. The only two restrictions applied to the traffic are a bandwidth control to prevent DDoS and a redirection of all the SMTP traffic to prevent SPAM sending. More details can be found on the Topology page.
Publishing
The complete dataset is published and can be downloaded from the Dataset menu. The published files include:
- The pcap files of the malware traffic.
- The argus binary flow file.
- The text argus flow file.
- The text web logs
- A text file with the explanation of the experiment
- Several related files, such as the histogram of labels.
COLlABORATION
If you find this project or the dataset useful please consider collaborating with it. Among the things that need more attention are a better labeling, more screenshots of the traffic and information about which malware it really is. Feel free to send an email to sebastian.garcia@agents.fel.cvut.cz.
botnet analysis
This dataset is directly feeding the CTU efforts for modelling and detecting botnets behavior on the network. As such, the Botnet Analysis blog page includes some analysis of their behaviors.
