Closed sewardlee337 closed 6 years ago
@wayward710 Is it possible to get a subset of the data as a CSV to play around with?
Possible resources -- posting here to keep track:
These look like CSV files -- will inspect to see if these files are of interest: https://nesg.ugr.es/nesg-ugr16/index.php#CAL
I think the following file is a good candidate for input for a first attempt at sonification:
https://nesg.ugr.es/nesg-ugr16/march_week3.php#INI (the file attack_ts_march_week3.csv)
I took the data and just changed the colours to quickly see where there was a 1 and a 0
For the purposes of this exercise, sounds are:
STATE (LOOPS): Stable / Monitoring / Yellow / Red
DING (ONESHOTS): Ding Stable, Ding Monitoring, Ding Yellow, Ding Red
As part of the exercise we could have 1min realtime = 0.375sec for musical purposes making a BPM of 90, around about the tempo of slow hiphop / R&B music. 90BPM would mean the loops will fit together perfectly.
The eventual aim would be to do this live, i.e. direct triggers of sound as a result of an incident.
Musically this data might work as follows:
Blacklist: a simple state change from stable to attack and then back to stable, I think. When Blacklist = 1, state goes from stable to monitoring. When Blacklist = 0, state goes back to stable unless there are other anomalies.
Below is a screenshot from later on in the data (minute 488ish) where there are 2 events we can sonify alongside the stable/attack state.
Anomaly-spam: a one-shot 'Ding' notice that there's something up. When Anomaly-spam = 1 and Blacklist = 1, state goes from monitoring to Yellow. If Blacklist = 0, these Dings are Monitoring
Anomaly-sshscan: a one-shot 'Ding' from Red. If Anomaly-sshscan=1, state goes directly Red, regardless of other data. 5mins after Anomaly-sshscan = 0, Ding goes Yellow. 10 mins, Ding = Monitoring.
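The Blacklist / Anomaly-spam / Anomaly-sshscan rules above, written out as a small state machine (an added example, not code from this thread or the project). Assumptions: the column names follow the thread's spelling rather than the real CSV header, the sshscan decay is timed from the last minute the flag was 1 and releases to Stable after 15 minutes, and a ding is played whenever an anomaly fires or the state changes.

```python
import csv
import io

STABLE, MONITORING, YELLOW, RED = "Stable", "Monitoring", "Yellow", "Red"
RANK = {STABLE: 0, MONITORING: 1, YELLOW: 2, RED: 3}
SECONDS_PER_MINUTE = 0.375  # playback scale proposed in the thread

# Constructed sample rows (not taken from attack_ts_march_week3.csv).
SAMPLE = """minute,Blacklist,Anomaly-spam,Anomaly-sshscan
0,0,0,0
1,1,0,0
2,1,1,0
3,0,1,0
4,0,0,0
5,0,0,1
6,0,0,0
10,0,0,0
15,0,0,0
20,0,0,0
"""

def sshscan_level(gap):
    """State contributed by an sshscan last seen `gap` minutes ago."""
    if gap is None:
        return STABLE
    if gap < 5:
        return RED
    if gap < 10:
        return YELLOW
    if gap < 15:  # assumption: the thread does not say when Monitoring ends
        return MONITORING
    return STABLE

def sonify(csv_text):
    """Return (playback_seconds, loop_state, ding_or_None) per input row."""
    events, last_ssh, prev = [], None, STABLE
    for row in csv.DictReader(io.StringIO(csv_text)):
        minute = int(row["minute"])
        bl, spam, ssh = (row[c] == "1" for c in
                         ("Blacklist", "Anomaly-spam", "Anomaly-sshscan"))
        if ssh:
            last_ssh = minute
        # Blacklist and spam together give Yellow; either alone is Monitoring.
        base = YELLOW if (bl and spam) else MONITORING if (bl or spam) else STABLE
        decay = sshscan_level(None if last_ssh is None else minute - last_ssh)
        state = max(base, decay, key=RANK.get)  # sshscan overrides other data
        ding = state if (spam or ssh or state != prev) else None
        events.append((round(minute * SECONDS_PER_MINUTE, 3), state, ding))
        prev = state
    return events
```

Each returned tuple can drive a sampler directly: the second field selects the loop, the third (when not None) triggers the matching one-shot at the given playback time.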
Looks like we've decided upon our first dataset to use:
https://nesg.ugr.es/nesg-ugr16/march_week3.php#INI (the file attack_ts_march_week3.csv)
Closing...
@wayward710 Find a network security file with interesting variables to analyze/sonify, plus any additional relevant info.
@sewardlee337 To look at data afterwards and play around with it.