This is for BGP anomaly analysis


Gaming consoles are very common connected devices which have evolved in functionality and applications (games and beyond) they support. This diversity of traffic generated from these consoles has diverse quality of service (QoS) requirements. However, in order to offer diverse QoS, ISPs and operators must be able to classify this traffic. To enable research in traffic classification (Machine Learning based or other), we have generated and collected this dataset. This is a labelled dataset collected from a gaming console, PlayStation 4.


Download Microsoft Network Monitor (at the following link: to be able to access the data. Open the capture file and then wait for all the collected frames to be loaded. The data set was collected using Microsoft Network Monitor 3.4. The traffic is Labelled by number, time and day, Source and Destination IP, Protocol, length and description. Using Microsoft Network Monitor, there is a way to Filter by Media type (check the following link: To navigate the data easily, you can apply a filter on the media type by putting it Ethernet meaning that only the data exchanged between the Laptop and the PlayStation will show. The Excel sheet included with the dataset contains the date and the time of each capture and also when each activity was running and when it was stopped making it easy to identify the data. Refer to the time delay report attached for more information about the time synchronization aspects between the data capture and the PlayStation.


The data are four Xilinx ISE projects for Montgomery modualr multiplication and modular exponentiation.


There are 4 directions in the data, the first 2 of which are Montgomery modular multiplications, and the last 2 of which are modular exponentiations.


The CHU Surveillance Violence Dataset (CSVD) is a collection of CCTV footage of violent and non-violent actions aiming to characterize the composition of violent actions into more specific actions. We produced several simple action classes for violent and non-violent actions do add variety and better distribution among simple and complex action classes for RGB and Action Silhouette Videos (enhanced Optical Flow Images) with their localized actions.


Due to the large number of vulnerabilities in information systems and the continuous activity of attackers, techniques for malicious traffic detection are required to identify and protect against cyber-attacks. Therefore, it  is important to intentionally operate a cyber environment to be invaded and compromised in order to allow security professionals to analyze the evolution of the various attacks and exploited vulnerabilities.

This dataset includes 2016, 2017 and 2018 cyber attacks in the HoneySELK environment.


PCAPs contain attacks targeting several honeypots configured with the following protocols/ports:

  - SSH: 22/TCP

  - HTTP: 80/TCP

  - HTTPS: 443/TCP

  - MYSQL: 3306/TCP

  - FTP: 21/20/TCP

  - DNS: 53/TCP/UDP

  - NTP: 123/UDP

  - TELNET: 23/TCP

  - MSRPC: 135/TCP




This dataset contains a list of popular websites and their privacy statements. The websites belong to the three largest South Asian economies, namely, India, Pakistan, and Bangladesh. Each website is categorized into 10 sectors, namely, e-commerce, finance/banking, education, healthcare, news, government, telecom, buy and sell, job/freelance, blogging/discussion. We hope that this dataset will help researchers in investigating website privacy compliance.


We build an original dataset of thermal videos and images that simulate illegal movements around the border and in protected areas and are designed for training machines and deep learning models. The videos are recorded in areas around the forest, at night, in different weather conditions – in the clear weather, in the rain, and in the fog, and with people in different body positions (upright, hunched) and movement speeds (regu- lar walking, running) at different ranges from the camera.



About 20 minutes of recorded material from the clear weather scenario, 13 minutes from the fog scenario, and about 15 minutes from rainy weather were processed. The longer videos were cut into sequences and from these sequences individual frames were extracted, resulting in 11,900 images for the clear weather, 4,905 images for the fog, and 7,030 images for the rainy weather scenarios.

A total of 6,111 frames were manual annotated so that could be used to train the supervised model for person detection. When selecting the frames, it was taken into account that the selected frames include different weather conditions so that in the set there were 2,663 frames shot in clear weather conditions, 1,135 frames of fog, and 2,313 frames of rain.

The annotations were made using the open-source Yolo BBox Annotation Tool that can simultaneously store annotations in the three most popular machine learning annotation formats YOLO, VOC, and MS COCO so all three annotation formats are available. The image annotation consists of a centroid position of the bounding box around each object of interest, size of the bounding box in terms of width and height, and corresponding class label (Human or Dog).



Presented here is a dataset used for our SCADA cybersecurity research. The dataset was built using our SCADA system testbed described in our paper below [*]. The purpose of our testbed was to emulate real-world industrial systems closely. It allowed us to carry out realistic cyber-attacks.



Provided dataset is cleased, pre-processed, and ready to use. The users may modify as they wish, but please cite the dataset as below.

M. A. Teixeira, M. Zolanvari, R. Jain, "WUSTL-IIOT-2018 Dataset for ICS (SCADA) Cybersecurity Research," 2018. [Online]. Available:


It is the HDL files with a submisstion to the IEEE journal.

Last Updated On: 
Fri, 05/01/2020 - 05:55

This repository contains the results of running more than 70 samples of ransomware, from different families, dating  since 2015. It contains the network traffic (DNS and TCP) and the Input/Output (I/O) operations generated by the malware while encrypting a network shared directory. These data are contained in three files for each ransomware sample: one with the information from the DNS requests, other with the TCP connections another one containing the I/O operations. This information can be useful for testing new and old ransomware detection tools and compare their results.


The dataset is organised as one zip file for all text files organised in one directory for each ransomware sample. Although another zip file could be uploaded with all the trace files organised in the same manner as the previous zip file, it was extremely large file (more than 650GB after compression). In order to make the download easier, we have uploaded the trace files in separated zip files, one for each directory or scenario. We have also published in an external website (link) the trace files available to download individually. If a single trace file download is desired, we recommend to visit the website and download it.

For each malware sample three text files are generated (dnsInfo.txt, TCPconnInfo.txt and IOops.txt) and placed in the directory with the ransomware strain’s name. Structure of all the directory and subdirectories are shown in README.pdf file and in the text file “repositoryStructure.txt”.

The I/O operations file contains one text line for each operation (open or close file, read, write, rename, delete, etc). Each line contains fields separated by the blank space character (ASCII 0x20), with the useful metadata about the operation (file name, read and write offset and length, timestamp, etc). The file README.pdf explains all the fields in the I/O operations file.

The DNS info file has one line per each DNS request made by the user machine. The DNS server is ‘’ for all traces. The file README.pdf explains each column. The TCP info file has one line per each TCP connection. In case the connection contains a HTTP request, the method, response code and url are present in this file. As in previous cases, in the README file the columns and structure of file is explained.

We started downloading ransomware samples in 2015 from and The samples were executed in one machine and the DNS and HTTP petitions were collected by a traffic probe mirroring the traffic. The ‘infected’ machine has a mounted directory, shared by a server. The content of this directory is encrypted by the ransomware during its activity. The operations over this directory were captured by the same traffic probe and processed with specialised software to extract the I/O operations in the format explained in the README.pdf file.

In order to analyse the ransomware behaviour, we made different shared directories and we ran some samples in both directories. These shared directories follow an statistic distribution for the file sizes and location of each one, trying to simulate users’ fileset. Changing the seed in the generation of the directory we can make similar directories with different number of files, distribution and subdirectories. The trace files of ransomwares run in this cases can be found in zip files named ‘’ where X goes from 2 to 10. We have also run samples with shared directory of 10GB size, which trace files are placed in zip file called ‘10Gdirectory’.

We have also run one sample sweeping the network speed for simulating ransomware encrypting the files slowly. These traces can be found in ‘’ file. Finally, the samples run in scenario with Windows 10 user and server generated traffic traces placed in the file ‘’. There is not text files for these samples as the traffic is encrypted in the version 3 of SMB protocol (used in Windows 10 machines).

As we have explained above, the traces files can be downloaded individually from an external link but the text files associated to them are placed in a single zip file (it is possible to download them all together due to its smaller size).