Spaces:
Sleeping
Sleeping
File size: 8,443 Bytes
6233f1d | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 | import json
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Tuple
import pandas as pd
from scapy.all import IP, TCP, UDP, Raw, wrpcap
ROOT = Path(__file__).resolve().parents[1]
CSV_DIR = ROOT.parent / "csv"
OUTPUT_DIR = ROOT / "pcaps"
OUTPUT_DIR.mkdir(exist_ok=True)
@dataclass(frozen=True)
class TaskSpec:
name: str
source_csv: str
samples: Dict[str, int]
seed: int
description: str
TASK_SPECS = [
TaskSpec(
name="easy_task",
source_csv="Friday-WorkingHours-Afternoon-DDos.pcap_ISCX.csv",
samples={"BENIGN": 32, "DDoS": 36},
seed=7,
description="Easy DDoS vs benign traffic.",
),
TaskSpec(
name="medium_task",
source_csv="Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv",
samples={
"BENIGN": 40,
"Web Attack ? Brute Force": 16,
"Web Attack ? XSS": 12,
"Web Attack ? Sql Injection": 8,
},
seed=11,
description="Medium web attack traffic with three attack types.",
),
TaskSpec(
name="hard_task",
source_csv="Wednesday-workingHours.pcap_ISCX.csv",
samples={
"BENIGN": 48,
"DoS Hulk": 18,
"DoS GoldenEye": 12,
"DoS slowloris": 12,
"DoS Slowhttptest": 12,
"Heartbleed": 8,
},
seed=19,
description="Hard high-noise DoS dataset with a rare Heartbleed stream.",
),
]
def clean_columns(frame: pd.DataFrame) -> pd.DataFrame:
frame.columns = [column.strip() for column in frame.columns]
if "Label" in frame.columns:
frame["Label"] = frame["Label"].astype(str).map(normalize_source_label)
return frame
def normalize_source_label(label: str) -> str:
cleaned = label.replace("\ufffd", "?").strip()
cleaned = " ".join(cleaned.split())
replacements = {
"Web Attack ?Brute Force": "Web Attack ? Brute Force",
"Web Attack ?Sql Injection": "Web Attack ? Sql Injection",
}
return replacements.get(cleaned, cleaned)
def normalize_label(label: str) -> str:
label = normalize_source_label(label)
mapping = {
"BENIGN": "benign",
"DDoS": "ddos",
"Web Attack ? Brute Force": "web_bruteforce",
"Web Attack ? XSS": "web_xss",
"Web Attack ? Sql Injection": "web_sql_injection",
"DoS Hulk": "dos_hulk",
"DoS GoldenEye": "dos_goldeneye",
"DoS slowloris": "dos_slowloris",
"DoS Slowhttptest": "dos_slowhttptest",
"Heartbleed": "heartbleed",
}
return mapping.get(label, label.lower().replace(" ", "_"))
def payload_for(label: str, flow_index: int) -> bytes:
role = normalize_label(label)
templates = {
"ddos": f"HTTP flood burst {flow_index} / GET /index.html",
"web_bruteforce": f"POST /login username=admin attempt={flow_index}",
"web_xss": f"GET /search?q=<script>alert({flow_index})</script>",
"web_sql_injection": f"GET /items?id=1%20OR%201=1-- flow={flow_index}",
"dos_hulk": f"HULK spray {flow_index} keepalive burst",
"dos_goldeneye": f"GoldenEye header flood {flow_index}",
"dos_slowloris": f"Slowloris partial header flow={flow_index}",
"dos_slowhttptest": f"SlowHTTPTest chunked body {flow_index}",
"heartbleed": f"TLS heartbeat malformed payload leak={flow_index}",
"benign": f"normal application traffic flow={flow_index}",
}
return templates[role].encode("utf-8")
def choose_port(label: str, dst_port: int) -> int:
role = normalize_label(label)
if role.startswith("web_") or role.startswith("dos_"):
return 80
if role == "heartbleed":
return 443
if role == "ddos":
return 80
return dst_port if dst_port > 0 else 443
def make_ip_pair(label: str, group_index: int) -> Tuple[str, str]:
role = normalize_label(label)
victim = f"192.168.10.{10 + (group_index % 40)}"
if role == "benign":
src = f"10.0.{group_index % 8}.{20 + (group_index % 180)}"
dst = f"172.16.{group_index % 6}.{30 + (group_index % 180)}"
return src, dst
attacker = f"203.0.113.{50 + (group_index % 150)}"
return attacker, victim
def make_packets_for_flow(row: pd.Series, label: str, flow_index: int) -> List:
total_fwd = max(1, min(int(float(row.get("Total Fwd Packets", 2))), 4))
total_bwd = max(0, min(int(float(row.get("Total Backward Packets", 1))), 3))
dst_port = choose_port(label, int(float(row.get("Destination Port", 80))))
base_ttl = int(float(row.get("Init_Win_bytes_forward", 64)) or 64)
ttl = 64 if base_ttl <= 0 else max(32, min(base_ttl, 128))
src_ip, dst_ip = make_ip_pair(label, flow_index)
payload = payload_for(label, flow_index)
protocol = UDP if dst_port == 53 else TCP
packets = []
timestamp = 1.0 + flow_index * 0.01
for offset in range(total_fwd):
if protocol is TCP:
l4 = TCP(
sport=40000 + ((flow_index + offset) % 20000),
dport=dst_port,
flags="PA" if normalize_label(label) != "benign" else "A",
)
else:
l4 = UDP(
sport=40000 + ((flow_index + offset) % 20000),
dport=dst_port,
)
packet = IP(src=src_ip, dst=dst_ip, ttl=ttl) / l4 / Raw(load=payload[:64])
packet.time = timestamp + offset * 0.0001
packets.append(packet)
for offset in range(total_bwd):
if protocol is TCP:
l4 = TCP(
sport=dst_port,
dport=40000 + ((flow_index + offset) % 20000),
flags="A",
)
else:
l4 = UDP(
sport=dst_port,
dport=40000 + ((flow_index + offset) % 20000),
)
packet = IP(src=dst_ip, dst=src_ip, ttl=64) / l4 / Raw(load=b"ACK")
packet.time = timestamp + (total_fwd + offset) * 0.0001
packets.append(packet)
return packets
def load_sample(spec: TaskSpec) -> pd.DataFrame:
path = CSV_DIR / spec.source_csv
frame = clean_columns(pd.read_csv(path, encoding="utf-8-sig", low_memory=False))
sampled = []
for label, sample_size in spec.samples.items():
subset = frame[frame["Label"] == label]
sampled.append(subset.sample(n=min(sample_size, len(subset)), random_state=spec.seed))
result = pd.concat(sampled, ignore_index=True)
return result.sample(frac=1.0, random_state=spec.seed).reset_index(drop=True)
def build_task(spec: TaskSpec) -> None:
frame = load_sample(spec)
packets = []
annotation = {
"pcap_file": f"{spec.name}.pcap",
"source_csv": spec.source_csv,
"description": spec.description,
"malicious_packets": [],
"packet_roles": {},
"sessions": {},
"session_roles": {},
"entry_point": None,
}
packet_counter = 0
session_counter: Dict[str, int] = {}
for flow_index, row in frame.iterrows():
label = row["Label"]
role = normalize_label(label)
flow_packets = make_packets_for_flow(row, label, flow_index)
packet_ids = []
for packet in flow_packets:
packet_counter += 1
packet_ids.append(f"pkt_{packet_counter:04d}")
packets.append(packet)
if role != "benign":
annotation["malicious_packets"].extend(packet_ids)
for packet_id in packet_ids:
annotation["packet_roles"][packet_id] = role
session_counter[role] = session_counter.get(role, 0) + 1
session_name = f"{role}_session_{session_counter[role]:02d}"
annotation["sessions"][session_name] = packet_ids
annotation["session_roles"][session_name] = role
if annotation["entry_point"] is None:
annotation["entry_point"] = packet_ids[0]
pcap_path = OUTPUT_DIR / f"{spec.name}.pcap"
json_path = OUTPUT_DIR / f"{spec.name}.json"
wrpcap(str(pcap_path), packets)
json_path.write_text(json.dumps(annotation, indent=2), encoding="utf-8")
print(f"Wrote {pcap_path.name} with {len(packets)} packets")
print(f"Wrote {json_path.name} with {len(annotation['sessions'])} sessions")
def main() -> None:
for spec in TASK_SPECS:
build_task(spec)
if __name__ == "__main__":
main()
|