UWF-ZeekData22 Dataset

UWF-ZeekData22

The complete set of files are in Pcap and parquet format, available at: https://datasets.uwf.edu/data/. This dataset consists of Zeek data files labelled using the MITRE ATT&CK Framework. The files in csv format are a subset of the files in parquet format, mainly made available for people who do not have access to "Big Data" technologies.

Details about the CSV files:

Due to the fact that Excel's display limit is 1 million rows, the CSV file has only 1 million rows of data. Other details:

• The data is of the period: Feb 10, 2022, hour 3 to hour 5, hour 9 and hour 14. Each hour was made a separate csv file that has a benign/attack ratio of roughly 80/20. Only the Reconnaissance and Discovery tactics that were kept.

• Due to Excel's row limitations, as well as a very low number of other tactics, other tactics besides Reconnaissance and Discovery were not included.

This document contains:

1. Zeek Files and File Descriptions
2. Attributes in Zeek Files
3. Number of Records in Each File
4. Distribution of Malicious Traffic in UWF-Zeekdata22
5. MITRE ATT&CK Techniques in UWF-ZeekData22
6. MITRE ATT&CK Tactics in UWF-ZeekData22 Dataset
7. Un-flattened Tactics Count
8. Individual File Descriptions

*Disclaimer* The Labeled PCAPs are in a custom binary format, not traditional PCAP format. This is because security onion uses Stenographer and Stenographer uses AF-PACKET for its packet acquisition. You will need to view them using stenoread or use a Query Language.

Related web pages: https://docs.securityonion.net/en/latest/stenographer.html

If you use any of this material or data, please cite our work:

1. Bagui, S.S.; Carvalho, G.C.S.D.; Mishra, A.; Mink, D.; Bagui, S.C.; Eager, S. Detecting Cyber Threats in UWF-ZeekDataFall22 Using K-Means Clustering in the Big Data Environment. Future Internet 2025, 17, 267. https://doi.org/10.3390/fi17060267

2. Elam, M.; Mink, D.; Bagui, S.S.; Plenkers, R.; Bagui, S.C. Introducing UWF-ZeekData24: An Enterprise MITRE ATT&CK Labeled Network Attack Traffic Dataset for Machine Learning/AI. Data 2025, 10, 59. https://doi.org/10.3390/data10050059

3. Krebs, R.; Bagui, S.S.; Mink, D.; Bagui, S.C. Applying Multi-CLASS Support Vector Machines: One-vs.-One vs. One-vs.-All on the UWF-ZeekDataFall22 Dataset. Electronics 2024, 13, 3916. https://doi.org/10.3390/electronics13193916 (Feature Paper)

4. Charkhabi, S.; Samimi, P.; Bagui, S.S.; Mink, D.; Bagui, S.C. Node Classification of Network Threats Leveraging Graph-Based Characterizations Using Memgraph. Computers 2024, 13, 171. https://doi.org/10.3390/computers13070171

5. Moomtaheen, F.; Bagui, S.S.; Bagui, S.C.; Mink, D. Extended Isolation Forest for Intrusion Detection in Zeek Data. Information 2024, 15, 404. https://doi.org/10.3390/info15070404

6. Bagui, S.S.; Mink, D.; Bagui, S.C.; Subramaniam, S. Resampling to Classify Rare Attack Tactics in UWF-ZeekData22. Knowledge 2024, 4, 96-119. https://doi.org/10.3390/knowledge4010006

7. Bagui, S.S.; Mink, D.; Bagui, S.C.; Sung, D.H.; Mahmud, F. Graphical Representation of UWF-ZeekData22 Using Memgraph. Electronics 2024, 13, 1015. https://doi.org/10.3390/electronics13061015

8. Bagui, S.S.; Mink, D.; Bagui, S.C.; Madhyala, P.; Uppal, N.; McElroy, T.; Plenkers, R.; Elam, M.; Prayaga, S. Introducing the UWF-ZeekDataFall22 Dataset to Classify Attack Tactics from Zeek Conn Logs Using Spark's Machine Learning in a Big Data Framework. Electronics 2023, 12, 5039. https://doi.org/10.3390/electronics12245039

9. Bagui, S.S.; Mink, D.; Bagui, S.C.; Subramaniam, S. Determining Resampling Ratios Using BSMOTE and SVM-SMOTE for Identifying Rare Attacks in Imbalanced Cybersecurity Data. Computers 2023, 12, 204. https://doi.org/10.3390/computers12100204 (Editor's Choice)

10. Bagui, S.S.; Mink, D.; Bagui, S.C.; Plain, M.; Hill, J.; Elam, M. Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22. Future Internet 2023, 15, 236. https://doi.org/10.3390/fi15070236

11. Bagui, S.; Mink, D.; Bagui, S.; Subramaniam, S.; Wallace, D. Resampling Imbalanced Network Intrusion Datasets to Identify Rare Attacks. Future Internet 2023, 15, 130. https://doi.org/10.3390/fi15040130

12. Bagui, S.S.; Mink, D.; Bagui, S.C.; Ghosh, T.; Plenkers, R.; McElroy, T.; Dulaney, S.; Shabanali, S. Introducing UWF-ZeekData22: A Comprehensive Network Traffic Dataset Based on the MITRE ATT&CK Framework. Data 2023, 8, 18. https://doi.org/10.3390/data8010018 (Editor's Choice)

13. Bagui, S.; Mink, D.; Bagui, S.; Ghosh, T.; McElroy, T.; Paredes, E.; Khasnavis, N.; Plenkers, R. Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark's Machine Learning in the Big Data Framework. Sensors 2022, 22, 7999. https://doi.org/10.3390/s22207999

For any questions about these files, please email:

Dr. Sikha Bagui at bagui@uwf.edu
Dr. Dustin Mink at dmink@uwf.edu
Dr. Subhash Bagui at sbagui@uwf.edu

Members of this Cyber Analytics Research Group (CAR) (past and present):
Faculty: Dr. Sikha Bagui, Dr. Dustin Mink, and Dr. Subhash Bagui
Graduate Research Assistants: Marshall Elam, Andrew Palmer, and Thomas Thibaut
Undergrade Research Assistants: Mohammed Alquraishi, Stephan Dulaney, Molly Ferguson, Jadarius Hill, Jiya Huang, Nitisha Khanavis, Pooja Madhalya, Farooq Mahmud. Tom McElroy, Esteban Paredes, Michael Plain, Ricky Salinas, Sajida Shabanali, Sakthi Subramaniam, Emily Summers, Neha Uppal, and Daniel Wallace