1998 DARPA Intrusion Detection Evaluation Dataset
There were two parts to the 1998 DARPA Intrusion Detection Evaluation: an off-line evaluation and a real-time evaluation.
Intrusion detection systems were tested in the off-line evaluation using network traffic and audit logs collected on a simulation network. The systems processed these data in batch mode and attempted to identify attack sessions in the midst of normal activities.
Intrusion detection systems were delivered to the Air Force Research Laboratory (AFRL) for the real-time evaluation. These systems were inserted into the AFRL network test bed and attempted to identify attack sessions in real time during normal activities.
Intrusion detection systems were tested as part of the off-line evaluation, the real-time evaluation, or both.
Sample Data
A sample of the network traffic and audit logs that were used for evaluating systems. These data were first made available in February 1998.
- README file
- Sample dataset [3,000 Kb tar/gzip]
Four-Hour Subset of Training Data
A somewhat larger sample of training data. These data were first made available in May 1998.
- README file
- Tcpdump data [38 MB gzip]
- BSM data [5 MB gzip]
- ASCII BSM data [6 MB gzip]
- File system dump (ufsdump) - /root [40 MB gzip]
- File system dump (ufsdump) - /usr [87 MB gzip]
- File system dump (ufsdump) - /home [1 MB gzip]
- File system dump (ufsdump) - /opt [93 MB gzip]
Training Data
Seven weeks of network-based attacks in the midst of normal background data. Listings of attacks and anomalies are available in the documentation section below.
- First week of training data
- Second week of training data
- Third week of training data
- Fourth week of training data
- Fifth week of training data
- Sixth week of training data
- Seventh week of training data
Testing Data
Two weeks of network-based attacks in the midst of normal background data.
- First week of test data
- Second week of test data
- First week truth [13.7 MB tar gzip]
- Second week truth [13.1 MB tar gzip]
Documentation
1998 DARPA Intrusion Detection Evaluation
The following three talks, presented by MIT Lincoln Laboratory in December 1998, summarize the evaluation.
The official guidelines for the 1998 DARPA evaluation were first made available in March 1998 and were updated throughout the following year.
- Evaluation schedule
- Off-line Evaluation Plan [txt]
- Off-line Evaluation Network Diagram [GIF] [PS] [ppt]
- List of simulation network hosts (names and IP addresses)
- Real-time Evaluation Plan [txt]
- Real-time Evaluation Network [GIF] [PS] [ppt]
Documentation for the first sample of network traffic and audit logs that was first made available in February 1998.
Documentation for a four-hour sample of network traffic and audit logs that was first made available in May 1998.
A list of attacks and a list of anomalies, with descriptions, provide further documentation of the seven weeks of training data used in the 1998 evaluation.