Added labels for this dataset

README.md

@@ -17,11 +17,6 @@ As an example, labels created by the provider for the
 
     B/B_Root_Anomaly-20190907/provider-uscisiant
 
-When citing labels, please use the label name (omit "provider" if present)
-and dataset name. For example provider-uscisiant labels from the above
-example could be cited as "uscisiant labels for B_Root_Anomaly-20190907
-dataset".
-
 In each subdirectory containing labels, please refer to the specific
 README file that describes the associated labels or tools to create
 the labels and how to use them.
@@ -46,3 +41,10 @@ tools from the "tools/usc-isi-antlab/ddos" directory and are
 referenced in the B/B_Root_Anomaly-20190907/provider/README.md file.
 These are generic tools that are used for many of the datasets
 prefixed with /B_Root_Anomaly-/.
+
+## Citing labels
+
+When citing labels, please use the label name (omit "provider" if present)
+and dataset name. For example provider-uscisiant labels from the above
+example could be cited as "uscisiant labels for B_Root_Anomaly-20190907
+dataset".

ddos_hackathon-20200511/provider-peakflow/README.md

@@ -0,0 +1,29 @@
+# Provenance information
+
+Peakflow (now NetScout) appliance was running at FRGP network during
+dataset collection and it was generating alerts, which we collected
+as well. We pre-filtered these alerts to keep only reflection DDoS
+attacks and we have anonymized the alerts to match the dataset
+anonymization. Each alert shows the epoch start and stop time of
+the attack, and the attack type(s) as reported by Peakflow. The
+start time is the actual attack detection time and the stop time
+is when the mitigation was stopped.
+
+# Tools required for generating labels
+
+The provider (usc-isi) has produced the tool to use the provided
+event labels in this folder and Netflow data from the dataset to
+produce per-flow labels (B for benign, A for attack). The tool prints
+output of nfdump -o pipe and attaches the label at the end of the line.
+The tool can be found in /tools/usc-isi/netflow-ddos/ directory
+in the COMUNDA git repository.  Please refer to the
+README.md file in that directory for how to run the tool. The
+instructions below describe how to use the tool to generate the
+provider given labels for this dataset.
+
+
+# How to run the labeling code
+
+```
+perl tag_flows.pl path-to-folder-w-netflow path-to-this-folder
+```

ddos_hackathon-20200511/provider-peakflow/README.md~

@@ -0,0 +1,29 @@
+# Provenance information
+
+Peakflow (now NetScout) appliance was running at FRGP network during
+dataset collection and it was generating alerts, which we collected
+as well. We pre-filtered these alerts to keep only reflection DDoS
+attacks and we have anonymized the alerts to match the dataset
+anonymization. Each alert shows the epoch start and stop time of
+the attack, and the attack type(s) as reported by Peakflow. The
+start time is the actual attack detection time and the stop time
+is when the mitigation was stopped.
+
+# Tools required for generating labels
+
+The provider (usc-isi) has produced the tool to use the provided
+event labels in this folder and Netflow data from the dataset to
+produce per-flow labels (B for benign, A for attack). The tool prints
+output of nfdump -o pipe and attaches the label at the end of the line.
+The tool can be found in /tools/usc-isi/netflow-ddos/ directory
+in the COMUNDA git repository.  Please refer to the
+README.md file in that directory for how to run the tool. The
+instructions below describe how to use the tool to generate the
+provider given labels for this dataset.
+
+
+# How to run the labeling code
+
+```
+perl tag_flows.pl tag -s 1581581100 -e 1581581360 -r <path-to-folder-w-traces> -E sin -q 8.8.8.8 
+```

ddos_hackathon-20200511/provider-peakflow/aug/peak.1

@@ -0,0 +1,4 @@
+Target 17.20.107.182
+start 1598219145
+end 1598219391
+type mDNSAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.10

@@ -0,0 +1,4 @@
+Target 17.20.122.67
+start 1597986765
+end 1597987014
+type NTPAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.11

@@ -0,0 +1,4 @@
+Target 17.77.201.1
+start 1598572185
+end 1598572671
+type UDP IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.12

@@ -0,0 +1,4 @@
+Target 17.77.52.118
+start 1598572097
+end 1598572397
+type UDP IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.2

@@ -0,0 +1,4 @@
+Target 26.27.154.249
+start 1598542091
+end 1598542371
+type DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.3

@@ -0,0 +1,4 @@
+Target 17.20.127.110
+start 1598543745
+end 1598544291
+type mDNSAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.4

@@ -0,0 +1,4 @@
+Target 116.231.92.155
+start 1597777605
+end 1597778095
+type CLDAPAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.5

@@ -0,0 +1,4 @@
+Target 16.73.76.89
+start 1597888485
+end 1597888792
+type CLDAPAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.6

@@ -0,0 +1,4 @@
+Target 17.20.123.89
+start 1598045205
+end 1598045693
+type CLDAPAmplification IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.7

@@ -0,0 +1,4 @@
+Target 17.20.120.126
+start 1598597925
+end 1598598292
+type UDP CLDAPAmplification IPFragmentation TotalTraffic DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.8

@@ -0,0 +1,4 @@
+Target 17.20.120.126
+start 1598661332
+end 1598662133
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/aug/peak.9

@@ -0,0 +1,4 @@
+Target 26.14.91.190
+start 1597811745
+end 1597812113
+type chargenAmplification 

ddos_hackathon-20200511/provider-peakflow/may/peak.1

@@ -0,0 +1,4 @@
+Target 46.148.120.155
+start 1589247121
+end 1589247471
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/may/peak.10

@@ -0,0 +1,4 @@
+Target 46.148.123.147
+start 1589603325
+end 1589603739
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/may/peak.11

@@ -0,0 +1,4 @@
+Target 46.148.120.155
+start 1589328634
+end 1589329180
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/may/peak.12

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589271345
+end 1589271645
+type ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.13

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589289558
+end 1589297143
+type TCPSYN/ACKAmplification ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.14

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589297180
+end 1589297564
+type TCPSYN/ACKAmplification TotalTraffic ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.15

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589297610
+end 1589298043
+type TCPSYN/ACKAmplification TotalTraffic ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.16

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589298091
+end 1589298463
+type ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.17

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589298501
+end 1589298883
+type ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.18

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589298912
+end 1589299303
+type ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.19

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589299344
+end 1589299723
+type ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.2

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589246985
+end 1589247285
+type ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.20

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589299760
+end 1589300143
+type ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.21

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589300174
+end 1589302901
+type ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.22

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589302937
+end 1589303320
+type TCPSYN/ACKAmplification ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.23

@@ -0,0 +1,4 @@
+Target 40.40.133.46
+start 1589509363
+end 1589509660
+type CLDAPAmplification 

ddos_hackathon-20200511/provider-peakflow/may/peak.3

@@ -0,0 +1,4 @@
+Target 16.52.125.25
+start 1589281845
+end 1589282145
+type CLDAPAmplification IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/may/peak.4

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589268498
+end 1589268798
+type ICMP 

ddos_hackathon-20200511/provider-peakflow/may/peak.5

@@ -0,0 +1,4 @@
+Target 16.52.125.25
+start 1589358449
+end 1589358820
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/may/peak.6

@@ -0,0 +1,4 @@
+Target 40.40.133.46
+start 1589509005
+end 1589509300
+type CLDAPAmplification DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/may/peak.7

@@ -0,0 +1,4 @@
+Target 113.41.244.95
+start 1589673765
+end 1589674059
+type TCPRST 

ddos_hackathon-20200511/provider-peakflow/may/peak.8

@@ -0,0 +1,4 @@
+Target 26.27.120.177
+start 1589658703
+end 1589659180
+type CLDAPAmplification IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/may/peak.9

@@ -0,0 +1,4 @@
+Target 40.40.133.46
+start 1589509005
+end 1589509300
+type CLDAPAmplification DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.1

@@ -0,0 +1,4 @@
+Target 116.254.8.57
+start 1599762285
+end 1599762790
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.10

@@ -0,0 +1,4 @@
+Target 17.20.116.236
+start 1599976545
+end 1599977032
+type CLDAPAmplification IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.11

@@ -0,0 +1,4 @@
+Target 17.20.116.236
+start 1600023226
+end 1600023620
+type NTPAmplification UDP TotalTraffic 

ddos_hackathon-20200511/provider-peakflow/sep/peak.12

@@ -0,0 +1,4 @@
+Target 17.20.116.236
+start 1600036425
+end 1600036940
+type NTPAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.13

@@ -0,0 +1,4 @@
+Target 17.20.116.236
+start 1600036425
+end 1600036940
+type NTPAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.14

@@ -0,0 +1,4 @@
+Target 17.20.116.236
+start 1600037445
+end 1600038080
+type NTPAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.15

@@ -0,0 +1,4 @@
+Target 17.20.116.236
+start 1600037445
+end 1600038080
+type NTPAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.16

@@ -0,0 +1,4 @@
+Target 17.20.116.236
+start 1600121725
+end 1600122430
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.17

@@ -0,0 +1,4 @@
+Target 17.94.222.59
+start 1600146151
+end 1600147690
+type UDP IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.18

@@ -0,0 +1,4 @@
+Target 17.94.222.59
+start 1600146151
+end 1600147690
+type UDP IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.19

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600155705
+end 1600156210
+type CLDAPAmplification IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.2

@@ -0,0 +1,4 @@
+Target 116.254.8.57
+start 1599764968
+end 1599765268
+type CLDAPAmplification IPFragmentation 

ddos_hackathon-20200511/provider-peakflow/sep/peak.20

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600200765
+end 1600201039
+type CLDAPAmplification DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.21

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600203105
+end 1600203620
+type DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.22

@@ -0,0 +1,4 @@
+Target 17.20.123.4
+start 1599944504
+end 1599944812
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.23

@@ -0,0 +1,4 @@
+Target 17.20.116.236
+start 1600121725
+end 1600122430
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.24

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600330524
+end 1600330939
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.25

@@ -0,0 +1,4 @@
+Target 17.20.107.182
+start 1600355767
+end 1600356079
+type DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.26

@@ -0,0 +1,4 @@
+Target 17.20.123.4
+start 1600376554
+end 1600377500
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.27

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600402425
+end 1600402939
+type CLDAPAmplification IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.28

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600406080
+end 1600406720
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.29

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600406080
+end 1600406720
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.3

@@ -0,0 +1,4 @@
+Target 17.20.116.236
+start 1599779257
+end 1599779550
+type IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.30

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600406948
+end 1600407440
+type UDP IPFragmentation TotalTraffic DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.31

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600424325
+end 1600425079
+type CLDAPAmplification IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.32

@@ -0,0 +1,4 @@
+Target 17.20.127.115
+start 1600424325
+end 1600425079
+type CLDAPAmplification IPFragmentation DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.33

@@ -0,0 +1,4 @@
+Target 17.20.107.182
+start 1600445485
+end 1600445780
+type DNSAmplification 

ddos_hackathon-20200511/provider-peakflow/sep/peak.34

@@ -0,0 +1,4 @@
+Target 17.20.107.182
+start 1600446920
+end 1600447221
+type mDNSAmplification