1998 Anomaly Training Data

The simulation featured 6 users whose activity can be used to test anomaly detection systems.

Overview

The activity of these six users remains consistent from day to day, but on some days, the users exhibit anomalous behavior in ways that should be detectable to an anomaly detection system. The users include two programmers who edit and compile C programs, a secretary who edits latex files, a system administrator who keeps tabs on processes and system files, and two managers. Each user logs in twice a day via telnet, 5 days a week, and the users' login hours vary little from day to day. Most users log in once in the morning and once in the afternoon. The anomalies that are introduced into the users' sessions include logging in from a different source, logging in at an unusual time, executing new commands, and changing identity. In the training data, all anomalies were introduced during the 6th week. The schedule for these anomalies is shown below.

Schedule

Week/Day  User         Username  Starttime  Source   Dest    Anomaly Description
6-0       programmer2  franko    14:57:10   beta     pascal  logs in from beta
6-0       secretary    georgeb   20:03:39   alpha    pascal  logs in at night
6-1       sysadm       janes     08:29:48   jupiter  pascal  logs in from jupiter
6-1       programmer1  fredd     08:52:15   alpha    pascal  becomes a secretary
6-2       secretary    georgeb   08:16:01   alpha    pascal  becomes a manager
6-2       programmer1  fredd     21:09:24   alpha    pascal  logs in at night
6-3       sysadm       janes     08:54:53   alpha    pascal  becomes a programmer
6-3       manager1     williamf  23:59:11   alpha    pascal  logs in at midnight (see note)
6-4       manager1     williamf  08:11:12   alpha    pascal  becomes a sysadm
6-4       manager2     donaldh   08:42:52   pluto    pascal  logs in from pluto
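
An added example, not part of the original dataset documentation: a detector that uses only login metadata (source host and start time), scored against the week-6 schedule above. The baseline login times, the assumption that every normal session comes from alpha, the 60-minute slack, and all function names are constructed for illustration.

```python
# Week-6 rows copied from the schedule on this page: (day, username, start, source, description)
SCHEDULE = [
    ("6-0", "franko",   "14:57:10", "beta",    "logs in from beta"),
    ("6-0", "georgeb",  "20:03:39", "alpha",   "logs in at night"),
    ("6-1", "janes",    "08:29:48", "jupiter", "logs in from jupiter"),
    ("6-1", "fredd",    "08:52:15", "alpha",   "becomes a secretary"),
    ("6-2", "georgeb",  "08:16:01", "alpha",   "becomes a manager"),
    ("6-2", "fredd",    "21:09:24", "alpha",   "logs in at night"),
    ("6-3", "janes",    "08:54:53", "alpha",   "becomes a programmer"),
    ("6-3", "williamf", "23:59:11", "alpha",   "logs in at midnight"),
    ("6-4", "williamf", "08:11:12", "alpha",   "becomes a sysadm"),
    ("6-4", "donaldh",  "08:42:52", "pluto",   "logs in from pluto"),
]

# CONSTRUCTED baseline (not from the dataset): usual login times, all assumed to come from "alpha".
BASELINE = {
    "franko":   ["13:05:00", "14:50:00", "18:10:00", "19:30:00"],
    "georgeb":  ["08:10:00", "08:25:00", "13:05:00", "13:40:00"],
    "janes":    ["08:20:00", "08:50:00", "13:10:00", "14:00:00"],
    "fredd":    ["08:40:00", "09:00:00", "13:20:00", "14:30:00"],
    "williamf": ["08:05:00", "08:20:00", "13:00:00", "13:30:00"],
    "donaldh":  ["08:30:00", "08:50:00", "13:15:00", "13:45:00"],
}

def minutes(hms):
    h, m, _ = map(int, hms.split(":"))
    return h * 60 + m  # minutes since midnight

def build_profiles(baseline, source="alpha"):
    """Per-user profile: known source hosts and the observed login window."""
    return {u: {"sources": {source}, "lo": min(map(minutes, t)), "hi": max(map(minutes, t))}
            for u, t in baseline.items()}

def classify(profile, start, source, slack=60):
    """Return the reasons a login deviates from the profile (empty set = looks normal)."""
    reasons = set()
    if source not in profile["sources"]:
        reasons.add("new_source")
    if not profile["lo"] - slack <= minutes(start) <= profile["hi"] + slack:
        reasons.add("odd_hour")
    return reasons

def evaluate(schedule=SCHEDULE, baseline=BASELINE):
    """Map each scheduled anomaly (day, username) to what the login-only detector reports."""
    profiles = build_profiles(baseline)
    return {(d, u): classify(profiles[u], t, s) for d, u, t, s, _ in schedule}

if __name__ == "__main__":
    print(evaluate())
```

Under these assumptions the detector flags the six source and time anomalies and reports nothing for the four "becomes a ..." rows, which change what the user executes rather than where or when they log in.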

 

User Descriptions

sysadm: A system administrator named Jane Steinberg who logs in as root, cats the password file and runs commands such as top.
programmer1: A programmer named Fred Dunmeyer who writes public domain C code using a vi editor, compiles the C code (sometimes successfully), reads and sends mail, and executes unix commands.
programmer2: Another programmer named Frank Orlando with a similar user profile, except that he works afternoons and evenings.
secretary: A secretary named George Belliard who edits latex files, runs latex, reads mail, and sends mail.
manager1: A manager named William Finchley who reads and sends mail.
manager2: A manager named Donald Hershey who reads mail.

 

Notes

Note: The tcpdump data for this day (Thursday, week six) is truncated due to the sniffer crashing just after 6pm. Therefore, this anomaly is only present in the BSM data.

 
