Attacks Inventory
Full list:
attacks.csv
This document lists every executed experiment/attack included in the dataset. Each row is an entry describing a single recorded run (attack or benign capture) with its category, human-readable start/end timestamps (UTC) and epoch millisecond timestamps for easy programmatic use. Use this file to locate PCAPs, correlate labels, and align attack windows with sensor streams.
Column descriptions
- filename
A unique identifier for the capture/attack entry. This matches the naming convention used for PCAPs/indices (e.g.,attack_ddos_syn-flood-port-80_edge1).
Pattern for filename is: {data_type}_{attack_category}_{attack_name}_{target_device}.
Some attacks have different variations like targeting specific ports, etc. Such attacks are identified by -port-x at the end of attack name, not all attacks have such part.
- data_type
Type of the record: attack for malicious experiments, or benign for normal traffic captures.
-
category
Broad attack category (e.g.,ddos,recon,bruteforce,mitm) or blank for benign captures. -
attack_name
Short descriptive name of the attack type (e.g.,syn-flood-port-80,udp-flood-port-80). Blank for benign captures. -
attack_target
Thedevice_name(as shown indevices.csv) targeted by the attack (e.g.,edge1,light-sensor,router). Blank if not applicable. -
doc_count
Approximate number of documents/packets/lines indexed for this capture in the dataset (useful to gauge volume). -
start
ISO 8601 human-readable start timestamp in UTC (e.g.,2025-01-23T15:31:10.709Z). -
end
ISO 8601 human-readable end timestamp in UTC. -
start_timestamp
Start time as epoch milliseconds (floating or integer) — helpful for fast numeric comparisons and windowing. -
end_timestamp
End time as epoch milliseconds.
Notes & best practices
- All timestamps are in UTC and follow ISO 8601 in the
start/endcolumns.start_timestamp/end_timestampare epoch milliseconds. When joining with sensor streams, prefer epoch ms to avoid parsing differences. - Multi-target or multi-file attacks should have one entry per target/file (this inventory uses that approach).
- The
doc_countcolumn provides a rough size; use checksums or file sizes for integrity checks. - For reproducibility, include the exact script and commit hash used to run each attack in a supplementary
attack_scripts/folder or an extended CSV column (not present in this minimal view).
Sample / Full table (rows provided)
| filename | data_type | category | attack_name | attack_target | doc_count | start | end | start_timestamp | end_timestamp |
|---|---|---|---|---|---|---|---|---|---|
| attack_ddos_syn-flood-port-80_edge1 | attack | ddos | syn-flood-port-80 | edge1 | 7907037 | 2025-01-23T15:31:10.709Z | 2025-01-23T15:32:12.789Z | 1737646270709.0 | 1737646332789.0 |
| attack_ddos_push-ack-flood-port-80_edge1 | attack | ddos | push-ack-flood-port-80 | edge1 | 7888985 | 2025-01-24T20:15:17.562Z | 2025-01-24T20:16:19.565Z | 1737749717562.0 | 1737749779565.0 |
| attack_ddos_rst-fin-flood-port-1883_light-sensor | attack | ddos | rst-fin-flood-port-1883 | light-sensor | 7886989 | 2025-01-25T14:52:26.685Z | 2025-01-25T14:53:28.661Z | 1737816746685.0 | 1737816808661.0 |
| attack_ddos_rst-fin-flood-port-80_router | attack | ddos | rst-fin-flood-port-80 | router | 7883402 | 2025-01-25T15:13:14.519Z | 2025-01-25T15:14:16.564Z | 1737817994519.0 | 1737818056564.0 |
| attack_ddos_rst-fin-flood-port-80_edge1 | attack | ddos | rst-fin-flood-port-80 | edge1 | 7879480 | 2025-01-25T15:20:10.535Z | 2025-01-25T15:21:12.470Z | 1737818410535.0 | 1737818472470.0 |
| attack_ddos_rst-fin-flood-port-80_switch | attack | ddos | rst-fin-flood-port-80 | switch | 7879052 | 2025-01-25T15:23:38.361Z | 2025-01-25T15:24:40.381Z | 1737818618361.0 | 1737818680381.0 |
| attack_ddos_udp-flood-port-80_switch | attack | ddos | udp-flood-port-80 | switch | 7877568 | 2025-01-23T20:55:16.795Z | 2025-01-23T20:56:18.793Z | 1737665716795.0 | 1737665778793.0 |
| attack_ddos_rst-fin-flood-port-80_wisenet-camera | attack | ddos | rst-fin-flood-port-80 | wisenet-camera | 7870773 | 2025-01-25T15:47:53.896Z | 2025-01-25T15:48:55.881Z | 1737820073896.0 | 1737820135881.0 |
| attack_ddos_udp-flood-port-80_router | attack | ddos | udp-flood-port-80 | router | 7870560 | 2025-01-23T20:47:09.900Z | 2025-01-23T20:48:11.908Z | 1737665229900.0 | 1737665291908.0 |
| attack_ddos_udp-flood-port-80_yi-camera | attack | ddos | udp-flood-port-80 | yi-camera | 7870351 | 2025-01-23T22:45:18.351Z | 2025-01-23T22:46:20.355Z | 1737672318351.0 | 1737672380355.0 |
| attack_ddos_udp-flood-port-80_ap | attack | ddos | udp-flood-port-80 | ap | 7869986 | 2025-01-23T20:57:17.970Z | 2025-01-23T20:58:20.050Z | 1737665837970.0 | 1737665900050.0 |
| benign_whole-network3 | benign | benign | benign | whole-network | 2281956 | 2025-09-09T14:09:40.400Z | 2025-09-10T02:09:39.933Z | 1757426980400.0 | 1757470179933.0 |
Reference to the full CSV
The authoritative, machine-readable inventory is stored at:
Full list:
attacks.csv