Federated TON_IoT Windows Datasets for Evaluating AI-based Security Applications

TL;DR

This paper introduces federated IoT datasets from Windows and Linux sources, designed to evaluate AI-based cybersecurity solutions across a multi-layered testbed with real attack and normal activity data.

Contribution

It presents new federated datasets from Windows IoT environments, along with a comprehensive multi-layered testbed using SDN and NFV for cybersecurity research.

Findings

Datasets include diverse attack and normal activity data from Windows systems.

The testbed integrates edge, fog, and cloud layers for realistic environment simulation.

Datasets are publicly accessible for cybersecurity research and evaluation.

Abstract

Existing cyber security solutions have been basically developed using knowledge-based models that often cannot trigger new cyber-attack families. With the boom of Artificial Intelligence (AI), especially Deep Learning (DL) algorithms, those security solutions have been plugged-in with AI models to discover, trace, mitigate or respond to incidents of new security events. The algorithms demand a large number of heterogeneous data sources to train and validate new security systems. This paper presents the description of new datasets, the so-called ToN_IoT, which involve federated data sources collected from telemetry datasets of IoT services, operating system datasets of Windows and Linux, and datasets of network traffic. The paper introduces the testbed and description of TON_IoT datasets for Windows operating systems. The testbed was implemented in three layers: edge, fog and cloud. The edge layer involves IoT and network devices, the fog layer contains virtual machines and gateways, and the cloud layer involves cloud services, such as data analytics, linked to the other two layers. These layers were dynamically managed using the platforms of software-Defined Network (SDN) and Network-Function Virtualization (NFV) using the VMware NSX and vCloud NFV platform. The Windows datasets were collected from audit traces of memories, processors, networks, processes and hard disks. The datasets would be used to evaluate various AI-based cyber security solutions, including intrusion detection, threat intelligence and hunting, privacy preservation and digital forensics. This is because the datasets have a wide range of recent normal and attack features and observations, as well as authentic ground truth events. The datasets can be publicly accessed from this link [1].