KDD是数据挖掘与知识发现(DataMiningandKnowledgeDiscovery)的简称,KDDCUP是由ACM(AssociationforComputingMachiner)的SIGKDD(SpecialInterestGrouponKnowledgeDiscoveryandDataMining)组织的年度竞赛。竞赛主页在这里。下面是历届KDDCUP的题目:KDD-Cup2008,BreastcancerKDD-Cup2007,ConsumerrecommendationsKDD-Cup2006,PulmonaryembolismsdetectionfromimagedataKDD-Cup2005,InternetusersearchquerycategorizationKDD-Cup2004,Particlephysics;plusProteinhomologypredictionKDD-Cup2003,NetworkminingandusageloganalysisKDD-Cup2002,BioMeddocument;plusGeneroleclassificationKDD-Cup2001,Molecularbioactivity;plusProteinlocaleprediction.KDD-Cup2000,OnlineretailerwebsiteclickstreamanalysisKDD-Cup1999,ComputernetworkintrusiondetectionKDD-Cup1998,DirectmarketingforprofitoptimizationKDD-Cup1997,Directmarketingforliftcurveoptimization”KDDCUP99dataset”就是KDD竞赛在1999年举行时采用的数据集。从这里下载KDD99数据集。1998年美国国防部高级规划署(DARPA)在MIT林肯实验室进行了一项入侵检测评估项目。林肯实验室建立了模拟美国空军局域网的一个网络环境,收集了9周时间的TCPdump(*)网络连接和系统审计数据,仿真各种用户类型、各种不同的网络流量和攻击手段,使它就像一个真实的网络环境。这些TCPdump采集的原始数据被分为两个部分:7周时间的训练数据(**)大概包含5,000,000多个网络连接记录,剩下的2周时间的测试数据大概包含2,000,000个网络连接记录。一个网络连接定义为在某个时间内从开始到结束的TCP数据包序列,并且在这段时间内,数据在预定义的协议下(如TCP、UDP)从源IP地址到目的IP地址的传递。每个网络连接被标记为正常(normal)或异常(attack),异常类型被细分为4大类共39种攻击类型,其中22种攻击类型出现在训练集中,另有17种未知攻击类型出现在测试集中。4种异常类型分别是:1.DOS,denial-of-service.拒绝服务攻击,例如ping-of-death,synflood,smurf等;2.R2L,unauthorizedaccessfromaremotemachinetoalocalmachine.来自远程主机的未授权访问,例如guessingpassword;3.U2R,unauthorizedaccesstolocalsuperuserprivilegesbyalocalunpivilegeduser.未授权的本地超级用户特权访问,例如bufferoverflowattacks;4.PROBING,surveillanceandprobing,端口监视或扫描,例如port-scan,ping-sweep等。随后来自哥伦比亚大学的SalStolfo教授和来自北卡罗莱纳州立大学的WenkeLee教授采用数据挖掘等技术对以上的数据集进行特征分析和数据预处理,形成了一个新的数据集。该数据集用于1999年举行的KDDCUP竞赛中,成为著名的KDD99数据集。虽然年代有些久远,但KDD99数据集仍然是网络入侵检测领域的事实Benckmark,为基于计算智能的网络入侵检测研究奠定基础。数据特征描述KDD99数据集中每个连接(*)用41个特征来描述:2,tcp,smtp,SF,1684,363,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,104,66,0.63,0.03,0.01,0.00,0.00,0.00,0.00,0.00,normal.0,tcp,private,REJ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,38,1,0.00,0.00,1.00,1.00,0.03,0.55,0.00,208,1,0.00,0.11,0.18,0.00,0.01,0.00,0.42,1.00,portsweep.0,tcp,smtp,SF,787,329,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,76,117,0.49,0.08,0.01,0.02,0.00,0.00,0.00,0.00,normal.上面是数据集中的3条记录,以CSV格式写成,加上最后的标记(label),一共有42项,其中前41项特征分为4大类,下面按顺序解释各个特征的含义:1.TCP连接基本特征(共9种)基本连接特征包含了一些连接的基本属性,如连续时间,协议类型,传送的字节数等。(1)duration.连接持续时间,以秒为单位,连续类型。范围是[0,58329]。它的定义是从TCP连接以3次握手建立算起,到FIN/ACK连接结束为止的时间;若为UDP协议类型,则将每个UDP数据包作为一条连接。数据集中出现大量的duration=0的情况,是因为该条连接的持续时间不足1秒。(2)protocol_type....
VIP
