A case study on the representativeness of public DoS network traffic data for cybersecurity research
Catillo M.;Pecchia A.;Villano U.
2020-01-01
Abstract
The availability of ready-to-use public security datasets is fostering measurement-driven research by a wide community of academics and practitioners. Recent trends in this area have put forth a substantial body of literature on anomaly and attack detection on top of public labelled datasets. Much of this literature blindly reuses existing datasets, overlooking the cybersecurity facets of the network traffic therein, i.e., its real impact on service availability and on the performance of operations. This paper addresses the representativeness of the network traffic data provided by public datasets for cybersecurity research. To this aim, it proposes an initial exploration of the topic by means of a case study on the Denial of Service (DoS) traffic of CICIDS2017, a recent dataset collected in a controlled environment that has gained massive attention over the past two years. The DoS traffic, which is available in CICIDS2017 in the form of packet data files, is replayed against a victim server in a controlled testbed. Measurements indicate that the DoS traffic, although somewhat relevant at network level, has limited impact at application level (i.e., when the performance of the victim under attack is taken into account). The findings provide some key insights into the limitations of the data assessed in the study, paving the way for the construction of more rigorous datasets conceived with a multilayer perspective and reflecting actual traffic conditions under both normative operations and disruptive attacks.