In the fourth quarter of 2024, around 512,000 DDoS attacks were registered worldwide. The figure has gradually increased from 274,000 incidents in the first quarter of 2023.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
2018.
In the first half of 2024, DDoS attacks on web search portals and all other information services in Indonesia had the highest average duration, amounting to around 375 minutes per attack. A DDoS attack, also known as a Distributed Denial-of-Service attack, is a type of cybercrime where the attacker overwhelms a server with internet traffic in an effort to prevent people from accessing linked websites and online services.
MIT License https://opensource.org/licenses/MIT
The Real-Time DDoS Traffic Dataset for ML is designed to support the development, testing, and validation of machine learning models focused on detecting Distributed Denial of Service (DDoS) attacks in real-time. As cybersecurity threats evolve, particularly in the realm of network traffic anomalies like DDoS, having access to labeled data that mirrors real-world attack scenarios is essential. This dataset aims to bridge this gap by providing comprehensive, structured network traffic data that includes both normal and DDoS attack instances, facilitating machine learning research and experimentation in DDoS detection and prevention.
The dataset is compiled from network traffic that either replicates real-time conditions or is simulated under carefully controlled network configurations to generate authentic DDoS attack traffic. This data encompasses variations in packet transmission and byte flow, which are key indicators in distinguishing between typical network behavior and DDoS attack patterns. The primary motivation behind this dataset is to aid machine learning practitioners and cybersecurity experts in training models that can effectively differentiate between benign and malicious traffic, even under high-stress network conditions.
Data Source and Collection: Include information on how the data was collected, whether it was simulated or recorded from real systems, and any specific tools or configurations used.
Dataset Structure: List and explain the features or columns in the dataset. For instance, you might describe columns such as:
This dataset is ideal for a range of applications in cybersecurity and machine learning:
1. Training DDoS Detection Models: The dataset is specifically structured for use in supervised learning models that aim to identify DDoS attacks in real time. Researchers and developers can train and test models using the labeled data provided.
2. Real-Time Anomaly Detection: Beyond DDoS detection, the dataset can serve as a foundation for models focused on broader anomaly detection tasks in network traffic monitoring.
3. Benchmarking and Comparative Studies: By providing data for both normal and attack traffic, this dataset is suitable for benchmarking various algorithms, allowing comparisons across different detection methods and approaches.
4. Cybersecurity Education: The dataset can also be used in educational contexts, allowing students and professionals to gain hands-on experience with real-world data, fostering deeper understanding of network anomalies and cybersecurity threats.
Limitations and Considerations
While the dataset provides realistic DDoS patterns, it is essential to note a few limitations:
Data Origin: The dataset may contain simulated attack patterns, which could differ from real-world DDoS attack traffic in more complex network environments.
Sampling Bias: Certain features or types of attacks may be overrepresented due to the specific network setup used during data collection. Users should consider this when generalizing their models to other environments.
Ethical Considerations: This dataset is intended for educational and research purposes only and should be used responsibly to enhance network security.
Acknowledgments
This dataset is an open-source contribution to the cybersecurity and machine learning communities, and it is designed to empower researchers, educators, and industry professionals in developing stronger defenses against DDoS attacks.
In 2023, the estimated number of distributed denial-of-service (DDoS) cyberattacks in Italy was approximately 13,000. This represents a decrease from the 2,000 attacks registered in 20212. In 2019 and 2020, the country registered the peak of DDoS attacks, with over 15,000 cyberattacks reported.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
Distributed Denial of Service (DDoS) attack is a menace to network security that aims at exhausting the target networks with malicious traffic. Although many statistical methods have been designed for DDoS attack detection, designing a real-time detector with low computational overhead is still one of the main concerns. On the other hand, the evaluation of new detection algorithms and techniques heavily relies on the existence of well-designed datasets. In this paper, first, we review the existing datasets comprehensively and propose a new taxonomy for DDoS attacks. Secondly, we generate a new dataset, namely CICDDoS2019, which remedies all current shortcomings. Thirdly, using the generated dataset, we propose a new detection and family classification approach based on a set of network flow features. Finally, we provide the most important feature sets to detect different types of DDoS attacks with their corresponding weights.
The dataset offers an extended set of Distributed Denial of Service attacks, most of which employ some form of amplification through reflection. The dataset shares its feature set with the other CIC NIDS datasets, IDS2017, IDS2018 and DoS2017.
Original paper link: https://ieeexplore.ieee.org/abstract/document/8888419
Kaggle dataset link: https://www.kaggle.com/datasets/dhoogla/cicddos2019
This is a dataset of DDoS botnet attacks from IoT devices.
It contains all features about packets from bots.
It is intended to help make DDoS attacks preventable.
In the first half of 2024, DDoS attacks on wireless telecommunication carriers in Indonesia amounted to around 14,558. A DDoS attack, also known as a Distributed Denial-of-Service attack, is a type of cybercrime where the attacker overwhelms a server with internet traffic in an effort to prevent people from accessing linked websites and online services.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
NCSRD-DS-5GDDos v2.0 Dataset
===
NCSRD-DS-5GDDos is a comprehensive dataset recorded in a real-world 5G testbed that aligns with the 3GPP specifications. The dataset captures Distributed Denial of Service (DDoS) attacks initiated by malicious connected users (UEs).
The setup comprises 3 cells with a total of 9 UEs connected to the same core network. The 5G network is implemented by the Amarisoft Callbox Mini solution (cell 2), and we further employ a second cell using the Amarisoft Classic (cell 1 & 3), that also hosts the 5G core.
The setup utilizes a broad set of UE devices comprising a set of smart phones (Huawei P40), microcomputers (Raspberry Pi 4 - Waveshare 5G Hat M2), industrial 5G routers (Industrial Waveshare 5G Router), a WiFi-6 mobile hotspot (DWR-2101 5G Wi-Fi 6 Mobile Hotspot) and a CPE box (Waveshare 5G CPE Box). All UEs are being operated by subsidiary hosts which are responsible for the traffic generation, occurring from scheduled communications times.
All identifiers are artificially generated and do not represent and are not based on personal data. We identify each UE through its ‘imeisv’ ID, that corresponds to the device in use, due to vendor implementation, that uses the same IMSI for all UEs.
This dataset captures attack data from a total of 5 malicious User Equipment (UE) devices that initiated various flooding attacks on a 5G network. Each record includes key identifiers such as the IMEISV (International Mobile Equipment Identity Software Version number) and IP address of the attacking UE, along with the device type. The file "summary_report.csv" summarizes this information. The traffic types used in the attacks include SYN flooding, UDP flooding, ICMP flooding, DNS flooding, and GTP-U flooding. The benign users stream YouTube and Skype traffic.
The dataset is recorded through the use of a data collector that interfaces with the 5G network and gathers data regarding UEs, gNBs and the Core Network. The data are recorded in an InfluxDB and pre-processed into three separate tabular .csv files for more efficient processing: “amari_ue_data.csv”, “enb_counters.csv” and “mme_counters.csv”. In this version, we use an Amarisoft Classic (cells 1 & 3, Core Network) and an Amarisoft Mini (cell 2) (more information on the products can be found in https://www.amarisoft.com/).
The “amari_ue_data.csv” provides information on the UEs regarding identification (“imeisv”, “5g_tmsi”, “rnti”), IP addressing, bearer information, cell information (“tac”, “ran_plmn”), and cell information (“ul_bitrate”, “dl_bitrate”, “cell_id”, retransmissions per user per cell “ul_retx” as well as aggregated bit rates for each cell).
The “enb_counters.csv” focuses on cell-level information, providing downlink and uplink bitrates, usage ratio per user, and CPU load of the gNB.
We provide separate files of “amari_ue_data.csv” and “enb_counters.csv” generated from each gNB (Amarisoft Classic and Mini).
The “mme_counters.csv” provides information on the Non-Access Stratum (NAS) of the 5G Network and focuses on session status reports (e.g., number of PDU session establishments, paging, context setup). This part gives an overview of the connection management throughout the recording session, and provides information on features suggested by 3GPP for abnormal user behavior.
We also provide a separate pre-processed dataset that merges the two "amari_ue_data_*.csv" files, including labeling of the malicious/benign samples, and may be more flexible for interested data scientists.
Please refer to README.txt for the features included in each file.
To cite the dataset please reference it as Y. Kim, S. Hakak, and A. Ghorbani. "DDoS Attack Dataset (CICEV2023) against EV Authentication in Charging Infrastructure," in 2023 20th Annual International Conference on Privacy, Security and Trust (PST), IEEE Computer Society, pp. 1-9, August 2023.
Explore a comprehensive dataset capturing DDoS attack scenarios within electric vehicle (EV) charging infrastructure. This dataset features diverse machine learning attributes, including packet access counts, system status details, and authentication profiles across multiple charging stations and grid services. Simulated attack scenarios, authentication protocols, and extensive profiling results offer invaluable insights for training and testing detection models in safeguarding EV charging systems against cyber threats.
Figure 1: Proposed simulator structure, source: Y. Kim, S. Hakak, and A. Ghorbani.
Acknowledgment:
The authors sincerely appreciate the support provided by the Canadian Institute for Cybersecurity (CIC), as well as the funding received from the Canada Research Chair and the Atlantic Canada Opportunities Agency (ACOA).
Reference:
Y. Kim, S. Hakak, and A. Ghorbani. "DDoS Attack Dataset (CICEV2023) against EV Authentication in Charging Infrastructure," in 2023 20th Annual International Conference on Privacy, Security and Trust (PST), IEEE Computer Society, pp. 1-9, August 2023.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
a Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack can severely damage the performance and functionality of network slices. Furthermore
In 2023, organizations in the finance industry in the Americas saw the highest share of DDoS attacks, 25.8 percent of detected attacks. The healthcare industry followed closely, with over 24 percent, while the tech industry followed, with 17 percent.
The global DDoS Attack Protection Service market size was valued at approximately USD 3.2 billion in 2023 and is projected to reach nearly USD 7.5 billion by 2032, growing at a compound annual growth rate (CAGR) of 10.1% during the forecast period. The increasing frequency and sophistication of Distributed Denial of Service (DDoS) attacks, coupled with the expanding digital footprint of enterprises, are significant growth factors for the market.
One of the critical drivers for the DDoS Attack Protection Service market is the exponential growth in internet traffic and the increasing reliance on digital platforms for business operations. As more organizations move their critical operations to the cloud and adopt remote working models, the vulnerability to DDoS attacks has surged. Additionally, the rising incidences of high-profile cyber-attacks have heightened awareness and driven the demand for robust DDoS protection solutions. Companies across various industry verticals are increasingly investing in these services to safeguard their digital assets.
Advancements in technology are another significant market growth factor. The development of sophisticated DDoS protection solutions, such as artificial intelligence (AI) and machine learning (ML)-based systems, has enhanced the ability to detect and mitigate threats in real-time. These advanced systems can analyze vast amounts of data and identify unusual patterns that may indicate an impending attack. This technological progression is expected to accelerate the adoption of DDoS protection services, further propelling market growth.
Regulatory requirements and compliance standards are also contributing factors to market expansion. Governments and regulatory bodies across the globe are imposing stringent cybersecurity regulations that mandate the implementation of adequate protective measures against DDoS attacks. Compliance with these regulations is critical for organizations to avoid hefty fines and reputational damage, prompting them to adopt comprehensive DDoS protection services.
From a regional perspective, North America is anticipated to hold a significant market share owing to the high adoption rate of advanced technologies and the presence of major market players in the region. The Asia Pacific region is expected to witness substantial growth due to the rapid digital transformation and increasing cyber threats in countries such as China, India, and Japan. Europe also demonstrates a strong market potential, driven by stringent data protection regulations and an elevated focus on cybersecurity.
The integration of an Anti DDoS System Ads Platform is becoming increasingly vital for businesses aiming to protect their digital advertising infrastructure. As digital platforms continue to expand, they become more susceptible to DDoS attacks, which can disrupt advertising operations and lead to significant financial losses. By incorporating advanced anti-DDoS systems, companies can ensure the seamless delivery of ads, maintain user engagement, and protect revenue streams. These platforms are designed to detect and mitigate threats in real-time, offering advertisers peace of mind and allowing them to focus on optimizing their campaigns without the constant worry of potential disruptions.
The DDoS Attack Protection Service market by component is segmented into hardware solutions, software solutions, and services. Hardware solutions include specialized appliances that are designed to detect and mitigate DDoS attacks at the network level. These solutions are often deployed in data centers and are critical for enterprises with high traffic volumes. Companies prefer hardware solutions for their robustness and ability to handle large-scale attacks efficiently. Moreover, advancements in hardware technology have led to the development of more sophisticated and powerful devices capable of providing enhanced protection.
Software solutions, on the other hand, provide a flexible and scalable approach to DDoS attack mitigation. These solutions are designed to be integrated into an organization's existing IT infrastructure, offering real-time threat detection and automated response capabilities. Software-based DDoS protection solutions are increasingly popular among organizations due to their ease of deployment and cost-effectiveness. The rise of cloud computing has further fueled the demand for softw
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
Scoreboard dataset contains statistical data for each second during the testing period. Scoreboard represents srcip:srcport-dstip:dstport pair with statistics count for the number of packets, protocol identification, flag (if it is TCP), and a number of SYN packets (if it is TCP). Each ip:port pair represents one communication channel.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
Overview
The RT-IoT2022, a proprietary dataset derived from a real-time IoT infrastructure, is introduced as a comprehensive resource integrating a diverse range of IoT devices and sophisticated network attack methodologies. This dataset encompasses both normal and adversarial network behaviours, providing a general representation of real-world scenarios. Incorporating data from IoT devices such as ThingSpeak-LED, Wipro-Bulb, and MQTT-Temp, as well as simulated attack scenarios involving Brute-Force SSH attacks, DDoS attacks using Hping and Slowloris, and Nmap patterns, RT-IoT2022 offers a detailed perspective on the complex nature of network traffic. The bidirectional attributes of network traffic are meticulously captured using the Zeek network monitoring tool and the Flowmeter plugin. Researchers can leverage the RT-IoT2022 dataset to advance the capabilities of Intrusion Detection Systems (IDS), fostering the development of robust and adaptive security solutions for real-time IoT networks.
Introductory Paper
Quantized autoencoder (QAE) intrusion detection system for anomaly detection in resource-constrained IoT devices using RT-IoT2022 dataset
By B. S. Sharmila, Rohini Nagapadma. 2023. Published in Cybersecurity.
Variable Table available here: https://archive.ics.uci.edu/dataset/942/rt-iot2022
Column Details: id.orig_p id.resp_p proto service flow_duration fwd_pkts_tot bwd_pkts_tot fwd_data_pkts_tot bwd_data_pkts_tot fwd_pkts_per_sec bwd_pkts_per_sec flow_pkts_per_sec down_up_ratio fwd_header_size_tot fwd_header_size_min fwd_header_size_max bwd_header_size_tot bwd_header_size_min bwd_header_size_max flow_FIN_flag_count flow_SYN_flag_count flow_RST_flag_count fwd_PSH_flag_count bwd_PSH_flag_count flow_ACK_flag_count fwd_URG_flag_count bwd_URG_flag_count flow_CWR_flag_count flow_ECE_flag_count fwd_pkts_payload.min fwd_pkts_payload.max fwd_pkts_payload.tot fwd_pkts_payload.avg fwd_pkts_payload.std bwd_pkts_payload.min bwd_pkts_payload.max bwd_pkts_payload.tot bwd_pkts_payload.avg bwd_pkts_payload.std flow_pkts_payload.min flow_pkts_payload.max flow_pkts_payload.tot flow_pkts_payload.avg flow_pkts_payload.std fwd_iat.min fwd_iat.max fwd_iat.tot fwd_iat.avg fwd_iat.std bwd_iat.min bwd_iat.max bwd_iat.tot bwd_iat.avg bwd_iat.std flow_iat.min flow_iat.max flow_iat.tot flow_iat.avg flow_iat.std payload_bytes_per_second fwd_subflow_pkts bwd_subflow_pkts fwd_subflow_bytes bwd_subflow_bytes fwd_bulk_bytes bwd_bulk_bytes fwd_bulk_packets bwd_bulk_packets fwd_bulk_rate bwd_bulk_rate active.min active.max active.tot active.avg active.std idle.min idle.max idle.tot idle.avg idle.std fwd_init_window_size bwd_init_window_size fwd_last_window_size Attack_type
Class Labels
The dataset contains both attack patterns and normal patterns.
Attack patterns details:
1. DOS_SYN_Hping: 94659
2. ARP_poisioning: 7750
3. NMAP_UDP_SCAN: 2590
4. NMAP_XMAS_TREE_SCAN: 2010
5. NMAP_OS_DETECTION: 2000
6. NMAP_TCP_scan: 1002
7. DDOS_Slowloris: 534
8. Metasploit_Brute_Force_SSH: 37
9. NMAP_FIN_SCAN: 28
Normal Patterns Details:
The DDoS protection market is experiencing robust growth, driven by the escalating frequency and sophistication of distributed denial-of-service (DDoS) attacks targeting businesses and critical infrastructure globally. The market's expansion is fueled by several key factors: the increasing reliance on cloud services and digital infrastructure, the proliferation of IoT devices creating larger attack surfaces, and the evolution of DDoS attack methodologies towards more complex and evasive techniques. Significant investments in advanced security solutions are being made by organizations across various sectors, including finance, healthcare, and e-commerce, to mitigate the financial and reputational damage caused by successful DDoS attacks. The market is segmented by application (mobile, data center, government & carrier transport) and attack type (UDP flood, ICMP flood, SYN flood, HTTP flood, others), with data centers and cloud providers representing substantial market segments due to their concentration of critical assets. Geographic distribution shows strong growth across North America and Asia-Pacific, driven by higher levels of internet penetration and adoption of cloud-based services in these regions. Competitive landscape features established players like F5 Networks, Akamai Technologies, and Cloudflare, alongside emerging security specialists offering innovative solutions. Continued innovation in AI-powered threat detection and mitigation, coupled with the growing demand for comprehensive security solutions, promises sustained market expansion in the coming years. While precise market sizing data wasn't provided, reasonable estimation based on industry reports suggests a current market value exceeding $5 billion USD. Considering the factors above, a Compound Annual Growth Rate (CAGR) of 15% seems plausible over the forecast period (2025-2033), implying significant growth opportunities. 
This expansion is moderated by factors such as the cost of implementing advanced DDoS protection solutions and the ongoing challenge of staying ahead of evolving attack vectors. Nevertheless, the rising sophistication of cyberattacks and the escalating consequences of service disruptions will likely drive consistent demand for robust DDoS protection, sustaining the market's positive trajectory. The increasing adoption of hybrid cloud models and the expansion of 5G networks are expected to further fuel market growth, presenting significant opportunities for vendors offering comprehensive solutions that address the complexities of distributed infrastructure.
The global DDoS protection software market size is projected to witness significant growth with a compound annual growth rate (CAGR) of 14.2% from 2024 to 2032. In 2023, the market was valued at approximately USD 2.3 billion and is forecasted to reach around USD 6.8 billion by 2032. The rising frequency and sophistication of DDoS attacks, coupled with the increasing adoption of Internet of Things (IoT) devices, are major factors driving the market's expansion. As businesses continue to digitize and move their operations online, the need for robust cybersecurity measures becomes more pressing, paving the way for substantial growth in the DDoS protection software market.
One of the primary growth factors for the DDoS protection software market is the exponential rise in cyber incidents and the subsequent need for advanced security solutions. With digital transformation gaining momentum across various sectors, organizations are increasingly vulnerable to cyber threats, particularly DDoS attacks that aim to cripple online services and networks. Companies are investing heavily in security infrastructure to safeguard their data and ensure business continuity, thereby driving demand for comprehensive DDoS protection software. Additionally, regulatory pressures and data privacy laws necessitate stringent cybersecurity measures, further contributing to the market's growth. The rising awareness among enterprises about the potential financial and reputational damage caused by DDoS attacks is also propelling market expansion.
The proliferation of IoT devices and the adoption of cloud-based services are further catalyzing the growth of the DDoS protection software market. As IoT devices become ubiquitous, they create a larger attack surface for cybercriminals, necessitating robust security protocols to mitigate risks. Cloud computing, while offering scalability and flexibility, also exposes enterprises to potential vulnerabilities, making DDoS protection essential for safeguarding cloud infrastructures. Cloud-based DDoS protection services are gaining traction due to their ability to offer real-time threat detection and mitigation, scalability, and cost-effectiveness. As more businesses transition to cloud environments, the demand for cloud-native DDoS protection solutions is expected to surge, driving market growth.
Another significant growth driver for the DDoS protection software market is the increasing investment in cybersecurity by small and medium enterprises (SMEs). Traditionally, large enterprises have dominated the cybersecurity landscape, but with the rise in cyber threats, SMEs are now recognizing the importance of investing in robust security solutions. DDoS attacks can severely impact smaller businesses, often lacking the resources to recover quickly from such disruptions. Consequently, SMEs are adopting DDoS protection software to secure their online presence, reduce downtime, and protect customer data. The availability of cost-effective, scalable solutions tailored to the needs of smaller organizations is facilitating greater market penetration in this segment.
Distributed Denial of Service (DDoS) Protection and Mitigation solutions play a crucial role in safeguarding digital infrastructures from the increasing threat of cyber attacks. As businesses continue to digitize, the risk of DDoS attacks, which aim to overwhelm systems with traffic, becomes more prevalent. These solutions are designed to detect and mitigate such attacks in real-time, ensuring that business operations remain uninterrupted. By employing advanced technologies like machine learning and artificial intelligence, DDoS protection systems can identify unusual traffic patterns and respond swiftly to neutralize threats. This proactive approach not only protects the integrity of online services but also helps maintain customer trust and business reputation. As the threat landscape evolves, the importance of robust DDoS protection and mitigation strategies cannot be overstated.
Regionally, North America is expected to dominate the DDoS protection software market, driven by the presence of key players, advanced technological infrastructure, and high awareness levels regarding cybersecurity threats. The region's robust adoption of cloud-based services and IoT technologies further accentuates the need for advanced DDoS protection solutions. Meanwhile, the Asia Pacific region is anticipated to exhibit the highest growth rate over the forecast period, propelled by rapid digital
The DDoS (Distributed Denial of Service) attack solution market has seen substantial growth, with a market size valued at approximately USD 3.5 billion in 2023 and is projected to reach over USD 6.8 billion by 2032, driven by a compound annual growth rate (CAGR) of 7.8%. The growing frequency and sophistication of cyber-attacks are propelling this market, as businesses and organizations increasingly seek robust solutions to protect their digital infrastructure. The heightened reliance on digital platforms across various industries and the surge in online activities are major factors contributing to this growth. Additionally, the expansion of Internet of Things (IoT) devices, which often serve as gateways for DDoS attacks, is further necessitating advanced security measures, thereby fueling demand for DDoS protection solutions.
The increasing adoption of cloud-based services across industries is another significant growth factor for the DDoS attack solution market. As businesses migrate their operations to the cloud, the potential attack surface expands, making them more susceptible to DDoS attacks. Cloud service providers and businesses alike are investing substantially in cybersecurity measures to safeguard cloud-based systems and ensure uninterrupted service delivery. Furthermore, the rapid digital transformation driven by advancements in technology and the global shift towards remote work arrangements have made robust cybersecurity measures imperative. This shift has heightened the awareness and urgency among businesses to adopt DDoS protection solutions, further bolstering market growth.
Moreover, regulatory frameworks and compliance requirements across different regions are compelling organizations to prioritize their cybersecurity strategies, including DDoS protection. Industries such as BFSI, healthcare, and government are under stringent regulations to protect sensitive data and maintain service continuity. This regulatory landscape is compelling organizations to invest in comprehensive DDoS solutions to ensure compliance and safeguard their reputation. Additionally, the rising cost associated with data breaches and downtime due to DDoS attacks is driving organizations to adopt preventive measures, thereby creating a conducive environment for the growth of the DDoS attack solution market.
From a regional outlook, North America currently dominates the DDoS attack solution market, attributed to the presence of advanced digital infrastructure and a high concentration of tech-savvy businesses. However, the Asia Pacific region is expected to witness the highest growth rate during the forecast period. The rapid digitalization of economies, coupled with increasing internet penetration and smart device usage, is driving the demand for DDoS solutions in this region. Factors such as increased government initiatives towards digital infrastructure development and heightened cybersecurity threats also contribute to the market's expansion in Asia Pacific.
The DDoS attack solution market is segmented into hardware solutions, software solutions, and services. Hardware solutions form a crucial part of the DDoS protection framework, offering dedicated appliances that can be deployed on-site to mitigate attacks. These hardware solutions are especially favored by large enterprises with substantial IT infrastructure as they provide high-performance protection and can be customized to meet specific organizational needs. The reliability and efficiency of hardware solutions in detecting and mitigating volumetric and application-layer attacks contribute significantly to their continued demand in the market.
Software solutions have gained prominence due to their flexibility and scalability, making them an attractive choice for organizations of all sizes. These solutions can be integrated with existing IT systems and provide real-time threat intelligence, ensuring continuous monitoring and protection against DDoS attacks. The shift towards software solutions is also driven by the need for cost-effective security measures that can be easily updated to counter evolving threats. Software-based DDoS solutions are seeing increased adoption in sectors where rapid deployment and cost efficiency are critical, such as small and medium enterprises (SMEs).
In the face of escalating cyber threats, DDoS Protection and Mitigation have become essential components of a comprehensive cybersecurity stra
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
1. Introduction
In the digital era of the Industrial Internet of Things (IIoT), conventional Critical Infrastructures (CIs) are being transformed into smart environments with multiple benefits, such as pervasive control, self-monitoring and self-healing. However, this evolution is accompanied by several cyberthreats due to the necessary presence of insecure technologies. DNP3 is an industrial communication protocol which is widely adopted in the CIs of the US. In particular, DNP3 allows remote communication between Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA). It can support various topologies, such as Master-Slave, Multi-Drop, Hierarchical and Multiple-Server. Initially, the architectural model of DNP3 consisted of three layers: (a) Application Layer, (b) Transport Layer and (c) Data Link Layer. However, DNP3 can now be incorporated into the Transmission Control Protocol/Internet Protocol (TCP/IP) stack as an application-layer protocol. Similarly to other industrial protocols (e.g., Modbus and IEC 60870-5-104), DNP3 is characterised by severe security issues since it does not include any authentication or authorisation mechanisms. More information about the DNP3 security issues is provided in [1-3]. This dataset contains labelled Transmission Control Protocol (TCP) / Internet Protocol (IP) network flow statistics (Comma-Separated Values - CSV format) and DNP3 flow statistics (CSV format) related to 9 DNP3 cyberattacks. These cyberattacks are focused on DNP3 unauthorised commands and Denial of Service (DoS). The network traffic data are provided through Packet Capture (PCAP) files. Consequently, this dataset can be used to implement Artificial Intelligence (AI)-powered Intrusion Detection and Prevention (IDPS) systems that rely on Machine Learning (ML) and Deep Learning (DL) techniques.
2. Instructions
This DNP3 Intrusion Detection Dataset was implemented following the methodological frameworks of A. Gharib et al. in [4] and S. Dadkhah et al. in [5], including eleven features: (a) Complete Network Configuration, (b) Complete Traffic, (c) Labelled Dataset, (d) Complete Interaction, (e) Complete Capture, (f) Available Protocols, (g) Attack Diversity, (h) Heterogeneity, (i) Feature Set and (j) Metadata.
A network topology consisting of (a) eight industrial entities, (b) one Human Machine Interface (HMI) and (c) three cyberattackers was used to implement this DNP3 Intrusion Detection Dataset. In particular, the following cyberattacks were implemented.
On Thursday, May 14, 2020, the DNP3 Disable Unsolicited Messages Attack was executed for 4 hours.
On Friday, May 15, 2020, the DNP3 Cold Restart Message Attack was executed for 4 hours.
On Friday, May 15, 2020, the DNP3 Warm Restart Message Attack was executed for 4 hours.
On Saturday, May 16, 2020, the DNP3 Enumerate Attack was executed for 4 hours.
On Saturday, May 16, 2020, the DNP3 Info Attack was executed for 4 hours.
On Monday, May 18, 2020, the DNP3 Initialisation Attack was executed for 4 hours.
On Monday, May 18, 2020, the Man In The Middle (MITM)-DoS Attack was executed for 4 hours.
On Monday, May 18, 2020, the DNP3 Replay Attack was executed for 4 hours.
On Tuesday, May 19, 2020, the DNP3 Stop Application Attack was executed for 4 hours.
The aforementioned DNP3 cyberattacks were executed utilising penetration testing tools, such as Nmap and Scapy. For each attack, a relevant folder is provided, including the network traffic and the network flow statistics for each entity. In particular, each cyberattack folder provides (a) the pcap files for each entity, (b) the Transmission Control Protocol (TCP)/Internet Protocol (IP) network flow statistics for 120 seconds in CSV format and (c) the DNP3 flow statistics for each entity, using different timeout values in seconds (such as 45, 60, 75, 90, 120 and 240 seconds). The TCP/IP network flow statistics were produced by using the CICFlowMeter, while the DNP3 flow statistics were generated based on a Custom DNP3 Python Parser, taking full advantage of Scapy.
The dataset consists of the following folders:
20200514_DNP3_Disable_Unsolicited_Messages_Attack: It includes the pcap and CSV files related to the DNP3 Disable Unsolicited Message attack.
20200515_DNP3_Cold_Restart_Attack: It includes the pcap and CSV files related to the DNP3 Cold Restart attack.
20200515_DNP3_Warm_Restart_Attack: It includes the pcap and CSV files related to the DNP3 Warm Restart attack.
20200516_DNP3_Enumerate: It includes the pcap and CSV files related to the DNP3 Enumerate attack.
20200516_DNP3_Ιnfo: It includes the pcap and CSV files related to the DNP3 Info attack.
20200518_DNP3_Initialize_Data_Attack: It includes the pcap and CSV files related to the DNP3 Data Initialisation attack.
20200518_DNP3_MITM_DoS: It includes the pcap and CSV files related to the DNP3 MITM-DoS attack.
20200518_DNP3_Replay_Attack: It includes the pcap and CSV files related to the DNP3 replay attack.
20200519_DNP3_Stop_Application_Attack: It includes the pcap and CSV files related to the DNP3 Stop Application attack.
Training_Testing_Balanced_CSV_Files: It includes balanced CSV files from CICFlowMeter and the Custom DNP3 Python Parser that could be utilised for training ML and DL methods. Each folder includes different sub-folders for the corresponding flow timeout values used by the DNP3 Python Custom Parser. For CICFlowMeter, only the timeout value of 120 seconds was used.
Each folder includes respective subfolders related to the entities/devices (described in the following section) participating in each attack. In particular, for each entity/device, there is a folder including (a) the DNP3 network traffic (pcap file) related to this entity/device during each attack, (b) the TCP/IP network flow statistics (CSV file) generated by CICFlowMeter for the timeout value of 120 seconds and finally (c) the DNP3 flow statistics (CSV file) from the Custom DNP3 Python Parser. Finally, it is noteworthy that the network flows from both CICFlowMeter and Custom DNP3 Python Parser in each CSV file are labelled based on the DNP3 cyberattacks executed for the generation of this dataset. The description of these attacks is provided in the following section, while the various features from CICFlowMeter and Custom DNP3 Python Parser are presented in Section 5.
4. Testbed & DNP3 Attacks
The following figure shows the testbed utilised for the generation of this dataset. It is composed of eight industrial entities that play the role of the DNP3 outstations/slaves, such as Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs). Moreover, there is another workstation which plays the role of the Master station, like a Master Terminal Unit (MTU). For the communication between the DNP3 outstations/slaves and the master station, opendnp3 was used.
Table 1: DNP3 Attacks Description

| DNP3 Attack | Description | Dataset Folder |
|---|---|---|
| DNP3 Disable Unsolicited Message Attack | This attack targets a DNP3 outstation/slave, establishing a connection with it, while acting as a master station. The false master then transmits a packet with the DNP3 Function Code 21, which requests to disable all the unsolicited messages on the target. | 20200514_DNP3_Disable_Unsolicited_Messages_Attack |
| DNP3 Cold Restart Attack | The malicious entity acts as a master station and sends a DNP3 packet that includes the “Cold Restart” function code. When the target receives this message, it initiates a complete restart and sends back a reply with the time window before the restart process. | 20200515_DNP3_Cold_Restart_Attack |
| DNP3 Warm Restart Attack | This attack is quite similar to the “Cold Restart Message”, but aims to trigger a partial restart, re-initiating a DNP3 service on the target outstation. | 20200515_DNP3_Warm_Restart_Attack |
| DNP3 Enumerate Attack | This reconnaissance attack aims to discover which DNP3 services and function codes are used by the target system. | 20200516_DNP3_Enumerate |
| DNP3 Info Attack | This attack constitutes another reconnaissance attempt, aggregating various DNP3 diagnostic information related to the DNP3 usage. | 20200516_DNP3_Ιnfo |
| Data Initialisation Attack | This cyberattack is related to Function Code 15 (Initialize Data). It is an unauthorised access attack, which demands that the slave re-initialise possible configurations to their initial values, thus changing potential values defined by legitimate masters. | 20200518_Initialize_Data_Attack |
| MITM-DoS Attack | In this cyberattack, the cyberattacker is placed between a DNP3 master and a DNP3 slave device, dropping all the messages coming from the DNP3 master or the DNP3 slave. | 20200518_MITM_DoS |
| DNP3 Replay Attack | This cyberattack replays DNP3 packets coming from a legitimate DNP3 master or DNP3 slave. | 20200518_DNP3_Replay_Attack |
| DNP3 Stop Application Attack | This attack is related to the Function Code 18 (Stop Application) and demands that the slave stop its function so that the slave cannot receive messages from the master. | 20200519_DNP3_Stop_Application_Attack |

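
Several attacks in Table 1 are ordinary DNP3 requests that an outstation accepts because the protocol has no authentication, so one passive check is to alert when a state-changing function code arrives from a host that is not a known master. The Python example below is added here and is not part of the dataset or its Custom DNP3 Python Parser; the IP addresses, the sample frames and the names `WATCHED`, `sample_frame`, `parse_request` and `detect` are constructed for illustration, and function codes 13 and 14 for the restarts are taken from the DNP3 specification rather than from this page.

```python
import struct

# Codes behind Table 1's attacks; 13 and 14 (the restarts) are not given on the page.
WATCHED = {13: "COLD_RESTART", 14: "WARM_RESTART", 15: "INITIALIZE_DATA",
           18: "STOP_APPL", 21: "DISABLE_UNSOLICITED"}

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC, initial value 0, complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def sample_frame(dst: int, src: int, func: int) -> bytes:
    """Constructed input: one master request carrying only a function code."""
    user = bytes([0xC0, 0xC0, func])  # transport header, application control, FC
    hdr = struct.pack("<2sBBHH", b"\x05\x64", 5 + len(user), 0xC4, dst, src)
    return (hdr + struct.pack("<H", dnp3_crc(hdr))
            + user + struct.pack("<H", dnp3_crc(user)))

def parse_request(frame: bytes):
    """Return (dst, src, function_code) for a valid master frame, else None."""
    if len(frame) < 15 or frame[:2] != b"\x05\x64":
        return None
    length, ctrl, dst, src, hcrc = struct.unpack("<BBHHH", frame[2:10])
    n = min(16, length - 5)  # user bytes in the first CRC-protected block
    if hcrc != dnp3_crc(frame[:8]) or n < 3 or len(frame) < 12 + n:
        return None
    block = frame[10:10 + n]
    (bcrc,) = struct.unpack("<H", frame[10 + n:12 + n])
    if bcrc != dnp3_crc(block) or not ctrl & 0x80:  # DIR bit: sent by a master
        return None
    return dst, src, block[2]

def detect(packets, allowed_masters):
    """Alert on watched function codes from hosts that are not known masters."""
    parsed = ((ip, parse_request(payload)) for ip, payload in packets)
    return [(ip, r[0], WATCHED[r[2]]) for ip, r in parsed
            if r and r[2] in WATCHED and ip not in allowed_masters]

# Constructed traffic: 192.0.2.10 is the legitimate master, 192.0.2.66 is not.
SAMPLE = [("192.0.2.10", sample_frame(1, 100, 1)),    # READ from the master
          ("192.0.2.66", sample_frame(1, 100, 21)),   # unknown host, FC 21
          ("192.0.2.66", sample_frame(3, 100, 13)),   # unknown host, cold restart
          ("192.0.2.10", sample_frame(2, 100, 14))]   # restart by the real master
print(detect(SAMPLE, {"192.0.2.10"}))
```

An allow-list of master addresses does not cover the Replay or MITM-DoS attacks when the attacker sits in the path of a legitimate master, which is where flow-level features such as those in this dataset come in.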
The TCP/IP network flow statistics generated by CICFlowMeter are summarised below. The TCP/IP network flows and their statistics generated by CICFlowMeter are labelled based on the DNP3 attacks described above, thus allowing the training of ML/DL models. Finally, it is worth mentioning that these statistics are generated when the flow timeout value is equal to 120 seconds.
Table
The finance industry was the major target of DDoS attacks in Russia in 2023. Furthermore, the share of attacks on e-commerce companies was almost 25 percent. DDoS, or distributed denial-of-service, attacks involve sending more requests to a target network or website than it is capable of handling, leading to disruption of the resource's functioning.