Network Data Curation Toolkit: Cybersecurity Data Collection, Aided-Labeling, and Rule Generation

Jaime C. Acosta, Stephanie Medina, J. Ellis, Luisana Clarke, Veronica Rivas, Allison Newcomb
Published in: MILCOM 2021 - 2021 IEEE Military Communications Conference (MILCOM)
Publication date: 2021-11-29
DOI: 10.1109/MILCOM52596.2021.9653049 (https://doi.org/10.1109/MILCOM52596.2021.9653049)
Citation count: 0

Abstract

Cybersecurity network data curation is the collection, labeling, and packaging of datasets that contain artifacts that are important in the cybersecurity domain. These assets are essential for cybersecurity research and key for defense technologies and systems to detect and respond to anomalies caused by adversaries. However, tools for data curation are lacking in all domains of cybersecurity, including enterprise and the military. Curation fuels empirical research and validation of protection, detection, and prevention techniques. Closing the gap will require the development of research-driven tools and technologies that facilitate and enforce not only collection and labeling, but also standardization and distribution. This paper describes a novel tool, called the Network Data Curation Toolkit (NDCT), which simplifies the process of collecting network traffic, keystrokes, and mouse clicks; allows network packet labeling; automatically generates intrusion detection rules; and provides a visualization of results. Moreover, the tool has a built-in mechanism for exporting all data into a single distributable file. The tool is modular to allow extension and to facilitate its incorporation into existing workflows. We demonstrate the use of NDCT in two case studies. We first show how NDCT can augment cybersecurity exercises by having participants label their network data. We then describe a separate system into which the NDCT was embedded, which provides a workspace allowing users to curate data through a multi-session environment, including generating intrusion detection rules for malware.