One month and seven days of anonymized DNS query statistics from Tempest Security's internal network. The dataset features eighteen different attack variations generated using Iodine and DNSExfiltrator tools, with attacks replicated multiple times starting on the 13th day of collection. It was created by Matana da Rocha, Paulo and hosted on Harvard Dataverse.
Use Cases
- Train machine learning models for DNS tunneling detection based on features like query length and character ratios.
- Benchmark anomaly detection algorithms using the labeled attack variants, such as file exfiltration with short queries.
- Analyze network traffic macro-behaviors using the time-window aggregated metrics mentioned in the description.
Strengths
- Includes eighteen distinct, labeled attack variations for model training and evaluation.
- Provides two processing methods: simple per-query statistics and time-window aggregated metrics.
- Covers one month and seven days of real-world, anonymized DNS traffic.
Limitations
- Column-level documentation is absent; field semantics must be inferred after download.
- Row count is unknown, which may limit suitability assessment.
- Data may reflect temporal and source bias inherent to a single organization's network.
Provenance
- Source
- Tempest Security Intelligence's internal network.
- Collection Method
- Metrics derived from anonymized DNS logs.
- Time Range
- One month in 2023.
- Freshness
- Last updated 2026-05-20 17:07:31; freshness should be verified.