Entity Dictionary

A description of the attributes for all of the entities in the ER diagram

INTERVALS

  • interval: the timestamp of the start of the interval; each interval is a five-minute aggregation of flows
  • epoch: the same start time expressed as an epoch value, which is convenient for plotting time series
  • filename: the original filename of the Argus flow level data
  • flows_out_internet: the approximate number of flows that were outbound to the Internet
  • flows_in_internet: the approximate number of flows that were inbound from the Internet
  • flows_intranet: the approximate number of flows that were neither bound to nor from the Internet (these are few)

FLOWS

  • interval: the five-minute aggregate interval to which the flow belongs
  • flow_id: an identification number for each flow unique to the interval
  • start_time: flow start time (precision in seconds)
  • finish_time: flow finish time (precision in seconds)
  • protocol: the protocol used (udp, tcp, ...)
  • src_ip: source IP address of the flow
  • dst_ip: destination IP address of the flow
  • src_port: the port bound to the source
  • dst_port: the port bound to the destination
  • src_packets: the number of packets generated by the source
  • dst_packets: the number of packets generated by the destination
  • src_bytes: the number of bytes generated by the source
  • dst_bytes: the number of bytes generated by the destination
  • state: the state of the connection when it was considered finished (RST, FIN, ...)
  • dir_unknown: a flag set when the direction of the flow is unknown; src and dst are then to be read as left and right rather than as originator and responder

METRICS

  • metric: the integer identifier of the traffic metric, used for referencing
  • name: human-readable name of the metric (addr_src, fsd, ...)

INTERVAL_STATS

  • interval: the interval to which the statistics belong
  • metric: the metric that the statistics were generated using
  • entropy: the normalized entropy
  • sdev_score: the standard deviation score
  • wavelet_score: the wavelet deviation score

INTERVAL_ALARMS

  • interval: the interval the alarm belongs to
  • metric: the metric used while generating the alarm
  • alarm_type: the type of alarm, typically a method together with a deviation-score threshold (e.g. sdev_score>3)
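The following is an added example, not part of the dataset or its tooling, of how INTERVAL_STATS and INTERVAL_ALARMS rows for the addr_src metric can be derived from FLOWS. It assumes that the normalized entropy is Shannon entropy divided by log2 of the number of distinct values, that sdev_score is the z-score of an interval's entropy against the preceding intervals, and that the alarm rule is the dictionary's example sdev_score>3; the function names and the sample flows are constructed for the example.

```python
from collections import Counter
from math import log2
from statistics import mean, pstdev

def normalized_entropy(values):
    """Shannon entropy of the value distribution, divided by log2(#distinct) so it lies in [0, 1]."""
    counts = Counter(values)
    n = sum(counts.values())
    if len(counts) < 2:          # a single value (or no flows) carries no entropy
        return 0.0
    h = -sum(c / n * log2(c / n) for c in counts.values())
    return h / log2(len(counts))

def sdev_score(current, history):
    """Assumed definition: z-score of this interval's entropy against earlier intervals."""
    if len(history) < 2:
        return 0.0               # not enough history to estimate a spread
    sd = pstdev(history)
    return 0.0 if sd == 0 else (current - mean(history)) / sd

def build_stats(flows_by_interval, field="src_ip", metric="addr_src", threshold=3.0):
    """Return (INTERVAL_STATS rows, INTERVAL_ALARMS rows) for one metric, oldest interval first."""
    stats, alarms, history = [], [], []
    for interval in sorted(flows_by_interval):
        ent = normalized_entropy(f[field] for f in flows_by_interval[interval])
        score = sdev_score(ent, history)
        stats.append({"interval": interval, "metric": metric,
                      "entropy": round(ent, 4), "sdev_score": round(score, 2)})
        if score > threshold:    # the dictionary's example rule: sdev_score>3
            alarms.append({"interval": interval, "metric": metric,
                           "alarm_type": f"sdev_score>{threshold:g}"})
        history.append(ent)      # the alarmed interval still joins the baseline
    return stats, alarms

def _flows(interval, src_ips):
    """Constructed FLOWS rows carrying only the fields this example reads."""
    return [{"interval": interval, "flow_id": i, "src_ip": ip} for i, ip in enumerate(src_ips)]

# Constructed sample: five intervals dominated by one internal host, then one interval
# in which ten distinct sources each send a flow (the source-address entropy jump of a flood).
SAMPLE_FLOWS = {
    "2010-03-01 00:00": _flows("2010-03-01 00:00", ["10.0.0.1"] * 4 + ["10.0.0.2"]),
    "2010-03-01 00:05": _flows("2010-03-01 00:05", ["10.0.0.1"] * 9 + ["10.0.0.2"]),
    "2010-03-01 00:10": _flows("2010-03-01 00:10", ["10.0.0.1"] * 7 + ["10.0.0.2"]),
    "2010-03-01 00:15": _flows("2010-03-01 00:15", ["10.0.0.1"] * 9 + ["10.0.0.2"]),
    "2010-03-01 00:20": _flows("2010-03-01 00:20", ["10.0.0.1"] * 7 + ["10.0.0.2"]),
    "2010-03-01 00:25": _flows("2010-03-01 00:25", [f"198.51.100.{i}" for i in range(1, 11)]),
}
```

Calling build_stats(SAMPLE_FLOWS) yields six INTERVAL_STATS rows and a single INTERVAL_ALARMS row for the last interval, whose entropy of 1.0 sits roughly 4.9 standard deviations above the baseline.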

ALARMS

  • alarm_type: the integer identifier of the alarm classification
  • name: human-readable name of the alarm type (wavelet3, sdev2, ...)

LABELED_FLOWS

  • label_id: reference to the label which describes the attack
  • interval: the interval to which the label belongs
  • flow_id: the flow within the interval that is being labeled

LABELS

  • label_id: a unique identifier for the label
  • description: human readable description of the label, describing the attack in detail

ANOMALIES

  • type: the integer identifier of the anomaly type, used for referencing
  • description: human-readable description of the type of anomaly, such as "flood" or "horizontal scan"