Skip to content

This forked repository contains our fixed version of the original CICFlowmeter tool. The improvements were implemented as part of our paper, where we performed an extensive analysis of the CICIDS 2017 dataset and the CICFlowMeter tool.

License

Notifications You must be signed in to change notification settings

GintsEngelen/CICFlowMeter

 
 

Repository files navigation

Fixed version of the CICFlowMeter tool

As part of our WTMC 2021 paper, we analysed and improved the CICFlowMeter tool, the result of which can be found in this repository. If you use this improved CICFlowMeter tool, please cite our paper:

        @inproceedings{engelen2021troubleshooting,
        title={Troubleshooting an Intrusion Detection Dataset: the CICIDS2017 Case Study},
        author={Engelen, Gints and Rimmer, Vera and Joosen, Wouter},
        booktitle={2021 IEEE Security and Privacy Workshops (SPW)},
        pages={7--12},
        year={2021},
        organization={IEEE}
        }

A detailed list of all fixes and improvements, as well as implications of the changes can be found on our webpage, which hosts the extended documentation of our paper.

Here we stick to a brief summary of all changes to the CICFlowMeter tool:

  • A TCP flow is no longer terminated after a single FIN packet. It now terminates after mutual exchange of FIN packets, which is more in line with the TCP specification.

  • An RST packet is no longer ignored. Instead, the RST packet also terminates a TCP flow.

  • The Flow Active and Idle time features no longer encode an absolute timestamp.

  • The values for Fwd PSH Flags, Bwd PSH Flags, Fwd URG Flags and Bwd URG Flags are now correctly incremented.

Running the tool

Docker Container

To use the tool inside a Docker container, follow these steps:

  1. Set Up Directories:
    • Create a directory at /path/to/pcap.
    • Inside this directory, make two subfolders:
      • input (for your input files)
      • output (where the tool will save its results).
  2. Build the image.
    docker build -t cicflowmeter .
  3. Run the Docker Command:
    docker run -v /path/to/pcap:/tmp/pcap cicflowmeter /tmp/pcap/input /tmp/pcap/output
    This command mounts your local /path/to/pcap directory to /tmp/pcap inside the Docker container and then runs the tool on the input, saving results to the output directory.

Local

To run the tool locally, please refer to the original CICFlowMeter repository for instructions.

About

This forked repository contains our fixed version of the original CICFlowmeter tool. The improvements were implemented as part of our paper, where we performed an extensive analysis of the CICIDS 2017 dataset and the CICFlowMeter tool.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 55.4%
  • Java 42.1%
  • C++ 2.3%
  • Dockerfile 0.2%