Category: Web, HTML, Tech

CIC-IDS2017 Data Analysis via Power BI

Source:

https://www.unb.ca/cic/datasets/ids-2017.html


Link to the Power BI report PDF... the site won't let me upload the screenshots here...

https://drive.google.com/file/d/1PT2qhG-rqswtgwUo8C4Xvuo9-Rdidmni/view?usp=sharing


My Insights:

The downloaded dataset consists of CSV files of flow records extracted from packet captures, simulating five days of realistic enterprise network traffic containing both benign and malicious flows. There are approximately 17,000 unique source IPs and 3.12 million total events, composed of 2.27 million benign and 846,255 categorized attack flows.

Based on the attack trend visual, there is a clear progression of threats over the five-day observation period, resembling the cyber kill chain. On July 3, all traffic was labeled as benign, representing baseline behavior and normal user activity. By July 4, FTP and SSH Patator attacks appeared. Patator is a brute-force tool that targets ports 21 (FTP) and 22 (SSH), marking the reconnaissance and initial access stages, where attackers probe for weak credentials and open entry points.

On July 5, DoS and DDoS attacks were launched, continuing until late on July 7. During this phase, port 80 (HTTP) was the most common destination, indicating that attackers focused on overwhelming web servers to disrupt enterprise operations and impact exposed services. By July 6, infiltration, brute-force, and web attacks were detected, corresponding to the weaponization, delivery, exploitation, and installation stages of the kill chain. Attackers prepared and delivered malicious payloads via infiltration, successfully compromising systems through brute-force and web-based exploits. Finally, on July 7, a sharp rise in reconnaissance/scanning and botnet traffic was observed, representing the command-and-control and actions-on-objectives phases.

The Top Source IPs visual provides insight into traffic origins. Most internal IPs generated primarily benign traffic, typical of user devices or local services. However, one IP — 192.168.0.1, the victim’s firewall — shows a large volume of attack-labeled flows. This likely results from NAT reflection or how traffic was captured in the dataset. Attacks targeting internal systems through the firewall’s public interface can appear in logs as originating from the firewall itself, even though it merely relayed or reflected that traffic. Additionally, when botnet attack traffic is filtered, IPs such as 192.168.10.8, 192.168.10.5, 192.168.10.9, 192.168.10.12, 192.168.10.15, 192.168.10.14, and 192.168.10.17 become prominent — representing compromised internal hosts participating in malicious activity. These likely form part of the C2 (command and control) infrastructure within the infected network, communicating with external servers to execute further actions.

Moving on to the Attack Percentages visual, the top three attack types dominating the dataset are DoS Hulk, PortScan, and DDoS. The prevalence of these attack types suggests that adversaries focused mainly on service disruption and information gathering.

The Top Destination Ports visual highlights the most targeted services: 53 (DNS), 80 (HTTP), 443 (HTTPS), 123 (NTP), 22 (SSH), and 21 (FTP). While ports 53, 123, and 443 show the highest traffic volumes, these are mostly benign, representing essential background activity such as DNS resolution, time synchronization, and secure web communication. In contrast, ports 80, 22, and 21 are more closely associated with attack behavior, aligning with the identified web-based and brute-force patterns.
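To make the day-by-day timeline, top-source-IP and top-destination-port breakdowns above reproducible outside Power BI, here is an added Python example (my own code, not from the original post or from the CIC) that aggregates a constructed handful of flow rows. The column names and the day/month/year timestamp format are assumptions about the labelled-flow CSV layout, and every address, port and label in the sample is made up.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows in the layout of the CIC-IDS2017 labelled-flow CSVs
# (column names and d/m/Y timestamps are assumptions; all values are made up).
SAMPLE_CSV = """Source IP, Destination IP, Destination Port, Timestamp, Label
192.168.10.5,192.168.10.50,53,3/7/2017 9:01,BENIGN
203.0.113.10,192.168.10.50,21,4/7/2017 10:15,FTP-Patator
203.0.113.10,192.168.10.50,22,4/7/2017 11:20,SSH-Patator
203.0.113.10,192.168.10.50,80,5/7/2017 10:43,DoS Hulk
203.0.113.10,192.168.10.50,80,5/7/2017 10:44,DoS Hulk
192.168.10.8,203.0.113.77,8080,7/7/2017 10:02,Bot
192.168.10.8,203.0.113.77,8080,7/7/2017 10:03,Bot
192.168.10.9,203.0.113.77,8080,7/7/2017 10:04,Bot
192.168.10.5,192.168.10.3,123,7/7/2017 10:05,BENIGN
"""

def parse_flows(text):
    """Read flow rows, trim stray spaces in column names, add an ISO 'day' key."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    flows = []
    for row in reader:
        row = {k.strip(): v.strip() for k, v in row.items()}
        stamp = datetime.strptime(row["Timestamp"], "%d/%m/%Y %H:%M")
        row["day"] = stamp.date().isoformat()          # group key for the timeline
        row["Destination Port"] = int(row["Destination Port"])
        flows.append(row)
    return flows

def attack_timeline(flows):
    """Label counts per day: the kill-chain progression visual as a table."""
    timeline = defaultdict(Counter)
    for f in flows:
        timeline[f["day"]][f["Label"]] += 1
    return {day: dict(counts) for day, counts in sorted(timeline.items())}

def top_destination_ports(flows, attacks_only=False, n=3):
    """Most targeted ports, optionally restricted to attack-labelled flows."""
    ports = Counter(f["Destination Port"] for f in flows
                    if not attacks_only or f["Label"] != "BENIGN")
    return ports.most_common(n)

def top_source_ips(flows, label=None, n=3):
    """Busiest source IPs; filter on a label such as 'Bot' to surface infected hosts."""
    ips = Counter(f["Source IP"] for f in flows
                  if label is None or f["Label"] == label)
    return ips.most_common(n)
```

Point the same functions at the real CSVs and the Bot filter reproduces the list of internal hosts that stand out once botnet traffic is isolated.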

Overall, the dataset illustrates a structured escalation of cyber activity that mirrors real-world attack lifecycles. Traffic evolves from benign baseline activity to targeted brute-force, denial-of-service, and reconnaissance behavior over several days. The majority of attacks focus on disrupting web services and probing for network vulnerabilities, while a smaller subset of internal hosts appears compromised in later stages, likely as part of botnet operations. Meanwhile, essential network services such as DNS, NTP, and HTTPS continue to generate large volumes of benign traffic, emphasizing the importance of distinguishing routine operations from actual threats.

These findings collectively demonstrate how analyzing flow-level data over time provides a clear picture of both normal enterprise operations and coordinated attack campaigns within a controlled network environment.


p.s. Please educate me if I get something wrong, or if you have any suggestions or comments!! This is my first Power BI project in the universe ever and I just wanted to try something different. xoxo hashtag belieber hashtag bedward.

