About the dataset
The dataset is available on Google Drive and consists of four zip files:
- all_traces_root.zip: includes traces for all 149 patched malware samples operating with root privileges.
- all_traces_user.zip: contains traces for all 149 patched malware samples running under user privileges.
- ransom_traces.zip: contains traces for 60 ransomware instances that exhibit file read/write/encryption behaviors.
- benign_disk_traces.zip: includes traces for 55 benign disk applications (e.g., zip programs).
For each malware/application, we collect four types of traces: syscall traces, network traces, disk traces, and performance traces. The syscall trace is stored in *.syscall files, the disk trace in *.blktrace files, the network trace in *.net files, and the performance trace in *.perf files. Data collection begins upon launching the virtual machine (VM) and initiating the malware sample. It continues until either the malware execution concludes or a timeout of 600 seconds is reached.
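The following added example (my own code, not a script shipped with the dataset) walks one extracted archive and groups each sample's four trace files by basename, reporting samples that are missing a trace kind and the bytes of trace data per sample. It assumes the four traces of a sample share a basename and differ only by extension (.syscall, .blktrace, .net, .perf), and may sit in any subdirectory of the unpacked zip; make_demo_dataset() writes constructed placeholder files so the script runs offline. Index one extracted archive at a time, since the root and user sets contain the same sample names.

```python
"""Index an extracted copy of the trace dataset.

Added example, not a script shipped with the dataset. Assumed layout: the
four traces of one sample share a basename and differ only by extension
(.syscall, .blktrace, .net, .perf) and may sit in any subdirectory of the
unpacked zip. The files written by make_demo_dataset() are constructed
stand-ins, not real traces.
"""
from __future__ import annotations

import os
import tempfile
from collections import defaultdict

# extension -> trace kind, as described on the page
TRACE_KINDS = {
    ".syscall": "syscall",
    ".blktrace": "disk",
    ".net": "network",
    ".perf": "performance",
}
EXPECTED = frozenset(TRACE_KINDS.values())


def index_traces(root: str) -> dict[str, dict[str, str]]:
    """Return {sample basename: {trace kind: path}} for every trace under root."""
    index: dict[str, dict[str, str]] = defaultdict(dict)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            kind = TRACE_KINDS.get(ext)
            if kind is None:
                continue  # skip READMEs, checksums, leftover archives
            index[stem][kind] = os.path.join(dirpath, name)
    return dict(index)


def missing_traces(index: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Samples lacking any of the four trace kinds -> sorted list of what is missing."""
    return {
        sample: sorted(EXPECTED - set(kinds))
        for sample, kinds in index.items()
        if EXPECTED - set(kinds)
    }


def trace_sizes(index: dict[str, dict[str, str]]) -> dict[str, int]:
    """Total bytes of trace data per sample; zero-size samples deserve a second look."""
    return {
        sample: sum(os.path.getsize(path) for path in kinds.values())
        for sample, kinds in index.items()
    }


def make_demo_dataset(root: str | None = None) -> str:
    """Write a constructed layout (placeholder bytes, not real traces) so the example runs offline."""
    root = root or tempfile.mkdtemp(prefix="traces_demo_")
    sub = os.path.join(root, "all_traces_root")
    os.makedirs(sub, exist_ok=True)
    complete = ["sample_a.syscall", "sample_a.blktrace", "sample_a.net", "sample_a.perf"]
    partial = ["sample_b.syscall", "sample_b.net"]  # disk and performance traces absent
    for name in complete + partial + ["README.txt"]:
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(b"constructed placeholder\n")
    return root


if __name__ == "__main__":
    import sys

    # Pass the path of an extracted archive, or run without arguments for the demo layout.
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_dataset()
    index = index_traces(root)
    print(f"{len(index)} samples under {root}")
    for sample, absent in missing_traces(index).items():
        print(f"  incomplete: {sample} lacks {', '.join(absent)}")
    for sample, size in sorted(trace_sizes(index).items()):
        print(f"  {sample}: {size} bytes of trace data")
```

Running it without arguments builds the demo layout and reports sample_b as incomplete; pointing it at a real extracted archive gives the same report for the 149 (or 60, or 55) samples in that set.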
Syscall Trace
- Monitoring and recording system calls made by a process or processes running on an operating system
- A well-known and widely used trace type
Network Trace
- Record data transfer between the computer and the network medium (e.g., Ethernet)
- Use the popular packet analysis tool Wireshark to capture the data transfer information
Disk Trace
- Record data transfer between computer’s motherboard and storage devices (e.g., HDDs)
- Use Linux utility blktrace to capture data transfer information
Perf Trace
- Perf trace is a command in the Linux perf tool suite, a powerful set of tools used for performance analysis and debugging
- Use the Linux utility perf to capture Hardware Performance Counter (HPC) measurements collected over 100 ms time intervals
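As an added example of how the four trace kinds above can be captured together (my own code, not the dataset authors' collection scripts), the script below starts tshark, blktrace and perf stat alongside the sample, runs the sample under strace with the 600 second deadline the page describes, and then stops the tracers. It assumes a Linux analysis VM with those tools installed and root privileges (blktrace and system-wide perf stat require them); the interface name, block device and sample path are placeholders, and the perf event list is my choice, not necessarily the one used for the dataset.

```python
"""Drive one trace-collection run of the kind the page describes.

Added example, not the dataset authors' collection scripts. Assumes a Linux
VM with strace, tshark, blktrace and perf installed, run as root. The
interface, block device, sample path and perf event list are placeholders
or my own choices, not values taken from the dataset.
"""
from __future__ import annotations

import signal
import subprocess
import sys

TIMEOUT_S = 600          # page: stop when the sample exits or after 600 s
PERF_INTERVAL_MS = 100   # page: HPC readings every 100 ms


def tracer_commands(name: str, iface: str = "eth0", device: str = "/dev/vda") -> dict[str, list[str]]:
    """argv for the three tracers that run alongside the sample, keyed by trace kind.

    Each tool is also told to stop itself after TIMEOUT_S so nothing keeps
    running if this script dies. blktrace writes <name>.blktrace.<cpu>, one
    file per CPU, which blkparse can merge afterwards.
    """
    return {
        "network": ["tshark", "-i", iface, "-a", f"duration:{TIMEOUT_S}", "-w", f"{name}.net"],
        "disk": ["blktrace", "-d", device, "-w", str(TIMEOUT_S), "-o", name],
        "performance": ["perf", "stat", "-a", "-I", str(PERF_INTERVAL_MS),
                        "-e", "cycles,instructions,cache-misses", "-o", f"{name}.perf"],
    }


def sample_command(name: str, sample_argv: list[str]) -> list[str]:
    """Run the sample under strace -f; timeout sends SIGKILL at the 600 s deadline."""
    return ["timeout", "-s", "KILL", str(TIMEOUT_S),
            "strace", "-f", "-ttt", "-o", f"{name}.syscall", *sample_argv]


def collect(name: str, sample_argv: list[str], iface: str = "eth0", device: str = "/dev/vda") -> int:
    """Start the tracers, run the sample to completion or timeout, stop the tracers.

    Returns the sample's exit status (124 or 137 indicates the deadline hit).
    """
    tracers = {kind: subprocess.Popen(cmd) for kind, cmd in tracer_commands(name, iface, device).items()}
    try:
        exit_code = subprocess.run(sample_command(name, sample_argv)).returncode
    finally:
        for proc in tracers.values():
            proc.send_signal(signal.SIGINT)  # SIGINT lets each tool flush and close its output file
            try:
                proc.wait(timeout=30)
            except subprocess.TimeoutExpired:
                proc.kill()
    return exit_code


if __name__ == "__main__":
    # usage: python collect_traces.py <output basename> <sample path> [args...]
    if len(sys.argv) < 3:
        sys.exit("usage: collect_traces.py NAME SAMPLE [ARGS...]")
    sys.exit(collect(sys.argv[1], sys.argv[2:]))
```

The resulting files follow the page's naming (NAME.syscall, NAME.net, NAME.perf and NAME.blktrace.N), so they can be indexed with the same extension rules the dataset uses.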