About the dataset

The dataset is available on Google Drive and consists of four zip files:

1. all_traces_root.zip includes traces for all 149 patched malwares operating with root privileges.
2. all_traces_user.zip contains traces for all 149 patched malwares running under user privileges.
3. ransom_traces.zip contains traces for 60 ransomware instances that exhibit file read/write/encryption behaviors.
4. benign_disk_traces.zip includes traces for 55 benign disk applications (e.g., zip programs).

For each malware/application, we collect four types of traces: syscall traces, network traces, disk traces, and performance traces. The syscall trace is stored in *.syscall files, the disk trace in *.blktrace files, the network trace in *.net files, and the performance trace in *.perf files. Data collection begins upon launching the virtual machine (VM) and initiating the malware sample. It continues until either the malware execution concludes or a timeout of 600 seconds is reached.

Syscall Trace

• Monitoring and recording system calls made by a process or processes running on an operating system
• Well-known trace

Network Trace

• Record data transfer between computer and network media (e.g., ethernet)
• Use a popular packet analysis tool wireshark to capture the data transfer information

Disk Trace

• Record data transfer between computer’s motherboard and storage devices (e.g., HDDs)
• Use Linux utility blktrace to capture data transfer information

Perf Trace

• Perf trace is a command in the Linux perf tool suite, which is a powerful set of tools used for performance analysis and debugging
• Use Linux utility perf to capture Performance Counter (HPC) measurements collected over 100ms time intervals