About the dataset

The dataset is available on Google Drive and consists of four zip files:

  1. all_traces_root.zip includes traces for all 149 patched malware samples operating with root privileges.
  2. all_traces_user.zip contains traces for all 149 patched malware samples running under user privileges.
  3. ransom_traces.zip contains traces for 60 ransomware instances that exhibit file read/write/encryption behaviors.
  4. benign_disk_traces.zip includes traces for 55 benign disk applications (e.g., zip programs).

For each malware/application, we collect four types of traces: syscall traces, network traces, disk traces, and performance traces. The syscall trace is stored in *.syscall files, the disk trace in *.blktrace files, the network trace in *.net files, and the performance trace in *.perf files. Data collection begins upon launching the virtual machine (VM) and initiating the malware sample. It continues until either the malware execution concludes or a timeout of 600 seconds is reached.

Syscall Trace

Network Trace

Disk Trace

Perf Trace