Overview
The CESNET-CC25 dataset is explicitly designed to reflect contemporary botnet Command-and-Control (C&C) traffic patterns. Unlike legacy datasets, CESNET-CC25 offers a richer and more representative set of real-world threats, capturing modern behaviors such as decentralized (peer-to-peer) architectures and encrypted communication channels. This enables more accurate and robust evaluation of detection methods under realistic and current conditions.
Dataset Metadata
| Property | Value |
|---|---|
| Type | Original dataset |
| Category | PCAP, Flows, Time Series |
| Primary Task | Botnet Detection |
| Formats Available | PCAP [1], IP Flows [2], Flow Time Series [3] |
| Availability | Publicly available via Zenodo |
Note: Only botnet traffic is available in PCAP format.
Data Collection Methodology
Architecture 1: Botnet C&C Communication Capture
The first capturing architecture is dedicated to capturing botnet C&C communication. In this setup:
- Execution Environment: Botnet binaries were executed within isolated virtual machines
- Traffic Capture: Upon activation, most botnets immediately initiated communication with their respective C&C servers
- Interception Method: Traffic was intercepted at the router level using port mirroring and recorded with `tcpdump` on a dedicated monitoring probe
- Security Measures: Continuous traffic supervision ensured timely intervention, and all malicious activities were promptly identified and blocked
- Example: The Gafgyt botnet typically initiates attack traffic within seconds of execution
Architecture 2: Benign Traffic Collection
The second architecture was designed to collect benign traffic from the CESNET3 network:
- Infrastructure: Deployed within a live ISP network
- Purpose: Obtain real-world benign communication patterns
- Advantage: Provides a more authentic representation of legitimate traffic compared to synthetically generated traffic in laboratory settings
- Benefit: Addresses the common limitation of existing malware communication datasets, which often include benign traffic crafted under artificial conditions
Dataset Formats
The dataset is published in three formats:
| Format | Description | Reference |
|---|---|---|
| PCAP | Raw packet captures (botnet traffic only) | [1] |
| IP Flows | Network flows in IP flow format | [2] |
| Flow Time Series | Periodic behavior features from multiflow time series | [3] |
How to Cite
@inproceedings{ovskera2025botnet,
title={Botnet Detection Through Periodic Patterns in Command-and-Control Network Traffic},
author={O{\v{s}}kera, Dominik and Koumar, Josef and Pokorn{\'a}, Al{\v{z}}b{\v{e}}ta and Je{\v{r}}{\'a}bek, Kamil and {\v{C}}ejka, Tom{\'a}{\v{s}}},
booktitle={2025 21st International Conference on Network and Service Management (CNSM)},
pages={1--6},
year={2025},
organization={IEEE}
}
Download
[1] Oškera, D., Koumar, J., Pokorná, A., Jeřábek, K., & Čejka, T. (2025). CESNET-CC25: Long-term Capture of C&C Communication of Botnets in the PCAP Format [Data set]. Zenodo.
DOI: 10.5281/zenodo.16752462
[2] Oškera, D., Koumar, J., Pokorná, A., Jeřábek, K., & Čejka, T. (2025). CESNET-CC25: Dataset for Detection of C&C Communication of Botnets in the IP Flow Format [Data set]. Zenodo.
DOI: 10.5281/zenodo.16753890
[3] Oškera, D., Koumar, J., Pokorná, A., Jeřábek, K., & Čejka, T. (2025). CESNET-CC25: Dataset for Detection of C&C Communication of Botnets in the Periodic Behavior Features from Multiflow Time Series Format [Data set]. Zenodo.
DOI: 10.5281/zenodo.16753981