Overview
The CESNET-MINER22 dataset [1] was created to design and evaluate detectors for cryptomining communication. The dataset uses extended bidirectional flow data created by ipfixprobe2, a high-performance flow exporter capable of monitoring 100 Gbps traffic.
Dataset Metadata
| Property | Value |
|---|---|
| Type | Original dataset |
| Category | Flows |
| Primary Task | Cryptomining Detection |
| Flow Exporter | ipfixprobe2 (100 Gbps capable) |
| Design Period | 14 December 2021 – 10 February 2022 |
| Validation Period | 28 February 2022 – 31 March 2022 |
Flow Format and Features
Extended Flow Information
Unlike traditional IP flow records that contain only basic information (e.g., number of transferred bytes and packets), ipfixprobe extends each flow with rich additional data:
| Feature Category | Description |
|---|---|
| Packet-level Details | Information about the first 30 packets carrying payload |
| Per-packet Metrics | Packet size, timestamp, TCP flags, direction |
| Payload Inspection | First 100 bytes of payload from each direction |
| TLS Metadata | Server Name Indication (SNI) from TLS Client Hello packets |
Advantages Over Traditional Flows
- Deep Packet Inspection: Captures initial payload for better classification
- Temporal Analysis: Individual packet timestamps enable time-series analysis
- Protocol Intelligence: TLS SNI extraction for encrypted traffic analysis
- High Performance: Operates at 100 Gbps line rate
Dataset Creation Methodology
The dataset creation process consisted of two primary steps:
Step 1: Traffic Capture Rule Generation
- Identified cryptomining communication patterns
- Developed filtering and capture rules
- Configured monitoring infrastructure
Step 2: Communication Capture
The collected traffic was temporally split into two parts:
| Part | Time Period | Purpose |
|---|---|---|
| Design | 14 Dec 2021 – 10 Feb 2022 | Model training and development |
| Validation | 28 Feb 2022 – 31 March 2022 | Testing and performance evaluation |
This temporal split enables evaluation of model generalization to future traffic patterns and helps assess the impact of evolving cryptomining behaviors.
Research Applications
The CESNET-MINER22 dataset supports research in:
- Cryptomining Detection: Binary classification of mining vs. benign traffic
- Protocol Analysis: Understanding cryptomining communication patterns
- Feature Engineering: Evaluating effectiveness of packet-level and payload features
- Temporal Robustness: Testing detector stability across time periods
How to Cite
@inproceedings{plny2022decrypto,
title={DeCrypto: Finding Cryptocurrency Miners on ISP Networks},
author={Pln{\`y}, Richard and Hynek, Karel and {\v{C}}ejka, Tom{\'a}{\v{s}}},
booktitle={Nordic Conference on Secure IT Systems},
pages={139--158},
year={2022},
organization={Springer}
}
Download
[1] Richard Plný, Karel Hynek, & Tomáš Čejka. (2022). CESNET-MINER22 (1.0) [Data set]. Zenodo.
DOI: 10.5281/zenodo.7189293