The port scan dataset contains approximately 50% benign flow data and 50% malicious flow data. Benign flow data was generated with the same Python scripts used in D1 and is labeled '0'. Malicious flow data is labeled '1'.
Malicious flow data was generated using the Nmap tool. Different types of slow port scans were launched against both TCP and UDP ports. The scans carried out were: TCP SYN scanning; TCP Connect scanning; UDP scanning; TCP NULL, FIN, and Xmas scanning; TCP ACK scanning; TCP Window scanning; and TCP Maimon scanning. The slow port-scanning attacks were carried out by 100 attack nodes that scanned 65536 ports on 200 victim nodes. Requests were launched with 5 to 10 seconds of slack time between them.
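The 5 to 10 second spacing is what makes these scans hard to catch with short counting windows. The sketch below is an added example, not part of the dataset or its authors' tooling: it counts distinct (destination, port) pairs per source in a sliding window and shows that a short window misses a slow scanner that a long window catches. The flow tuple layout, addresses, window sizes and threshold are assumptions, and the flows are constructed.

```python
import random
from collections import Counter, defaultdict

def scan_sources(flows, window, min_ports):
    """Return sources that contact >= min_ports distinct (dst, port)
    pairs within any `window`-second span.
    flows: iterable of (timestamp, src, dst, dport) -- assumed layout."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, (dst, dport)))
    flagged = set()
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        in_window = Counter()   # target -> occurrences inside the window
        left = 0
        for ts, target in events:
            in_window[target] += 1
            # Drop events that fell out of the trailing window.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                flagged.add(src)
                break
    return flagged

def constructed_flows(seed=1):
    """Constructed sample: one slow scanner and one benign client."""
    rng = random.Random(seed)
    flows, t = [], 0.0
    for port in range(1, 201):            # one probe every 5-10 s
        t += rng.uniform(5, 10)
        flows.append((t, "10.0.0.66", "10.0.1.5", port))
    for i in range(200):                  # repeated web traffic
        flows.append((i * 7.0, "10.0.0.7", "10.0.1.5", rng.choice([80, 443])))
    return flows

if __name__ == "__main__":
    flows = constructed_flows()
    print("10 s window :", scan_sources(flows, window=10, min_ports=20))
    print("600 s window:", scan_sources(flows, window=600, min_ports=20))
```
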