The dataset consists of processed alerts collected from the Warden system over several months (2017-2018 and 2023-2024). In total, more than three billion alerts were gathered from intrusion detection systems, honeypots, and other data sources deployed in organizations across the Czech Republic.

Since the data are obtained from detection mechanisms (silver-standard labels), they should be treated as labelled but not manually verified (e.g., by an expert). This fact needs to be taken into account when interpreting the results derived from this dataset. A similar dataset was created in 2020. The dataset contained raw alerts covering one week [9].

Due to the different periods of data collection as well as specific conditions related to the collection of real-world data, the dataset is divided into four parts:

• Part 1 - time series of IDEA alerts collected from the WARDEN system between 2017 and 2018,
• Part 2 - modified time series of IDEA alerts from
• Part 3 - cleared time series of IDEA alerts from part 2,
• Part 4 - time series of IDEA alerts collected from the WARDEN system between 2023 and 2024.

For the first part of the dataset, we selected 21 criteria for creating time series. The first two time series contain, per each time interval:

• count of all alerts,
•  count of unique source IP addresses.

The other time series contains counts of alerts of a specific category and of those with a specific target port or protocol, namely:

• category Recon.Scanning - attacks that send requests to a system in order to discover vulnerabilities. This also includes various testing processes to gather information about devices, running processes, users, etc.,
• category Availability.DDoS - the system is flooded with a large number of requests (packets, connections) from multiple sources, causing delays in operation or system crashes.
• category Attempt.Login - multiple login attempts (e.g., brute force),
• category Attempt.Exploit - an attempt to compromise a system or disrupt a service by exploiting vulnerabilities with a standardized identifier, such as CVE (e.g., buffer overflow, cross-site scripting, etc.), CVE (napr. buffer overflow, cross-site scripting a pod.),
• category Malware.Ransomware - software intentionally inserted or executed in a system with the malicious purpose of encrypting files and demanding ransom,
• category Intrusion.Botnet – detection of command-and-control (C&C) communication with a controlling server,
• port 21,
• port 22,
• port 23,
• port 25,
• port 80,
• port 443,
• port 445,
• protocol TCP,
• protocol SSH,
• protocol UDP,
• protocol ICMP,
• protocol MS WBT Server,
• protocol telnet.

This part of dataset is in folder named “part1”. There is one compressed csv file - part1.csv.xzThis file contains 22 columns. The first one is timestamptimestampand the other columns are values corresponding to specified criterion.

Every value means how many events occurred for selected criterion in given period (30 minutes). There are 17,473 rows (values) in the time range from 11th December 2017 00:00 to 10th December 2018 00:00. There are two places in dataset with missing values (value is NaN – not a number). First one is between 31st October 2018 00:00 (row 15,552) and 31st October 2018 23:30 (row 15,599), and at the end of dataset from 9th December 2018 20:00 (row 17464). In total 57 values are missing. Fig. 1 shows a part of the dataset for criterions “Count of all alerts”, “Category attempt login”, and “Port 445”.

Additionally, we provide a Jupyter Notebook (read_part_1.ipynb) in directory part1that demonstrates data loading, display graphs, shows more statistical information, train end test split according to papers [3,22] etc.

For the first part of the dataset, we also provide jupyter notebook (prediction_example_part_1.ipynbthat show example of usage of one time series (Port 445) of this part of the dataset for forecasting, using LSTM network and ARIMA approach. This example is easy to adjust to be used on other time series and other parts of the dataset.

The second part of the dataset has the same structure as the first part. This part of the dataset is in a folder named ''part2''. There is one compressed CSV file – part2.csv.xz. This part of the dataset consists of 520,889 rows (values). The period for this part of the dataset is one minute. Problematic and missing data from the beginning and end of the time series were removed, and the first value is on 13th December 2017 at 00:00. The last on 9th December 2018 at 17:28.

Also, there are missing data (NaN) between 31st October 2018 at 00:00 and 31st October 2018 23:30 (1411 rows). We also provide an example Jupyter Notebook (read_part_2.ipynb) in the folder “part 2” that demonstrates data loading, changing periods, displaying graphs, and showing additional statistical information, train end test split according to papers [3,22], among other features.

The third part of the dataset consists of three processing outputs (folders “only_events”, “source_destination”, and “tables_csv” in the “part3” folder).

Each of the first two processing outputs (folders “only_events” and “source_destination”) consists of 20 compressed CSV files. The name of each file corresponds to one of the 20 criteria described in the first part (note that one criterion does not have a time series). Every file contains columns that correspond to sensors that were sending alerts to the Warden system.

There are 271 time series in total (271 is the sum of the number of columns in every criterion file) in each of the first two processing outputs. The period is again one minute, so every line describes how many alerts are sent by the given sensor in one minute. The number of columns can vary because not every sensor sends alerts for every criterion.

The files in processing outputs vary in the way they were created. More information can be found in section “Experimental design, materials and methods”. The time range of the time series is the same as in the second part of the dataset, with the same missing values.