Cry Wolf simulated events

This repository contains analysis scripts and the data set used in the Cry Wolf experiment. The data set consists of simulated Intrusion Detection System (IDS) alerts.

Currently, the IDS alerts are all derived from an impossible travel scenario. Impossible travel alerts are triggered when a user authenticates from two geographic locations within a period where physical travel between the two locations is impossible, e.g., authentications from London and Moscow with a time between authentications of 30 minutes. Physical travel in this time frame is impossible, but the authentications may be legitimate through technical means such as a Virtual Private Network (VPN).
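The following is an added illustration of the impossible-travel heuristic described above, not code from this repository: it derives an implied ground speed from the great-circle distance between two authentication locations and the time between them, and flags pairs above an assumed feasible-speed ceiling. The city coordinates, the 1000 km/h ceiling and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_FEASIBLE_KMH = 1000.0  # assumed ceiling for commercial air travel; tune per environment

@dataclass
class AuthEvent:
    user: str
    timestamp: datetime
    city: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_FEASIBLE_KMH):
    """Return (earlier, later, implied_kmh) for consecutive authentications of one
    user whose implied speed exceeds max_kmh. A hit is a candidate for analyst
    review, not proof of compromise: a VPN exit produces the same pattern."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user_events in by_user.values():
        user_events.sort(key=lambda e: e.timestamp)
        for prev, cur in zip(user_events, user_events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            gap_h = (cur.timestamp - prev.timestamp).total_seconds() / 3600
            # Zero time gap with non-zero distance is trivially impossible.
            speed = dist / gap_h if gap_h > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                findings.append((prev, cur, speed))
    return findings

# Constructed sample events; coordinates are approximate city centres (assumed).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    AuthEvent("alice", T0, "London", 51.5074, -0.1278),
    AuthEvent("alice", T0 + timedelta(minutes=30), "Moscow", 55.7558, 37.6173),
    AuthEvent("bob", T0, "London", 51.5074, -0.1278),
    AuthEvent("bob", T0 + timedelta(hours=5), "Moscow", 55.7558, 37.6173),  # feasible
]

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE):
        print(f"{prev.user}: {prev.city} -> {cur.city} implies {kmh:.0f} km/h")
```

Only the London-to-Moscow pair 30 minutes apart is flagged (roughly 2500 km, so about 5000 km/h); the same route five hours apart passes as physically feasible.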

The dataset contains both true alarms, where the impossible travel alert warrants further investigation for potential malicious activity, and false alarms, where the alert is not cause for concern. Each alert contains the following data:

There are two versions of the dataset:

The two versions differ in the “time between authentications” field for five of the alerts.