Cybersecurity attacks: which dataset should be used to evaluate an intrusion detection system?
|
Author
|
Protić Danijela D., Stanković Miomir M.
|
Source
|
Military Technical Courier - 2023 - Volume: 71 - Issue: 4 - Pages: 970-995
|
Abstract
|
Introduction: Analyzing the high-dimensional datasets used for intrusion detection has become a challenge for researchers. This paper presents the most often used data sets. ADFA contains two data sets containing records from Linux/Unix. AWID is based on actual traces of normal and intrusion activity of an IEEE 802.11 Wi-Fi network. CAIDA collects data types in geographically and topologically diverse regions. In CIC-IDS2017, HTTP, HTTPS, FTP, SSH, and email protocols are examined. CSE-CIC-2018 includes abstract distribution models for applications, protocols, or lower-level network entities. DARPA contains data of network traffic. The ISCX 2012 dataset has profiles on various multi-stage attacks and actual network traffic with background noise. KDD Cup '99 is a collection of data transfer from a virtual environment. Kyoto 2006+ contains records of real network traffic. It is used only for anomaly detection. NSL-KDD corrects flaws in the KDD Cup '99 caused by redundant and duplicate records. UNSW-NB-15 is derived from real normal data and the synthesized contemporary attack activities of the network traffic. Methods: This study uses both quantitative and qualitative techniques. Scientific references and publicly accessible information about the given datasets are used. Results: Datasets are often simulated to meet objectives required by a particular organization. The number of real datasets is very small compared to the number of simulated datasets. Anomaly detection is rarely used today. Conclusion: The main characteristics and a comparative analysis of the data sets in terms of the date they were created, the size, the number of features, the traffic types, and the purpose are presented.
|
Keywords
|
ADFA, AWID, CAIDA, CIC-IDS-2017, CSE-CIC-2018, DARPA, ISCX 2012, KDD Cup '99, Kyoto 2006+, NSL-KDD, UNSWNB15
|
Address
|
Serbian Armed Forces, General Staff, Center for Applied Mathematics and Electronics, Department for Telecommunication and Informatics, Serbia; Serbian Academy of Sciences and Arts, Mathematical Institute, Serbia
|
Email
|
miomirdanijela@gmail.com