Concepedia

Publication | Closed Access

A Procedure for Collecting and Labeling Man-in-the-Middle Attack Traffic

Citations: 13

References: 1

Year: 2016

Abstract

In this work, we outline a procedure for collecting and labeling Man-in-the-Middle (MITM) attack traffic. Our capture procedure allows for the collection of real-world representative data using a full-scale network environment. MITM attacks are typically performed with the purpose of intercepting information between two networked machines. This enables the attacker to gain access to otherwise confidential communications and potentially alter said communications maliciously. MITM attacks are still a very common attack that can be implemented with relative ease across a variety of network environments. Our work establishes experimental procedures for enacting three prevalent MITM attack variants through penetration testing. The process for data collection is defined, along with our approach to gathering real-world, representative data. We also present a novel labeling procedure based on the inherent behaviors of each MITM attack variant. Our work aims to address the challenges associated with collecting such data within a live production environment, as well as identify the impact MITM attacks have on traffic behavior. We also present a case study to provide some quantitative analysis regarding the data collected.
