Man-in-the-Middle (MitM) Practice Test File (CSV)
=================================================

This is a synthetic, defender-focused dataset for practicing machine-learning defenses against Man-in-the-Middle (MitM) attacks. Each row represents a single network session (or short-lived connection summary) enriched with timing, transport, and TLS/certificate signals.

label:
    0 = normal session
    1 = MitM attack session

Columns
-------

session_id
    Unique session identifier.
timestamp_utc
    Session timestamp in UTC (ISO-8601).
environment
    Network context where the session occurred (corp_lan, home_wifi, cafe_wifi, campus).
application
    High-level application category (web_login, api_call, file_sync, email_client, admin_portal).
protocol
    Session protocol family (HTTPS, HTTP, SSH, IMAPS).
tls_used
    1 if the session used TLS (e.g., HTTPS/IMAPS), otherwise 0.
tls_version
    Negotiated TLS version if tls_used=1 (TLS1.0-TLS1.3). Empty if tls_used=0.
cipher_group
    Coarse cipher quality bucket if tls_used=1: modern / mixed / legacy.
session_duration_s
    Session duration in seconds.
bytes_up, bytes_down
    Approximate bytes uploaded/downloaded during the session.
rtt_ms_mean
    Mean round-trip time (RTT) in milliseconds.
rtt_ms_std
    Standard deviation of RTT (jitter proxy).
rtt_zscore
    Approximate z-score of RTT relative to the baseline of the session's environment.
retransmission_rate_per_100pkts
    Proxy retransmission rate per 100 packets.
packet_loss_rate_pct
    Proxy packet loss rate in percent.
cert_valid
    1 if certificate validation succeeded, 0 if validation failed (TLS sessions only).
cert_issuer_mismatch
    1 if the observed certificate issuer did not match the expected/pinned issuer (synthetic signal).
cert_self_signed
    1 if the observed certificate is self-signed (synthetic signal).
sni_hostname_mismatch
    1 if hostname expectations do not match observed TLS metadata (synthetic signal).
tls_downgrade_indicator
    1 if telemetry suggests an attempted downgrade to older TLS versions/ciphers (synthetic signal).
tls_handshake_anomaly
    1 if TLS handshake behavior is anomalous (synthetic signal).
arp_anomaly_flag
    1 if ARP behavior suggests spoofing/poisoning (synthetic signal).
dns_anomaly_flag
    1 if DNS behavior appears abnormal (synthetic signal).
gateway_mac_change_flag
    1 if the default gateway MAC changed unexpectedly (synthetic signal).

Suggested Practice Tasks
------------------------

1) Train a baseline classifier to predict label.
2) Evaluate with Precision/Recall and PR-AUC.
3) Try an anomaly model (Isolation Forest) trained on label=0 sessions only.
4) Add environment-aware features (per-environment baselines).
5) Build a risk score (0-100) and choose an alert threshold.
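As an added example (not part of the dataset or its tooling), a stdlib-only Python sketch of tasks 4 and 5: it reads constructed sample rows that use a subset of the column names above, fits per-environment RTT baselines on label=0 sessions only, and combines the certificate/TLS/ARP/DNS/gateway flags with RTT deviation into a 0-100 risk score and an alert threshold. The flag weights, the extra points for a failed certificate check or legacy TLS, and the threshold of 50 are illustrative assumptions.

```python
import csv
import statistics

# Constructed sample rows using a subset of the README's columns (not the real file).
SAMPLE_CSV = """\
session_id,environment,tls_used,tls_version,cipher_group,rtt_ms_mean,cert_valid,cert_issuer_mismatch,cert_self_signed,sni_hostname_mismatch,tls_downgrade_indicator,tls_handshake_anomaly,arp_anomaly_flag,dns_anomaly_flag,gateway_mac_change_flag,label
s1,corp_lan,1,TLS1.3,modern,12,1,0,0,0,0,0,0,0,0,0
s2,corp_lan,1,TLS1.2,modern,14,1,0,0,0,0,0,0,0,0,0
s3,corp_lan,1,TLS1.3,modern,11,1,0,0,0,0,0,0,0,0,0
s4,cafe_wifi,1,TLS1.2,mixed,60,1,0,0,0,0,0,0,0,0,0
s5,cafe_wifi,1,TLS1.3,modern,55,1,0,0,0,0,0,0,0,0,0
s6,cafe_wifi,1,TLS1.2,modern,65,1,0,0,0,0,0,0,0,0,0
s7,cafe_wifi,1,TLS1.0,legacy,140,0,1,1,0,1,1,1,0,1,1
"""

# Illustrative weights (an assumption, not from the dataset): certificate and ARP/gateway
# signals weigh most because they are the most direct evidence of an interposed party.
FLAG_WEIGHTS = {
    "cert_issuer_mismatch": 25, "cert_self_signed": 20, "sni_hostname_mismatch": 15,
    "tls_downgrade_indicator": 15, "tls_handshake_anomaly": 10, "arp_anomaly_flag": 20,
    "dns_anomaly_flag": 10, "gateway_mac_change_flag": 20,
}

def load_rows(text):
    return list(csv.DictReader(text.splitlines()))

def env_rtt_baselines(rows):
    """Task 4: per-environment (mean, std) of rtt_ms_mean from label=0 sessions only.
    A zero std (single sample) would divide by zero, so it falls back to 1.0 ms."""
    per_env = {}
    for r in rows:
        if r["label"] == "0":
            per_env.setdefault(r["environment"], []).append(float(r["rtt_ms_mean"]))
    return {e: (statistics.mean(v), statistics.pstdev(v) or 1.0) for e, v in per_env.items()}

def rtt_zscore(row, baselines):
    # Unseen environments get no baseline and therefore a z-score of 0.
    mean, std = baselines.get(row["environment"], (float(row["rtt_ms_mean"]), 1.0))
    return (float(row["rtt_ms_mean"]) - mean) / std

def risk_score(row, baselines):
    """Task 5: 0-100 score from weighted flags, failed cert validation, legacy TLS, RTT outliers."""
    score = sum(w for flag, w in FLAG_WEIGHTS.items() if row[flag] == "1")
    if row["tls_used"] == "1":  # cert_* and TLS fields are only meaningful on TLS sessions
        score += 25 if row["cert_valid"] == "0" else 0
        score += 10 if row["tls_version"] in ("TLS1.0", "TLS1.1") or row["cipher_group"] == "legacy" else 0
    score += min(20, 5 * max(0.0, rtt_zscore(row, baselines) - 2))  # only clear RTT outliers add risk
    return min(100, round(score))

def alerts(rows, threshold=50):
    baselines = env_rtt_baselines(rows)
    return [r["session_id"] for r in rows if risk_score(r, baselines) >= threshold]
```

Once a classifier from task 1 exists, its predicted probability can replace or be blended into the flag sum, with the threshold then chosen from the PR curve of task 2.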