  • Trace data
GICS Intrusion Detection Datasets
  • Contributor Stephane Mocanu
Read me file
readme2.txt
Context
These datasets were generated for the evaluation of cybersecurity measures in the context of industrial control systems (ICS). An ICS is a set of devices (electrical, mechanical, hydraulic, ...) whose interaction controls the behavior of a physical process in order to achieve an industrial objective (manufacturing, transportation of matter and energy, etc.). ICSs serve as the backbone of several critical infrastructures that provide facilities for the generation and distribution of electricity, water treatment and supply, railway transportation networks, and manufacturing applications. Due to their criticality, failures in these systems, whether of accidental or intentional origin, can lead to significant human and economic loss.

The recent history of ICSs is that of an ever-growing convergence with classical information technology (IT) systems. In an effort to drive down costs and provide stakeholders, engineers and operators with seamless access to the industrial plants, ICSs are nowadays interconnected with the Internet and have adopted off-the-shelf IT technology such as TCP/IP networking, standard computer architectures, and common operating systems. Concurrently, many of the security vulnerabilities which marred IT systems have been exported to ICSs. Thus, if such systems were once considered secure because of their isolation, their use of proprietary protocols and peculiar architectures, this is no longer the case, as witnessed by the growing number of increasingly sophisticated cybersecurity incidents in the last decades. As a result, nation-states, organizations, and industries have become sensitive to the security threats of ICSs, and have been adamant in their call for the development of adequate security measures to protect ICSs from security breaches.

One of the key aspects which distinguish an ICS from classical IT systems is the presence of a physical process. This has led to the emergence of a new class of threats which target the physical process. These datasets contain instances of such attacks and can be used to evaluate the efficiency of security measures in protecting an ICS against targeted attacks.

Content
These datasets include network traces collected at the ENSE3 GICS platform for the purpose of evaluating an intrusion detection system (IDS) for ICS. An IDS is a system which monitors another system in order to automatically detect security breaches.

The network traces capture the behavior of an ICS test bed under attacks targeting the physical process. The test bed is implemented in GICS and comprises several controllers (Schneider M340/M580, Wago IPC-C6, Siemens, etc.) along with supervisory machines, engineering workstations and human machine interfaces (HMIs). Each controller sends commands to, and receives sensor information from, a real-time OpenModelica simulation of a physical process representing a complex chemical plant, via I/O interface cards.

The traces contain, among other protocols, Modbus traffic carrying attacks that violate the specifications of the underlying physical process. The attacks are performed by sending a sequence of Modbus commands from workstations to the controllers running the control logic which steers the process. Two types of attacks are contained in these datasets. The first type violates qualitative temporal constraints on the behavior of the physical process. Examples of such attacks include opening two valves simultaneously or stopping a motor before its due time. The second type violates quantitative temporal constraints. For example, the traces include attacks that wear a valve by quickly opening and closing it.

The contents of the datasets are as follows:
* One capture free from attacks and containing only legitimate traffic (capture16)
* Four captures containing attacks (capture17, capture18, capture19, capture20)
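
An added example, not part of the dataset's readme: a minimal specification-based check for the two attack types described above, run over Modbus/TCP Write Single Coil requests. The coil addresses, the dwell threshold and the sample events are assumptions constructed for illustration; timestamps and payloads would in practice be extracted from the pcapng captures.

```python
import struct

# Assumed process rules (hypothetical): real coil addresses and timings come
# from the plant's control specification, not from the dataset page.
EXCLUSIVE_VALVES = (10, 11)  # coils that must never be open together
MIN_DWELL_S = 5.0            # minimum time a valve must hold its state

def parse_write_single_coil(adu):
    """Return (coil, is_on) for a Modbus/TCP Write Single Coil request, else None."""
    if len(adu) < 12:
        return None
    _tid, proto, length, _unit, func = struct.unpack(">HHHBB", adu[:8])
    addr, value = struct.unpack(">HH", adu[8:12])
    if proto != 0 or length != 6 or func != 0x05 or value not in (0xFF00, 0):
        return None
    return addr, value == 0xFF00

def check_trace(events):
    """events: (timestamp_s, adu_bytes) pairs in capture order -> list of alerts."""
    state, last_change, alerts = {}, {}, []
    for ts, adu in events:
        parsed = parse_write_single_coil(adu)
        if parsed is None or state.get(parsed[0]) == parsed[1]:
            continue  # not a coil write, or a repeat that changes nothing
        coil, is_on = parsed
        # Quantitative constraint: state flipped before the dwell time elapsed.
        if coil in last_change and ts - last_change[coil] < MIN_DWELL_S:
            alerts.append((ts, "quantitative", coil))
        state[coil], last_change[coil] = is_on, ts
        # Qualitative constraint: mutually exclusive valves both commanded open.
        if coil in EXCLUSIVE_VALVES and all(state.get(c) for c in EXCLUSIVE_VALVES):
            alerts.append((ts, "qualitative", coil))
    return alerts

def build_adu(tid, coil, on):
    """Constructed Write Single Coil request for unit id 1 (sample input only)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, 1, 0x05, coil, 0xFF00 if on else 0)

SAMPLE = [  # constructed events, not taken from the captures
    (0.0, build_adu(1, 10, True)),    # valve 10 opens
    (8.0, build_adu(2, 10, False)),   # closes after 8 s: allowed
    (20.0, build_adu(3, 11, True)),   # valve 11 opens
    (30.0, build_adu(4, 10, True)),   # valve 10 opens while 11 is open
    (31.0, build_adu(5, 10, False)),  # closed again after only 1 s
    (32.0, build_adu(6, 10, True)),   # reopened after only 1 s
]

if __name__ == "__main__":
    for alert in check_trace(SAMPLE):
        print(alert)
```

Running the same rules over the attack-free capture (capture16) first gives a baseline for false positives before evaluating the captures that contain attacks.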

How to use
The datasets are in the standard pcapng format (https://wiki.wireshark.org/Development/LibpcapFileFormat). They contain TCP/IP traffic with industrial application protocols.
They can be viewed with Wireshark (https://wiki.wireshark.org) or any other software able to decode the pcapng file format.

2018 09 24
The size of this dataset is between 500 and 4000 Mb
Archive files
dataet.zip
2018 09 19
1.15 GB
  • capture16 /
  • capture16 / capture16_00001_20170512120033 146 484 438 ko
  • capture16 / capture16_00002_20170512122606 146 484 465 ko
  • capture16 / capture16_00003_20170512125356 146 484 402 ko
  • capture16 / capture16_00004_20170512132022 146 484 379 ko
  • capture16 / capture16_00005_20170512134321 146 484 422 ko
  • capture16 / capture16_00006_20170512140721 5 838 785 ko
  • capture17 /
  • capture17 / capture17_00001_20170512145530 146 484 375 ko
  • capture17 / capture17_00002_20170512152123 146 484 383 ko
  • capture17 / capture17_00003_20170512154641 146 484 465 ko
  • capture17 / capture17_00004_20170512161331 146 484 488 ko
  • capture17 / capture17_00005_20170512164128 146 484 379 ko
  • capture17 / capture17_00006_20170512170825 146 484 387 ko
  • capture17 / capture17_00007_20170512173609 113 338 320 ko
  • capture18 /
  • capture18 / capture18_00001_20170516125644 146 484 453 ko
  • capture18 / capture18_00002_20170516132244 146 484 395 ko
  • capture18 / capture18_00003_20170516134435 146 484 375 ko
  • capture18 / capture18_00004_20170516140543 146 484 441 ko
  • capture18 / capture18_00005_20170516143044 146 484 391 ko
  • capture18 / capture18_00006_20170516145723 146 484 375 ko
  • capture18 / capture18_00007_20170516152441 146 484 391 ko
  • capture18 / capture18_00008_20170516155352 43 004 699 ko
  • capture19 /
  • capture19 / capture19_00001_20170529090226 146 484 383 ko
  • capture19 / capture19_00002_20170529092901 146 484 461 ko
  • capture19 / capture19_00003_20170529095504 146 484 402 ko
  • capture19 / capture19_00004_20170529102331 146 484 406 ko
  • capture19 / capture19_00005_20170529105155 146 484 426 ko
  • capture19 / capture19_00006_20170529111928 146 484 434 ko
  • capture19 / capture19_00007_20170529114822 77 928 020 ko
  • capture20 /
  • capture20 / capture20_00001_20170524155834 146 484 406 ko
  • capture20 / capture20_00002_20170524162431 146 484 430 ko
  • capture20 / capture20_00003_20170524164956 146 484 461 ko
  • capture20 / capture20_00004_20170524171648 146 484 508 ko
  • capture20 / capture20_00005_20170524174419 146 484 395 ko
  • capture20 / capture20_00006_20170524181207 146 484 426 ko
  • capture20 / capture20_00007_20170524183938 124 718 242 ko
Related publications
Other metadata
  • External Identifiers:

  • Subjects:

    Computer Science
  • Keywords:

    intrusion detection, cybersecurity, industrial control systems, cyberattacks
  • Corresponding tasks:

    anomaly detection
  • Encoding data format:

    pcapng - PCAP Next Generation Dump File Format (https://wiki.wireshark.org/Development/PcapNg)

Stephane Mocanu (2018) GICS Intrusion Detection Datasets. [Data set]. 10.18709/PERSCIDO.2018.09.DS236. Published 2018 via Perscido-Grenoble-Alpes