Difference between revisions of "Datasets"
(7 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
+ | |||
⚫ | |||
+ | ===== Data sets for alert correlation in industrial control systems ===== |
||
− | * single flow line mode direct connection |
||
+ | |||
+ | These datasets include network traces collected at the ENSE3 GICS platform for the purposes of evaluating an intrusion detection system (IDS) for ICS. An IDS is a system which monitors a system in order to automatically detect security breaches. |
||
+ | The network traces capture the behavior of an ICS test bed under attacks targeting the physical process. The test bed is implemented in GICS and is comprised of several controllers (Schneider M340/M580, Wago IPC-C6, Siemens, etc.) along with supervisory machines, engineering workstations and human machine interfaces (HMIs). Each controller sends commands and receives sensor information, via I/O interface cards, from a real-time OpenModelica simulation of a complex physical process representing a complex chemical plant. The traces contain, among other protocols, Modbus traffic carrying attacks violating the specifications of the underlying physical process. This is performed by sending a sequence of Modbus commands from workstations to controllers running the control logics which steer the process. Two types of attacks are contained in these datasets. The first type of attacks violates qualitative temporal constraints on the behavior of the physical process. Examples of such attacks include opening simultaneously two valves or stopping a motor before its due time. The second type of attacks violates quantitative temporal constraints. For example, the traces include attacks that wear a valve by quickly opening and closing it. |
||
+ | |||
+ | The contents of the datasets is as follows : |
||
+ | |||
+ | * One capture free from attacks and containing only legitimate traffic [[http://lig-g-ics.imag.fr/datasets/correlation/capture16.zip capture16]] |
||
+ | * Four captures containing attacks ([[http://lig-g-ics.imag.fr/datasets/correlation/capture17.zip capture17]], [[http://lig-g-ics.imag.fr/datasets/correlation/capture18.zip capture18]], [[http://lig-g-ics.imag.fr/datasets/correlation/capture19.zip capture19]], [[http://lig-g-ics.imag.fr/datasets/correlation/capture20.zip capture20]]) |
||
+ | |||
+ | |||
⚫ | |||
+ | * [[http://lig-g-ics.imag.fr/datasets/processbus/P1LineMode.zip single flow line mode direct connection]] |
||
* [[http://lig-g-ics.imag.fr/datasets/processbus/P1HSR.zip single flow HSR]] |
* [[http://lig-g-ics.imag.fr/datasets/processbus/P1HSR.zip single flow HSR]] |
||
* [[http://lig-g-ics.imag.fr/datasets/processbus/P1PRPdirect.zip single flow PRP direct connection]] |
* [[http://lig-g-ics.imag.fr/datasets/processbus/P1PRPdirect.zip single flow PRP direct connection]] |
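Review bot: the download links added in this revision (capture16 through capture20, and P1LineMode) are plain http:// URLs to zip archives with no checksum listed beside them. Consider publishing a SHA-256 digest next to each archive so that users can verify what they downloaded before feeding it to an IDS evaluation. Separately, the added sentence "The contents of the datasets is as follows :" should read "are as follows:", and "a complex physical process representing a complex chemical plant" repeats "complex".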
Latest revision as of 10:57, 31 August 2021
The datasets are industrial network traffic collected at the G-ICS lab.
Some datasets correspond to published papers and are hosted on external servers (like https://persyval-platform.univ-grenoble-alpes.fr/); others are locally available and contain some unusual traffic.
Data sets for alert correlation in industrial control systems
These datasets include network traces collected at the ENSE3 GICS platform for the purpose of evaluating an intrusion detection system (IDS) for ICS. An IDS monitors a system in order to automatically detect security breaches.
The network traces capture the behavior of an ICS test bed under attacks targeting the physical process. The test bed is implemented in GICS and comprises several controllers (Schneider M340/M580, Wago IPC-C6, Siemens, etc.) along with supervisory machines, engineering workstations and human machine interfaces (HMIs). Each controller sends commands to, and receives sensor information from, a real-time OpenModelica simulation of a complex physical process representing a chemical plant, via I/O interface cards. The traces contain, among other protocols, Modbus traffic carrying attacks that violate the specifications of the underlying physical process. The attacks are carried out by sending a sequence of Modbus commands from workstations to the controllers running the control logic that steers the process. The datasets contain two types of attacks. The first type violates qualitative temporal constraints on the behavior of the physical process. Examples of such attacks include opening two valves simultaneously or stopping a motor before its due time. The second type violates quantitative temporal constraints. For example, the traces include attacks that wear a valve by quickly opening and closing it.
The contents of the datasets are as follows:
- One capture free from attacks and containing only legitimate traffic [capture16]
- Four captures containing attacks ([capture17], [capture18], [capture19], [capture20])
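The two attack classes described above can be expressed as checks over the coil writes seen in the Modbus traffic. The following is an added example, not code from the G-ICS lab or its IDS: the coil addresses, the rule names, the 30 s minimum motor run time and the toggle limit are all assumptions chosen for illustration, and the events are constructed rather than taken from the captures.

```python
from collections import defaultdict, deque

# Hypothetical coil addresses and limits (assumptions, not taken from the captures).
VALVE_A, VALVE_B, MOTOR = 1, 2, 3
MUTEX = {VALVE_A, VALVE_B}      # qualitative: the two valves are never open together
MOTOR_MIN_RUN = 30.0            # "due time" modelled as a minimum run time, in seconds
MAX_TOGGLES, WINDOW = 4, 10.0   # quantitative: at most 4 state changes per 10 s

def check(events):
    """events: (timestamp, coil, value) tuples decoded from Modbus
    Write Single Coil requests (function code 5), in time order."""
    state = defaultdict(bool)       # last commanded value per coil
    toggles = defaultdict(deque)    # recent state-change times per coil
    motor_on_at = None
    alerts = []
    for ts, coil, value in events:
        if state[coil] == value:
            continue                # repeated write, no state change
        state[coil] = value
        if coil in MUTEX and all(state[c] for c in MUTEX):
            alerts.append((ts, "valves_open_together", coil))
        if coil == MOTOR and value:
            motor_on_at = ts
        elif coil == MOTOR and motor_on_at is not None \
                and ts - motor_on_at < MOTOR_MIN_RUN:
            alerts.append((ts, "motor_stopped_early", coil))
        recent = toggles[coil]
        recent.append(ts)
        while ts - recent[0] > WINDOW:
            recent.popleft()        # drop changes outside the sliding window
        if len(recent) > MAX_TOGGLES:
            alerts.append((ts, "rapid_toggling", coil))
    return alerts

# Constructed sample events, not extracted from the published captures.
SAMPLE = [
    (0.0, MOTOR, True), (1.0, VALVE_A, True),
    (2.0, VALVE_B, True),     # both valves open
    (3.0, VALVE_B, False),
    (5.0, MOTOR, False),      # motor stopped after 5 s
    (20.0, VALVE_A, False), (21.0, VALVE_A, True), (22.0, VALVE_A, False),
    (23.0, VALVE_A, True), (24.0, VALVE_A, False),   # 5 changes within 4 s
]

if __name__ == "__main__":
    for alert in check(SAMPLE):
        print(alert)
```

Running the same rules over the attack-free capture gives a false-positive baseline before they are applied to the captures containing attacks.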
Data sets for the traffic measurement in process bus networks:
- [2 flows HSR]
- [3 flows HSR]
- [4 flows HSR]
- [5 flows HSR]
- [6 flows HSR]