This repository is part of IPAL - an Industrial Protocol Abstraction Layer. IPAL aims to establish an abstract representation of industrial network traffic for subsequent unified and protocol-independent industrial intrusion detection. IPAL consists of a transcriber to automatically translate industrial traffic into the IPAL representation, an IDS Framework implementing various industrial intrusion detection systems (IIDSs), and a collection of evaluation datasets. For details about IPAL, please refer to our publications listed down below.
This repository contains a collection of datasets for evaluating industrial IDS. Therefore, this repository contains scripts to convert (transcribe) existing datasets into IPAL format. It does not contain the raw datasets nor the datasets transcribed into IPAL. We merely use placeholders which can be replaced after obtaining the original datasets at the respective publishers (see link in the table below).
| Dataset | Type | Notes | Link |
|---|---|---|---|
| ELEGANT | Packet (Modbus) | The ELEGANT dataset consists of a MiTM and a DoS part. Until now we consider only the MiTM dataset and not the DoS dataset. | IEEE Dataport |
| Electra | Packet (Modbus, S7) | Not all IPAL features are present, e.g., crc or length are missing. Also the request data/address fields are not always correct. We skip few duplicated packets. | Webseite |
| Energy Dataset | Packet (IEC-104) | A short PCAP of the WATTSON simulator from Fraunhofer FKIE. We use the manipulateTraces tool from the DTMC IDS paper to add attacks to the WATTSON PCAP. | Paper, manipulateTraces DTMC Paper |
| GeekLounge | Packet (S7) | The dataset does not contain any attacks. We added attacks according to the description of a paper. This results in 6 datasets with 3 attacks types each on requests and responses of S7 packets. | Website , Paper |
| HAI | State | Dataset contains three training and five test files. Train and test are not in linear time order and have overlapping time-regions. | Github |
| HIL | Packet & State (Modbus) | Paper | |
| IEC61850SecurityDataset | Packet (Goose) | Github | |
| Lemay | Packet (Modbus) | Most attacks are not performed with Modbus and use different protocols not relevant for the transcriber. | Paper Github |
| MorrisDS4 | Packet (Modbus) | There are minor differences between the Raw and Arff dataset. These differences affect only the attack packets. Default: Use the Arff dataset. | Website |
| QUT_S7comm | Packet (S7) | Dataset Paper | |
| QUT_S7_Myers | Packet (S7). | TODO: Check Rules | Dataset Paper |
| QUT_DNP3 | Packet (DNP3, GOOSE) | Git Thesis | |
| SWaT | State | Attack dataset has a 81s gap which we fill with the previous state. The first 1800s are often skipped in literature. The version 0 of SWaT has a slightly different start of the training data. | iTrust |
| TEP-PASAD | State | The dataset consists of 5 different scenarios. Each scenario has its own training and test part combined in one single file. | Github |
| WADI | State | WADI has a large gap in the training data of ~73h. Note: we use the row number as index for the timestamp since WADI has a challenging time notation. | iTrust |
Transcribing the datasets requires the ipal-transcriber and tshark to be installed (see IPAL - Transcriber and https://tshark.dev/setup/install/).
-
After cloning the repository, initialise Git's submodules with
git submodule initandgit submodule update -
To transcribe a dataset into IPAL, one needs to obtain copy of the original datasets, e.g., from the source listed in table above. This dataset needs to be placed under
[dataset-name]/raw/. -
Use the
transcribe.shortranscribe.pyscripts to convert the dataset into IPAL. The dataset will be exported to[datset-name]/ipal.
MIT License. See LICENSE for details.