Malware communication in smart factories: A network traffic data set

IF 4.4 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2024-10-09 DOI:10.1016/j.comnet.2024.110804

Bernhard Brenner , Joachim Fabini , Magnus Offermanns , Sabrina Semper , Tanja Zseby

{"title":"Malware communication in smart factories: A network traffic data set","authors":"Bernhard Brenner , Joachim Fabini , Magnus Offermanns , Sabrina Semper , Tanja Zseby","doi":"10.1016/j.comnet.2024.110804","DOIUrl":null,"url":null,"abstract":"<div><div>Machine learning-based intrusion detection requires suitable and realistic data sets for training and testing. However, data sets that originate from real networks are rare. Network data is considered privacy sensitive and the purposeful introduction of malicious traffic is usually not possible. In this paper we introduce a labeled data set captured at a smart factory located in Vienna, Austria during normal operation and during penetration tests with different attack types. The data set consists of 173 GB of Packet Capture (PCAP) files, which represent 16 days (395 h) of factory operation. It includes Message Queuing Telemetry Transport (MQTT), OPC Unified Architecture (OPC UA), and Modbus/TCP traffic. The captured malicious traffic was originated by a professional penetration tester who performed two types of attacks: (a) aggressive attacks that are easier to detect and (b) stealthy attacks that are harder to detect. Our data set includes the raw PCAP files and extracted flow data. Labels for packets and flows indicate whether packets (or flows) originated from a specific attack or from benign communication. We describe the methodology for creating the data set, conduct an analysis of the data and provide detailed information about the recorded traffic itself. The data set is freely available to support reproducible research and the comparability of results in the area of intrusion detection in industrial networks.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"255 ","pages":"Article 110804"},"PeriodicalIF":4.4000,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128624006364","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Machine learning-based intrusion detection requires suitable and realistic data sets for training and testing. However, data sets that originate from real networks are rare. Network data is considered privacy sensitive and the purposeful introduction of malicious traffic is usually not possible. In this paper we introduce a labeled data set captured at a smart factory located in Vienna, Austria during normal operation and during penetration tests with different attack types. The data set consists of 173 GB of Packet Capture (PCAP) files, which represent 16 days (395 h) of factory operation. It includes Message Queuing Telemetry Transport (MQTT), OPC Unified Architecture (OPC UA), and Modbus/TCP traffic. The captured malicious traffic was originated by a professional penetration tester who performed two types of attacks: (a) aggressive attacks that are easier to detect and (b) stealthy attacks that are harder to detect. Our data set includes the raw PCAP files and extracted flow data. Labels for packets and flows indicate whether packets (or flows) originated from a specific attack or from benign communication. We describe the methodology for creating the data set, conduct an analysis of the data and provide detailed information about the recorded traffic itself. The data set is freely available to support reproducible research and the comparability of results in the area of intrusion detection in industrial networks.

查看原文本刊更多论文

智能工厂中的恶意软件通信：网络流量数据集

基于机器学习的入侵检测需要合适且真实的数据集来进行训练和测试。然而，源自真实网络的数据集并不多见。网络数据被视为隐私敏感数据，通常不可能有目的地引入恶意流量。在本文中，我们介绍了位于奥地利维也纳的一家智能工厂在正常运行和使用不同攻击类型进行渗透测试期间捕获的标记数据集。数据集由 173 GB 的数据包捕获 (PCAP) 文件组成，代表了工厂 16 天（395 小时）的运行情况。其中包括消息队列遥测传输（MQTT）、OPC 统一架构（OPC UA）和 Modbus/TCP 流量。捕获的恶意流量由专业渗透测试人员发起，他们实施了两种类型的攻击：(a) 攻击性攻击，这种攻击更容易被检测到；(b) 隐身攻击，这种攻击更难被检测到。我们的数据集包括原始 PCAP 文件和提取的流量数据。数据包和数据流的标签表明数据包（或数据流）是来自特定攻击还是来自良性通信。我们介绍了创建数据集的方法，对数据进行了分析，并提供了有关记录流量本身的详细信息。数据集免费提供，以支持工业网络入侵检测领域的可重复研究和结果可比性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.