Dongsung Kim,Yuchan Song,Soonhyeon Kwon,Haerin Kim,Jeong Do Yoo,Huy Kang Kim

2024-04-08

Abstract:We collected attack data from unmanned vehicles using the UAVCAN protocol, and public and described technical documents. A testbed was built with a drone using PX4, and a total of three attacks, Flooding, Fuzzy, and Replay, were performed. The attack was carried out in a total of 10 scenarios. We expect that the attack data will help develop technologies such as anomaly detection to solve the security threat problem of drones.

Cryptography and Security

Yuan Xu,Xingshuo Han,Gelei Deng,Jiwei Li,Yang Liu,Tianwei Zhang

DOI: https://doi.org/10.1109/eurosp57164.2023.00067

2022-01-01

Abstract:Robotic Vehicles (RVs) have gained great popularity over the past few years. Meanwhile, they are also demonstrated to be vulnerable to sensor spoofing attacks. Although a wealth of research works have presented various attacks, some key questions remain unanswered: are these existing works complete enough to cover all the sensor spoofing threats? If not, how many attacks are not explored, and how difficult is it to realize them? This paper answers the above questions by comprehensively systematizing the knowledge of sensor spoofing attacks against RVs. Our contributions are threefold. (1) We identify seven common attack paths in an RV system pipeline. We categorize and assess existing spoofing attacks from the perspectives of spoofer property, operation, victim characteristic and attack goal. Based on this systematization, we identify 4 interesting insights about spoofing attack designs. (2) We propose a novel action flow model to systematically describe robotic function executions and unexplored sensor spoofing threats. With this model, we successfully discover 103 spoofing attack vectors, 26 of which have been verified by prior works, while 77 attacks are never considered. (3) We design two novel attack methodologies to verify the feasibility of newly discovered spoofing attack vectors.

Tommaso Puccetti,Simone Nardi,Cosimo Cinquilli,Tommaso Zoppi,Andrea Ceccarelli

2024-02-13

Abstract:Most of the intrusion detection datasets to research machine learning-based intrusion detection systems (IDSs) are devoted to cyber-only systems, and they typically collect data from one architectural layer. Additionally, often the attacks are generated in dedicated attack sessions, without reproducing the realistic alternation and overlap of normal and attack actions. We present a dataset for intrusion detection by performing penetration testing on an embedded cyber-physical system built over Robot Operating System 2 (ROS2). Features are monitored from three architectural layers: the Linux operating system, the network, and the ROS2 services. The dataset is structured as a time series and describes the expected behavior of the system and its response to ROS2-specific attacks: it repeatedly alternates periods of attack-free operation with periods when a specific attack is being performed. Noteworthy, this allows measuring the time to detect an attacker and the number of malicious activities performed before detection. Also, it allows training an intrusion detector to minimize both, by taking advantage of the numerous alternating periods of normal and attack operations.

Machine Learning

Shishir Kumar Shandilya,Chirag Ganguli,Ivan Izonin,Prof Atulya Kumar Nagar

DOI: https://doi.org/10.1016/j.dib.2022.108771

2022-11-24

Abstract:To determine the effectiveness of any defense mechanism, there is a need for comprehensive real-time network data that solely references various attack scenarios based on older software versions or unprotected ports, and so on. This presented dataset has entire network data at the time of several cyber attacks to enable experimentation on challenges based on implementing defense mechanisms on a larger scale. For collecting the data, we captured the network traffic of configured virtual machines using Wireshark and tcpdump. To analyze the impact of several cyber attack scenarios, this dataset presents a set of ten computers connected to Router1 on VLAN1 in a Docker Bridge network, that try and exploit each other. It includes browsing the web and downloading foreign packages including malicious ones. Also, services like File Transfer Protocol (FTP) and Secure Shell (SSH) were exploited using several attack mechanisms. The presented dataset shows the importance of updating and patching systems to protect themselves to a greater extent, by following attack tactics on older versions of packages as compared to the newer and updated ones. This dataset also includes an Apache Server hosted on a different subset of VLAN2 which is connected to the VLAN1 to demonstrate isolation and cross- VLAN communication. The services on this web server were also exploited by the previously stated ten computers. The attack types include Distributed Denial of Service, SQL Injection, Account Takeover, Service Exploitation (SSH, FTP), DNS and ARP Spoofing, Scanning and Firewall Searching and Indexing (using Nmap), Hammering the services to brute-force passwords and usernames, Malware attacks, Spoofing, and Man-in-the-Middle Attack. The attack scenarios also show various scanning mechanisms and the impact of Insider Threats on the entire network.

Tommaso Puccetti,Simone Nardi,Cosimo Cinquilli,Tommaso Zoppi,Andrea Ceccarelli

DOI: https://doi.org/10.1038/s41597-024-03311-2

2024-05-11

Scientific Data

Abstract:Most of the intrusion detection datasets to research machine learning-based intrusion detection systems (IDSs) are devoted to cyber-only systems, and they typically collect data from one architectural layer. Often the attacks are generated in dedicated attack sessions, without reproducing the realistic alternation and overlap of normal and attack actions. We present a dataset for intrusion detection by performing penetration testing on an embedded cyber-physical system built over Robot Operating System 2 (ROS2). Features are monitored from three architectural layers: the Linux operating system, the network, and the ROS2 services. The dataset is structured as a time series and describes the expected behavior of the system and its response to ROS2-specific attacks: it repeatedly alternates periods of attack-free operation with periods when a specific attack is being performed. This allows measuring the time to detect an attacker and the number of malicious activities performed before detection. Also, it allows training an intrusion detector to minimize both, by taking advantage of the numerous alternating periods of normal and attack operations.

multidisciplinary sciences

Aya Abdul Rahman Alchikh Omar,Bassel Soudan,Ala Altaweel

DOI: https://doi.org/10.1016/j.dib.2024.110650

2024-06-22

Abstract:The proliferation of Internet of Things (IoT) implementations has enabled significant advancements across various applications, from smart homes to industrial automation. IoT networks typically consist of wirelessly interconnected, resource-constrained heterogeneous nodes. They are usually built using the energy-efficient Low Power and Lossy Network (LLN) standard, and employ the Routing Protocol for Low-Power and Lossy Networks (RPL) due to its efficiency in accommodating the constraints of IoT devices. However, RPL-based networks are susceptible to various security attacks that target the organization of the network. Chief among these is the sinkhole attack, which disrupts the network topology to attract traffic towards the malicious node by advertising false routing information. This work addresses the challenge of detecting sinkhole attacks on RPL-based IoT networks by introducing the extensive UOS_IOTSH_2024 dataset. This dataset is comprised mainly of raw network traffic collected through simulations of realistic IoT networks using the COOJA simulator. The dataset contains samples representing single and dual attackers in small and medium-sized IoT networks. It also covers both single-DODAG and dual-DODAG network architectures, as well as attackers at various locations across different topological positions for each scenario. In total, the dataset comprises 1,771,880 samples covering 60 different scenarios.

Miki E. Verma,Robert A. Bridges,Michael D. Iannacone,Samuel C. Hollifield,Pablo Moriano,Steven C. Hespeler,Bill Kay,Frank L. Combs

DOI: https://doi.org/10.1371/journal.pone.0296879

2024-02-07

Abstract:Although ubiquitous in modern vehicles, Controller Area Networks (CANs) lack basic security properties and are easily exploitable. A rapidly growing field of CAN security research has emerged that seeks to detect intrusions on CANs. Producing vehicular CAN data with a variety of intrusions is out of reach for most researchers as it requires expensive assets and expertise. To assist researchers, we present the first comprehensive guide to the existing open CAN intrusion datasets, including a quality analysis of each dataset and an enumeration of each's benefits, drawbacks, and suggested use case. Current public CAN IDS datasets are limited to real fabrication (simple message injection) attacks and simulated attacks often in synthetic data, which lack fidelity. In general, the physical effects of attacks on the vehicle are not verified in the available datasets. Only one dataset provides signal-translated data but not a corresponding raw binary version. Overall, the available data pigeon-holes CAN IDS works into testing on limited, often inappropriate data (usually with attacks that are too easily detectable to truly test the method), and this lack data has stymied comparability and reproducibility of results. As our primary contribution, we present the ROAD (Real ORNL Automotive Dynamometer) CAN Intrusion Dataset, consisting of over 3.5 hours of one vehicle's CAN data. ROAD contains ambient data recorded during a diverse set of activities, and attacks of increasing stealth with multiple variants and instances of real fuzzing, fabrication, and unique advanced attacks, as well as simulated masquerade attacks. To facilitate benchmarking CAN IDS methods that require signal-translated inputs, we also provide the signal time series format for many of the CAN captures. Our contributions aim to facilitate appropriate benchmarking and needed comparability in the CAN IDS field.

Cryptography and Security,Machine Learning

Miki E. Verma,Robert A. Bridges,Michael D. Iannacone,Samuel C. Hollifield,Pablo Moriano,Steven C. Hespeler,Bill Kay,Frank L. Combs

DOI: https://doi.org/10.1371/journal.pone.0296879

IF: 3.7

2024-01-23

PLoS ONE

Abstract:Although ubiquitous in modern vehicles, Controller Area Networks (CANs) lack basic security properties and are easily exploitable. A rapidly growing field of CAN security research has emerged that seeks to detect intrusions or anomalies on CANs. Producing vehicular CAN data with a variety of intrusions is a difficult task for most researchers as it requires expensive assets and deep expertise. To illuminate this task, we introduce the first comprehensive guide to the existing open CAN intrusion detection system (IDS) datasets. We categorize attacks on CANs including fabrication (adding frames, e.g., flooding or targeting and ID), suspension (removing an ID's frames), and masquerade attacks (spoofed frames sent in lieu of suspended ones). We provide a quality analysis of each dataset; an enumeration of each datasets' attacks, benefits, and drawbacks; categorization as real vs. simulated CAN data and real vs. simulated attacks; whether the data is raw CAN data or signal-translated; number of vehicles/CANs; quantity in terms of time; and finally a suggested use case of each dataset. State-of-the-art public CAN IDS datasets are limited to real fabrication (simple message injection) attacks and simulated attacks often in synthetic data, lacking fidelity. In general, the physical effects of attacks on the vehicle are not verified in the available datasets. Only one dataset provides signal-translated data but is missing a corresponding "raw" binary version. This issue pigeon-holes CAN IDS research into testing on limited and often inappropriate data (usually with attacks that are too easily detectable to truly test the method). The scarcity of appropriate data has stymied comparability and reproducibility of results for researchers. As our primary contribution, we present the Real ORNL Automotive Dynamometer (ROAD) CAN IDS dataset, consisting of over 3.5 hours of one vehicle's CAN data. ROAD contains ambient data recorded during a diverse set of activities, and attacks of increasing stealth with multiple variants and instances of real (i.e. non-simulated) fuzzing, fabrication, unique advanced attacks, and simulated masquerade attacks. To facilitate a benchmark for CAN IDS methods that require signal-translated inputs, we also provide the signal time series format for many of the CAN captures. Our contributions aim to facilitate appropriate benchmarking and needed comparability in the CAN IDS research field.

multidisciplinary sciences

Maxime Vaidis,Mohsen Hassanzadeh Shahraji,Effie Daum,William Dubois,Philippe Giguère,François Pomerleau

2024-03-13

Abstract:Numerous datasets and benchmarks exist to assess and compare Simultaneous Localization and Mapping (SLAM) algorithms. Nevertheless, their precision must follow the rate at which SLAM algorithms improved in recent years. Moreover, current datasets fall short of comprehensive data-collection protocol for reproducibility and the evaluation of the precision or accuracy of the recorded trajectories. With this objective in mind, we proposed the Robotic Total Stations Ground Truthing dataset (RTS-GT) dataset to support localization research with the generation of six-Degrees Of Freedom (DOF) ground truth trajectories. This novel dataset includes six-DOF ground truth trajectories generated using a system of three Robotic Total Stations (RTSs) tracking moving robotic platforms. Furthermore, we compare the performance of the RTS-based system to a Global Navigation Satellite System (GNSS)-based setup. The dataset comprises around sixty experiments conducted in various conditions over a period of 17 months, and encompasses over 49 kilometers of trajectories, making it the most extensive dataset of RTS-based measurements to date. Additionally, we provide the precision of all poses for each experiment, a feature not found in the current state-of-the-art datasets. Our results demonstrate that RTSs provide measurements that are 22 times more stable than GNSS in various environmental settings, making them a valuable resource for SLAM benchmark development.

Robotics

Oscar A. Tobar-Rosero,Omar A. Roa-Romero,Germán D. Rueda-Carvajal,Alexánder Leal-Piedrahita,Juan F. Botero-Vega,Sergio A. Gutierrez-Betancur,John W. Branch-Bedoya,Germán D. Zapata-Madrigal

DOI: https://doi.org/10.3390/en17236098

IF: 3.2

2024-12-04

Energies

Abstract:Cybersecurity in Critical Infrastructures, especially Digital Substations, has garnered significant attention from both the industrial and academic sectors. A commonly adopted approach to support research in this area involves the use of datasets, which consist of network traffic samples gathered during the operation of an infrastructure. However, creating such datasets from real-world electrical systems presents some challenges: (i) These datasets are often generated under controlled or idealized conditions, potentially overlooking the complexities of real-world operations within a digital substation; (ii) the captured data frequently contain sensitive information, making it difficult to share openly within the research community. This paper presents the creation of a new dataset aimed at advancing cybersecurity research, specifically focused on GOOSE spoofing attacks, given the crucial role of the GOOSE protocol in managing operational and control tasks within Digital Substations. The dataset highlights the real-world impacts of these attacks, demonstrating the execution of unintended operations under different operational scenarios, including both stable conditions and situations involving system failures. The data were collected from a laboratory testbed that replicates the actual functioning of a real digital substation with two bays. The experiments provided insights into key characteristics of GOOSE protocol traffic and the vulnerability of DS infrastructure to Spoofing Attacks.

energy & fuels

Urikhimbam Boby Clinton,Nazrul Hoque

DOI: https://doi.org/10.1109/access.2024.3494052

IF: 3.9

2024-11-20

IEEE Access

Abstract:As the growth of IoT networks increases exponentially, the number of cyber attacks is also increasing on IoT networks day-by-day. This results in the vital requirement of cyber security mechanisms to secure IoT networks from cyberattacks. To build such a security mechanism, researchers and cybersecurity practitioners need relevant IoT datasets. However, until now, only a few publicly available IoT network intrusion datasets exist in the literature. Moreover, these datasets lack coverage of IoT network traffic containing IoT application layer protocols like AMQP, XMPP, STOMP, etc. and various IoT-based attacks. So, in this work, we generate a new realistic and comprehensive IoT network intrusion dataset called MU-IoT for IoT cybersecurity. The network traffic contained in the MU-IoT dataset is collected from the Manipur University (MU) IoT Smart Lab, which is our own IoT network testbed. The testbed includes more than 30 devices, which include both physical and emulated IoT devices, and general-purpose devices such as laptops, desktops, servers, etc., that are usually present in a Smart Lab. The dataset contains normal network traffic generated from various applications and attack network traffic comprised of 16 attack types, including IoT-based attacks, which are categorized into six categories. From the testbed, we collected 22.8 GB of raw network data and extracted 15.8 GB of preprocessed network data by using our own feature extraction approach. The preprocessed network data contains 121 flow-based features and 3 class labels of more than 34.8 million records. Additionally, this dataset covers extensive IoT-specific application protocols and a variety of normal network behaviours, which is a notable advantage over existing datasets. The MU-IoT dataset can be utilized to develop and validate machine learning-based Intrusion Detection and Mitigation Systems (IDMS). Moreover, the MU-IoT dataset helps to validate the centralized and federated learning-based IDMS. In addition, we also include the prior exploratory data analysis with the ranking of the features given by various feature selection algorithms as well as from our own feature ranking approach and the performance given by some common machine learning algorithms, as a future reference to the research community. The MU-IoT dataset is publicly available in the link https://manipuruniv.ac.in/CSDmuIOTdataset/.

computer science, information systems,telecommunications,engineering, electrical & electronic

Brooke Lampe,Weizhi Meng

DOI: https://doi.org/10.1016/j.cose.2024.103777

IF: 5.105

2024-02-01

Computers & Security

Abstract:When it comes to in-vehicle networks (IVNs), the controller area network (CAN) bus dominates the market; automobiles manufactured and sold worldwide depend on the CAN bus for safety-critical communications between various components of the vehicle (e.g., the engine, the transmission, the steering column). Unfortunately, the CAN bus is inherently insecure; in fact, it completely lacks controls such as authentication, authorization, and confidentiality (i.e., encryption). Therefore, researchers have travailed to develop automotive security enhancements. The automotive intrusion detection system (IDS) is especially popular in the literature—due to its relatively low cost in terms of money, resource utilization, and implementation effort. That said, developing and evaluating an automotive IDS is often challenging; if researchers do not have access to a test vehicle, then they are forced to depend on publicly available CAN data—which is not without limitations. Lack of access to adequate CAN data, then, becomes a barrier to entry into automotive security research. We seek to lower that barrier to entry by introducing a new CAN dataset to facilitate the development and evaluation of automotive IDSs. Our datasets—dubbed can-dataset, can-log, can-csv, can-ml, and can-train-and-test—provide CAN data from four different vehicles produced by two different manufacturers. The attack captures for each vehicle model are equivalent, enabling researchers to assess the ability of a given IDS to generalize to different vehicle models and even different vehicle manufacturers. Our datasets contain replayable .log files as well as labeled and unlabeled .csv files, thereby meeting a variety of development and evaluation needs. In particular, the can-train-and-test dataset offers nine unique attacks, ranging from denial of service (DoS) to gear spoofing to standstill; as such, researchers can select a subset of the attacks for training and save the remainder for testing in order to assess a given IDS against unseen attacks. Many of our attacks, particularly the spoofing-related attacks, were conducted during live, on-the-road experiments with real vehicles. These attacks have known physical impacts. As a benchmark, we pit a number of machine learning IDSs against our dataset and analyze the results. We present our datasets—especially can-train-and-test—as a contribution to the existing catalogue of open-access datasets in hopes of filling in the gaps left by those datasets.

computer science, information systems

Rampriya R. S.,Taher Al-Shehari,Sabari Nathan,Jenefa A.,Suganya R.,Shunmuga Perumal P.,Taha Alfakih,Hussain Alsalman

DOI: https://doi.org/10.1038/s41597-024-03952-3

2024-12-04

Scientific Data

Abstract:Safety is crucial in the railway industry because railways transport millions of passengers and employees daily, making it paramount to prevent injuries and fatalities. In order to guarantee passenger safety, computer vision, unmanned aerial vehicles (UAV), and artificial intelligence will be essential tools in the near future for routinely evaluating the railway environment. An unmanned aerial vehicle captured dataset for railroad segmentation and obstacle detection (UAV-RSOD) comprises high-resolution images captured by UAVs over various obstacles within railroad scenes, enabling automatic railroad extraction and obstacle detection. The dataset includes 315 raw images, along with 630 labeled and 630 masked images for railroad semantic segmentation. The dataset consists of 315 original images captured by the UAV for object detection and obstacle detection. To increase dataset diversity for training purposes, we applied data augmentation techniques, which expanded the dataset to 2002 augmented and annotated images for obstacle detection cover six different classes of obstacles on railroad lines. Additionally, we provide the original 315 images along with a script for augmentation, allowing users to generate their own augmented data as needed, offering a more sustainable and customizable option. Each image in the dataset is accurately annotated with bounding boxes and labeled under six categories, including person, boulder, barrel, branch, jerry can, and iron rod. This comprehensive classification and detailed annotation make the dataset an essential tool for researchers and developers working on computer vision applications in the railroad domain.

multidisciplinary sciences

Sven Zemanek,Immanuel Hacker,Konrad Wolsing,Eric Wagner,Martin Henze,Martin Serror

DOI: https://doi.org/10.1145/3546096.3546102

2022-07-11

Abstract:Power grids worldwide are increasingly victims of cyberattacks, where attackers can cause immense damage to critical infrastructure. The growing digitalization and networking in power grids combined with insufficient protection against cyberattacks further exacerbate this trend. Hence, security engineers and researchers must counter these new risks by continuously improving security measures. Data sets of real network traffic during cyberattacks play a decisive role in analyzing and understanding such attacks. Therefore, this paper presents PowerDuck, a publicly available security data set containing network traces of GOOSE communication in a physical substation testbed. The data set includes recordings of various scenarios with and without the presence of attacks. Furthermore, all network packets originating from the attacker are clearly labeled to facilitate their identification. We thus envision PowerDuck improving and complementing existing data sets of substations, which are often generated synthetically, thus enhancing the security of power grids.

Cryptography and Security

Unmesh Patil,Akshith Gunasekaran,Rakesh Bobba,Houssam Abbas

2024-10-05

Abstract:We present a new simulator of Uncrewed Aerial Vehicles (UAVs) that is tailored to the needs of testing cyber-physical security attacks and defenses. Recent investigations into UAV safety have unveiled various attack surfaces and some defense mechanisms. However, due to escalating regulations imposed by aviation authorities on security research on real UAVs, and the substantial costs associated with hardware test-bed configurations, there arises a necessity for a simulator capable of substituting for hardware experiments, and/or narrowing down their scope to the strictly necessary. The study of different attack mechanisms requires specific features in a simulator. We propose a simulation framework based on ROS2, leveraging some of its key advantages, including modularity, replicability, customization, and the utilization of open-source tools such as Gazebo. Our framework has a built-in motion planner, controller, communication models and attack models. We share examples of research use cases that our framework can enable, demonstrating its utility.

Robotics,Cryptography and Security

Yichuang Zhang,Yu Zhang,Jiahao Qi,Kangcheng Bin,Hao Wen,Xunqian Tong,Ping Zhong

DOI: https://doi.org/10.3390/rs14215298

IF: 5

2022-10-24

Remote Sensing

Abstract:Although deep learning has received extensive attention and achieved excellent performance in various scenarios, it suffers from adversarial examples to some extent. In particular, physical attack poses a greater threat than digital attack. However, existing research has paid less attention to the physical attack of object detection in UAV remote sensing images (RSIs). In this work, we carefully analyze the universal adversarial patch attack for multi-scale objects in the field of remote sensing. There are two challenges faced by an adversarial attack in RSIs. On one hand, the number of objects in remote sensing images is more than that of natural images. Therefore, it is difficult for an adversarial patch to show an adversarial effect on all objects when attacking a detector of RSIs. On the other hand, the wide height range of the photography platform causes the size of objects to vary a great deal, which presents challenges for the generation of universal adversarial perturbation for multi-scale objects. To this end, we propose an adversarial attack method of object detection for remote sensing data. One of the key ideas of the proposed method is the novel optimization of the adversarial patch. We aim to attack as many objects as possible by formulating a joint optimization problem. Furthermore, we raise the scale factor to generate a universal adversarial patch that adapts to multi-scale objects, which ensures that the adversarial patch is valid for multi-scale objects in the real world. Extensive experiments demonstrate the superiority of our method against state-of-the-art methods on YOLO-v3 and YOLO-v5. In addition, we also validate the effectiveness of our method in real-world applications.

environmental sciences,imaging science & photographic technology,remote sensing,geosciences, multidisciplinary

Seungho Han,Min-Yyeong Cho,Minyoung Lee,Kyung-Soo Kim,Yeongseok Lee,Ji-il Park,Hyoseo Choi,J. Cho,Minseong Choi

DOI: https://doi.org/10.1109/COMPSAC54236.2022.00013

2022-06-01

Abstract:As autonomous driving research has actively pro-gressed, software for autonomous vehicles and embedded systems such as Apollo and AutoWare have also been developed, providing a complete set of self-driving modules, including perception, localization and mapping, path planning, prediction, decision making, and control. Most of the researchers currently use these software programs, but many researchers have also studied autonomous driving based on the middleware software termed robot operating system (ROS) before such software was released, especially in academia. Accordingly, we intend to develop ROS-based unmanned RC car equipped with autonomous driving sensors such as LiDAR, radar, VIS/IR cameras, GPS, and IMUs that can provide ROS-based datasets to researchers studying self-driving cars and robots using ROS. In addition, unlike conventional datasets, we acquire dataset not only on road but also pedestrian paths that can be used in both vehicles and robots and provides extreme environmental datasets such as snowfall environments. In this sense, the ROS dataset we created will be helpful to researchers studying autonomous vehicles and robots by using ROS.

Computer Science,Environmental Science,Engineering

Hayelom Gebrye,Yong Wang,Fagen Li

DOI: https://doi.org/10.1007/s13042-022-01765-7

2023-01-07

International Journal of Machine Learning and Cybernetics

Abstract:The fast expansion of the Internet of Things (IoT) networks raises the possibility of further network threats. In today's world, network traffic analysis has become an increasingly critical and useful tool for monitoring network traffic in general and analyzing attack patterns in particular. A few years ago, distributed denial-of-service attacks on IoT networks were considered the most pressing problem that needed to be addressed. The absence of high-quality datasets is one of the main obstacles to applying DDOS detection systems based on machine learning. Researchers have developed numerous methods to extract and analyze information from recorded files. From a literature review, it is clear that most of these tools share similar drawbacks. In this study, we proposed an intelligent raw network data extractor and labeler tool by incorporating the limitations of the tools that are available to transform PCAP to CSV. To generate and process a high-quality DDOS attack dataset suitable for machine learning models, we employed several data preprocessing operations on the selected network intrusion dataset. To confirm the validity and acceptability of the dataset, we tested different models. Among the models tested, the random forest was the most accurate in detecting the DDOS attack.

Syed Sohaib Karim,Mehreen Afzal,Waseem Iqbal,Dawood Al Abri

DOI: https://doi.org/10.1016/j.dib.2024.110290

2024-03-05

Abstract:The novel dataset called Linux-APT Dataset 2024 captures Advanced Persistent Threat (APT) attacks along with other latest and sophisticated payloads. Existing datasets lacks latest attacker's techniques and procedures, APTs tactics and configuration to capture maximum Linux log sources to observe the working and behaviour of an APT in a detailed manner. The environment which supported us in capturing the logs is composed of Linux machines and a centralized logging system configured appropriately to captures and detect all possible events and logs for an APT and other complex intrusion. Unlike Microsoft Windows, Linux logging system are investigated enough and usually systems relies on limited log sources but for an APT, all possible log sources should be evaluated and added to completely analyse the behaviour, trajectory, and operation of an APT. To keep the dataset up to date and realistic, recent payloads and APTs are emulated in the environment. A well-known cyber-security framework 'MITRE ATT&CK' is utilised to map the behaviour and operation in a generalized manner after capturing the events and logs. This dataset can be used for training and conducting a variety of experiments to build as well as design the solutions for detecting most recent intrusions and APT attacks for Linux System.

Ayush Kumar,Vrizlynn L.L. Thing

DOI: https://doi.org/10.48550/arXiv.2301.11524

2023-09-26

Abstract:Past Advanced Persistent Threat (APT) attacks on Industrial Internet-of-Things (IIoT), such as the 2016 Ukrainian power grid attack and the 2017 Saudi petrochemical plant attack, have shown the disruptive effects of APT campaigns while new IIoT malware continue to be developed by APT groups. Existing APT detection systems have been designed using cyberattack TTPs modelled for enterprise IT networks and leverage specific data sources (e.g., Linux audit logs, Windows event logs) which are not found on ICS devices. In this work, we propose RAPTOR, a system to detect APT campaigns in IIoT. Using cyberattack TTPs modelled for ICS/OT environments and focusing on "invariant" attack phases, RAPTOR detects and correlates various APT attack stages in IIoT leveraging data which can be readily collected from ICS devices/networks (packet traffic traces, IDS alerts). Subsequently, it constructs a high-level APT campaign graph which can be used by cybersecurity analysts towards attack analysis and mitigation. A performance evaluation of RAPTOR's APT attack-stage detection modules shows high precision and low false positive/negative rates. We also show that RAPTOR is able to construct the APT campaign graph for APT attacks (modelled after real-world attacks on ICS/OT infrastructure) executed on our IIoT testbed.

Cryptography and Security