Argus + ML + WUSTL-IIOT-2018

WUSTL-IIOT-2018 Dataset for ICS (SCADA)

WUSTL-IIOT-2018 is an ICS SCADA intrustion dataset generated using argus. The dataset was built using WUSTL's SCADA system testbed described in the paper SCADA System Testbed for Cybersecurity Research Using Machine Learning Approach . The purpose of the WUSTL SCADA testbed is to emulate real-world industrial systems closely, allowing the researchers to carry out realistic cyber-attacks.

In this study, the focus was on reconnaissance attacks where the network is scanned for possible vulnerabilities to be used for later attacks. The authors used scan tools to inspect the topology of the victim network (in this case, their testbed), and identify the devices in the network as well as their vulnerabilities. The attacks carried out against our testbed are described in Table 1, below.

Details of the dataset and project can be found here.

Attack NameAttack Description
Port Scanner
This attack is used to identify common SCADA protocols on the network. Using Nmap tool, packets are sent to the target at intervals, which vary from 1 to 3s. The TCP connection is not fully established so that the attack is difficult to detect by the rules.x
Address Scan Attack
This attack is used to scan network addresses and identify the Modbus server address. Each system has only one Modbus server and disabling this device would collapse the whole SCADA system. Thus, this attack tries to find the unique address of the Modbus server so that it can be used for further attacks.
Device Identification Attack
This attack is used to enumerate the SCADA Modbus slave IDs on the network and to collect additional information such as vendor and firmware from the first slave ID found.
Device Identification Attack (Aggressive Mode)
This attack is similar to the previous attack. However, the scanning uses an aggressive mode which means that the additional information about all slave IDs found in the system is collected.
Exploit
Exploit is used to read the coil values of the SCADA devices. The coils represent the ON/OFF status of the devices controlled by the PLC, such as motors, valves, and sensors.
© Copyright QoSient, LLC.
All Rights Reserved.
site by spliteye