Realistic Data Generation for Anomaly Detection in Industrial Settings Using Simulations

  • Peter SchneiderEmail author
  • Alexander Giehl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11387)


With the rise of advanced persistent threats to cyber-physical facilities, new methods for anomaly detection are required. However, research on anomaly detection systems for industrial networks suffers from the lack of suitable training data to verify the methods at early stages. This paper presents a framework and workflow to generate meaningful training and test data for anomaly detection systems in industrial settings. Using process-model based simulations data can be generated on a large scale. We evaluate the data in regard to its usability for state-of-the-art anomaly detection systems. With adequate simulation configurations, it is even possible to simulate a sensor manipulation attack on the model and to derive labeled data.

By this simulation of attacked components, we demonstrate the effectiveness of systems trained on artificial data to detect previously unseen attacks.


Anomaly detection Cyber-physical systems Modeling Security Simulation 



The presented work is part of the German national security reference project IUNO ( The project is funded by the BMBF and aims to provide building-blocks for security in the emerging field of Industrie 4.0.


  1. 1.
    Almalawi, A., Fahad, A., Tari, Z., Alamri, A., AlGhamdi, R., Zomaya, A.Y.: An efficient data-driven clustering technique to detect attacks in scada systems. IEEE Trans. Inf. Forensics Secur. 11(5), 893–906 (2016)CrossRefGoogle Scholar
  2. 2.
    Bencsáth, B., Pék, G., Buttyán, L., Felegyhazi, M.: skywiper (aka flame aka flamer): A complex malware for targeted attacks. CrySyS Lab Technical report, No. CTR-2012-05-31 (2012)Google Scholar
  3. 3.
    Bonvini, M., Leva, A.: A modelica library for industrial control systems. In: Proceedings of the 9th International MODELICA Conference; 3–5 September 2012, Munich, Germany, pp. 477–484. No. 076, Linköping University Electronic Press (2012)Google Scholar
  4. 4.
    Boterenbrood, H.: Canopen High-Level Protocol for Can-Bus. Nikhef, Amsterdam (2000)Google Scholar
  5. 5.
    Brunner, M., Hofinger, H., Krauß, C., Roblee, C., Schoo, P., Todt, S.: Infiltrating Critical Infrastructures with Next-generation Attacks. Fraunhofer Institute for Secure Information Technology (SIT), Munich (2010)Google Scholar
  6. 6.
    Candell, R., Zimmerman, T., Stouffer, K.: An industrial control system cybersecurity performance testbed. National Institute of Standards and Technology, NISTIR 8089 (2015)Google Scholar
  7. 7.
    Carneiro, G.: Ns-3: network simulator 3, April 2010.
  8. 8.
    Casella, F., Leva, A.: Modelica open library for power plant simulation: design and experimental validation. In: Proceeding of the 2003 Modelica Conference, Linkoping, Sweden (2003)Google Scholar
  9. 9.
    Caselli, M., Zambon, E., Kargl, F.: Sequence-aware intrusion detection in industrial control systems. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security, pp. 13–24. ACM (2015)Google Scholar
  10. 10.
    Chen, T.M.: Stuxnet, the real start of cyber warfare? [editor’s note]. IEEE Netw. 24(6), 2–3 (2010)CrossRefGoogle Scholar
  11. 11.
    Federal Office for Information Security, Germany: Industrial Control System Security Top 10 Threats and Countermeasures 2014. BSI Publications on Cyber-Security (2014)Google Scholar
  12. 12.
    Fritzson, P., et al.: OpenModelica - a free open-source environment for system modeling, simulation, and teaching. In: 2006 IEEE International Symposium on Intelligent Control Computer Aided Control System Design, 2006 IEEE International Conference on Control Applications, pp. 1588–1595. IEEE (2006)Google Scholar
  13. 13.
    Giehl, A.: Development of a co-simulation framework to analyse attacks and their impact on Smart Grids. Master’s thesis, Technische Universität München, July 2013Google Scholar
  14. 14.
    Hadžiosmanović, D., Sommer, R., Zambon, E., Hartel, P.H.: Through the eye of the PLC: semantic security monitoring for industrial processes. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 126–135. ACM (2014)Google Scholar
  15. 15.
    Haller, P., Genge, B.: Using sensitivity analysis and cross-association for the design of intrusion detection systems in industrial cyber-physical systems. IEEE (2016). Scholar
  16. 16.
    Holm, H., Karresand, M., Vidström, A., Westring, E.: A survey of industrial control system testbeds. In: Buchegger, S., Dam, M. (eds.) NordSec 2015. LNCS, vol. 9417, pp. 11–26. Springer, Cham (2015). Scholar
  17. 17.
    IDA, M.: Modbus messaging on TCP/IP implementation guide v1. 0a (2004)Google Scholar
  18. 18.
    Jazdi, N.: Cyber physical systems in the context of industry 4.0. In: 2014 IEEE International Conference on Automation, Quality and Testing, Robotics, pp. 1–4. IEEE (2014)Google Scholar
  19. 19.
    Lemay, A., Fernandez, J.M.: Providing scada network data sets for intrusion detection research. In: 9th Workshop on Cyber Security Experimentation and Test (CSET 16). USENIX Association (2016)Google Scholar
  20. 20.
    McLaughlin, S., Konstantinou, C., Wang, X., Davi, L., Sadeghi, A.R., Maniatakos, M., Karri, R.: The cybersecurity landscape in industrial control systems. Proc. IEEE 104(5), 1039–1057 (2016)CrossRefGoogle Scholar
  21. 21.
    Nohl, K., Krißler, S., Lell, J.: BadUSB-on accessories that turn evil. Black Hat USA (2014)Google Scholar
  22. 22.
    Pasqualetti, F., Dörfler, F., Bullo, F.: Attack detection and identification in cyber-physical systems. IEEE Trans. Autom. Control 58(11), 2715–2729 (2013)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Ponomarev, S., Atkison, T.: Industrial control system network intrusion detection by telemetry analysis. IEEE Trans. Dependable Secure Comput. 13(2), 252–260 (2016)CrossRefGoogle Scholar
  24. 24.
    Reichl, G.: Wastewater a library for modelling and simulation of wastewater treatment plants in Modelica. In: Paper Presented at the 3rd International Modelica Conference, Citeseer (2003)Google Scholar
  25. 25.
    Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 305–316. IEEE (2010)Google Scholar
  26. 26.
    Turner, H., White, J., Camelio, J.A., Williams, C., Amos, B., Parker, R.: Bad parts: are our manufacturing systems at risk of silent cyberattacks? IEEE Secur. Priv. 13(3), 40–47 (2015)CrossRefGoogle Scholar
  27. 27.
    Zhang, J., Gan, S., Liu, X., Zhu, P.: Intrusion detection in scada systems by traffic periodicity and telemetry analysis. In: 2016 IEEE Symposium on Computers and Communication (ISCC), pp. 318–325. IEEE (2016)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Fraunhofer AISECGarchingGermany

Personalised recommendations