Industrial Control System Traffic Data Sets for Intrusion Detection Research

  • Thomas Morris
  • Wei Gao
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 441)


Supervisory control and data acquisition (SCADA) systems monitor and control physical processes associated with the critical infrastructure. Weaknesses in the application layer protocols, however, leave SCADA networks vulnerable to attack. In response, cyber security researchers have developed myriad intrusion detection systems. Researchers primarily rely on unique threat models and the corresponding network traffic data sets to train and validate their intrusion detection systems. This leads to a situation in which researchers cannot independently verify the results, cannot compare the effectiveness of different intrusion detection systems, and cannot adequately validate the ability of intrusion detection systems to detect various classes of attacks. Indeed, a common data set is needed that can be used by researchers to compare intrusion detection approaches and implementations. This paper describes four data sets, which include network traffic, process control and process measurement features from a set of 28 attacks against two laboratory-scale industrial control systems that use the MODBUS application layer protocol. The data sets, which are freely available, enable effective comparisons of intrusion detection solutions for SCADA systems.


Industrial control systems SCADA intrusion detection MODBUS 


  1. 1.
    A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. Fovino and A. Trombetta, A multidimensional critical state analysis for detecting intrusions in SCADA systems, IEEE Transactions on Industrial Informatics, vol. 7(2), pp. 179–186, 2011.CrossRefGoogle Scholar
  2. 2.
    S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner and A. Valdes, Using model-based intrusion detection for SCADA networks, Proceedings of the SCADA Security Scientific Symposium, 2007.Google Scholar
  3. 3.
    N. Falliere, L. O’Murchu and E. Chien, W32.Stuxnet Dossier, Version 1.4, Symantec, Mountain View, California, 2011.Google Scholar
  4. 4.
    W. Gao, Cyber Threats, Attacks and Intrusion Detection in Supervisory Control and Data Acquisition Networks, Ph.D. Dissertation, Department of Electrical and Computer Engineering, Mississippi State University, Mississippi State, Mississippi, 2014.Google Scholar
  5. 5.
    M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutemann and I. Witten, The WEKA data mining software: An update, ACM SIGKDD Explorations, vol. 11(1), pp. 10–18, 2009.CrossRefGoogle Scholar
  6. 6.
    S. Hettich and S. Bay, The UCI KDD Archive, Department of Information and Computer Science, University of California at Irvine, Irvine, California (, 1999.Google Scholar
  7. 7.
    O. Linda, M. Manic and M. McQueen, Improving control system cyber-state awareness using known secure sensor measurements, Proceedings of the Seventh International Conference on Critical Information Infrastructures Security, pp. 46–58, 2012.Google Scholar
  8. 8.
    O. Linda, T. Vollmer and M. Manic, Neural network based intrusion detection system for critical infrastructures, Proceedings of the International Joint Conference on Neural Networks, pp. 1827–1834, 2009.Google Scholar
  9. 9.
    T. Morris, A. Srivastava, B. Reaves, W. Gao, K. Pavurapu and R. Reddi, A control system testbed to validate critical infrastructure protection concepts, International Journal of Critical Infrastructure Protection, vol. 4(2), pp. 88–103, 2011.CrossRefGoogle Scholar
  10. 10.
    P. Oman and M. Phillips, Intrusion detection and event monitoring in SCADA networks, in Critical Infrastructure Protection, E. Goetz and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 161–173, 2008.Google Scholar
  11. 11.
    K. Poulsen, Slammer worm crashed Ohio nuke plant network, SecurityFocus, Symantec, Mountain View, California (, August 19, 2003.Google Scholar
  12. 12.
    J. Rrushi and K. Kang, Detecting anomalies in process control networks, in Critical Infrastructure Protection III, C. Palmer and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 151–165, 2009.CrossRefGoogle Scholar
  13. 13.
    J. Slay and M. Miller, Lessons learned from the Maroochy water breach, in Critical Infrastructure Protection, E. Goetz and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 73–82, 2008.Google Scholar
  14. 14.
    C. Ten, J. Hong and C. Liu, Anomaly detection for cybersecurity of substations, IEEE Transactions on Smart Grid, vol. 2(4), pp. 865–873, 2011.CrossRefGoogle Scholar
  15. 15.
    A. Valdes and S. Cheung, Communication pattern anomaly detection in process control systems, Proceedings of the IEEE Conference on Technologies for Homeland Security, pp. 22–29, 2009.Google Scholar
  16. 16.
    D. Yang, A. Usynin and J. Hines, Anomaly-based intrusion detection for SCADA systems, presented at the IAEA Technical Meeting on Cyber Security of Nuclear Power Plant Instrumentation and Control and Information Systems, 2006.Google Scholar
  17. 17.
    Y. Zhang, L. Wang, W. Sun, R. Green and M. Alam, Distributed intrusion detection system in a multi-layer network architecture of smart grids, IEEE Transactions on Smart Grid, vol. 2(4), pp. 796–808, 2011CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Thomas Morris
    • 1
  • Wei Gao
    • 2
  1. 1.Critical Infrastructure Protection CenterMississippi State UniversityMississippiUSA
  2. 2.Siemens CorporationAtlantaUSA

Personalised recommendations