DNP3 Intrusion Detection Dataset

Source: DataCite Commons. Updated 2024-09-08; indexed 2025-04-16.

Download link:
https://ieee-dataport.org/documents/dnp3-intrusion-detection-dataset

Resource description:
In the digital era of the Industrial Internet of Things (IIoT), conventional Critical Infrastructures (CIs) are transformed into smart environments with multiple benefits, such as pervasive control, self-monitoring and self-healing. However, this evolution is accompanied by several cyberthreats due to the necessary presence of insecure technologies. DNP3 is an industrial communication protocol that is widely adopted in the CIs of the US. In particular, DNP3 allows remote communication between Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. It can support various topologies, such as Master-Slave, Multi-Drop, Hierarchical and Multiple-Server. Originally, the architectural model of DNP3 consisted of three layers: (a) Application Layer, (b) Transport Layer and (c) Data Link Layer. DNP3 can now also be incorporated into the Transmission Control Protocol/Internet Protocol (TCP/IP) stack as an application-layer protocol. Like other industrial protocols (e.g., Modbus and IEC 60870-5-104), DNP3 suffers from severe security issues since it does not include any authentication or authorisation mechanisms. This dataset contains labelled TCP/IP network flow statistics (Comma-Separated Values, CSV format) and DNP3 flow statistics (CSV format) related to 9 DNP3 cyberattacks. These cyberattacks focus on DNP3 unauthorised commands and Denial of Service (DoS). The network traffic data are provided as Packet Capture (PCAP) files. Consequently, this dataset can be used to implement Artificial Intelligence (AI)-powered Intrusion Detection and Prevention Systems (IDPS) that rely on Machine Learning (ML) and Deep Learning (DL) techniques.

Provider: IEEE DataPort
Created: 2022-11-22