Automotive Ethernet Intrusion Dataset

Citation Author(s):
Seonghoon
Jeong
School of Cybersecurity, Korea University
Boosun
Jeon
Cyber Security Research Division, Electronics and Telecommunications Research Institute
Boheung
Chung
Cyber Security Research Division, Electronics and Telecommunications Research Institute
Huy Kang
Kim
School of Cybersecurity, Korea University
Submitted by:
Huy Kang Kim
Last updated:
Thu, 02/04/2021 - 10:52
DOI:
10.21227/1yr3-q009
Data Format:
License:
0
0 ratings - Please login to submit your rating.

Abstract 

This dataset was created for the following paper: Seonghoon Jeong, Boosun Jeon, Boheung Chung, and Huy Kang Kim, "Convolutional neural network-based intrusion detection system for AVTP streams in automotive Ethernet-based networks," Vehicular Communications, will be available soon.

 

This dataset contains benign Audio Video Transport Protocol (AVTP) packet captures from our physical automotive Ethernet testbed. Also, we demonstrate a replay attack on the automotive Ethernet to achieve the intrusion dataset.

Instructions: 

The following devices are connected to the automotive Ethernet testbed:

  • a RAD-Galaxy: BroadR-Reach switch
  • two neoECU AVB/TSN (AVB/TSN Endpoint Simulation): configured as an AVB talker and an AVB listener, respectively
  • a RAD-Moon: a media converter (between BroadR-Reach and Ethernet)
  • an USB Camera connected to the AVB talker

The dataset contains four benign (attack-free) packet captures. 

  • driving_01_original.pcap (about 10 min)
  • driving_02_original.pcap (about 16 min)
  • indoors_01_original.pcap (about 24 min)
  • indoors_02_original.pcap (about 21 min)

 

We suppose that an attacker injects arbitrary stream AVTP data units (AVTPDUs) into the IVN. The goal of the attacker is to output a single video frame, at a terminal application connected to the AVB listener, by injecting previously generated AVTPDUs during a certain period. To demonstrate the attack, we extract 36 continuous stream AVTPDUs (single-MPEG-frame.pcap) from one of our AVB datasets; the extracted AVTPDUs constitute one video frame. Then, the attacker performs a replay attack by sending the 36 stream AVTPDUs repeatedly. Check *_injected.pcap files for the result of the replay attack.

 

To open the packet captures, we recommend researchers use Wireshark and the following plug-ins:

 

Acknowledgements

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2018-0-00312, Developing technologies to predict, detect, respond, and automatically diagnose security threats to automotive Ethernet-based vehicle).