Dataset of Publication "Malware Communication in Smart Factories: A Network Traffic Data Set"

Machine learning-based intrusion detection requires suitable and realistic
data sets for training and testing. However, data sets that originate from
real networks are rare. Network data is considered privacy sensitive and the 
purposeful introduction of malicious traffic is usually not possible. In this
paper we introduce a labeled data set captured at a smart factory located
in Vienna, Austria during normal operation and during penetration tests with different
attack types. The data set contains 173 GB of PCAP files, which represent 16 days (395 hours) of factory operation. It includes MQTT, OPC UA, and Modbus/TCP traffic. The captured malicious traffic was originated
by a professional penetration tester who performed two types of attacks: (a)
aggressive attacks that are easier to detect and (b) stealthy attacks that are
harder to detect. Our data set includes the raw PCAP files and extracted
flow data. Labels for packets and flows indicate whether packets (or flows)
originated from a specific attack or from benign communication. We describe
the methodology for creating the data set, conduct an analysis of the data
and provide detailed information about the recorded traffic itself. The data
set is freely available to support reproducible research and the comparability
of results in the area of intrusion detection in industrial networks.

File description:

a_day1, a_day2, s_day1, s_day2, tf_a and tf_s: Main data set, where files starting with "tf"  are training files  containing only benign, operational data and all other files are attack files containing both, operational data and attack data.

images.zip: Contains descriptive images about the data.

extractions.zip: Contains extracted packets, flows in both labeled and unlabeled form.

a_day_tuesday_dos.zip: additional day of attack traffic containing benign and attack data, including a DoS attack. This day is not labeled.