# GRASEC-IoT 

## A Graph Dataset for Security Enforcement in IoT Networks
### Overview

The Graph-Based Dataset for IoT Network Attack Detection is a curated collection of data specifically designed for research and development in the field of cybersecurity, focusing on the detection of attacks in Internet of Things (IoT) networks. This graph-based dataset provides researchers, developers, and practitioners with a comprehensive resource to evaluate and benchmark various detection algorithms and systems in real-world IoT network environments.

## Key Features

- Graph Representation: Network traffic data represented as graphs, facilitating intuitive visualization and analysis.
- Attack Scenarios: Diverse attack scenarios, including DDoS attacks, HTTP Get/Post flood, TCP SYN flood, UDP flood, ICMP flood, brute force and port scanning.
- Realistic Environment: Emulated IoT network environments reflecting real-world conditions and configurations.
- Anomaly Labels: Ground truth labels for anomalous network activity, enabling supervised learning approaches for attack detection.

## Dataset Description

The dataset consists of network traffic data captured from emulated IoT network environments, where various attack scenarios have been emulated. The network traffic data is represented in the form of graphs, capturing the interactions and relationships between different devices, services, and communication patterns within the IoT network. Each graph in the dataset represents a snapshot of network activity over a specific time period, enabling analysis of attack patterns and behaviors. The following figure presents the general network architecture.

<div align="center">
<img src="images/image-1.png" title="Overview of the IoT network architecture" alt="alt text" width="500"  />
<em>Overview of the IoT network architecture</em>

This dataset contains the graph that includes all the attacks and one pcap CSV file per attack. The graph containing all attacks is the merge of the attacks, including normal traffic.

To construct our dataset, we initially establish a test environment mirroring real-world networks and subsequently simulate diverse forms of attacks. Our testbed architecture comprises two primary components: the user network and the adversary network. Within the user network, we incorporate standard elements typical of IoT networks, including end-user devices executing various tasks to replicate the traffic patterns commonly encountered in such networks. Additionally, virtual machines emulate smart devices (IoT Devices), generating typical traffic associated with these devices. Furthermore, we integrate an onsite server furnishing services to network users, serving as the focal point for the attacks we execute on the network.

Conversely, the adversary network features a botnet comprising multiple zombie machines overseen by a single bot-master machine functioning as a Command and Control (C&C) server. Through this central machine, we can orchestrate an array of botnet attacks directed at the user network. The following figure illustrates the architecture of our testbed.

<div align="center">
<img src="images/image-2.png" alt="alt text" width="800" title="The detailed network architecture" />

For implementing this environment, we used the GNS3 tool. It is an open-source software for network emulation. It empowers users to design, configure, and test intricate network topologies within a virtual environment. 

## 1. Normal traffic generation
For normal traffic generation, we used multiple virtual machines that were supposed to mimic the behavior of real network users. The setup consisted of 3 Ubuntu VMs that served as users and another Ubuntu VM that played the role of a local server providing services such as web site hosting and file sharing using FTP. We also used an Ubuntu VM to run IoT-Flock, an IoT device simulation tool. We used it to simulate the following devices: Light intensity sensor, Temperature sensor, Smoke sensor, Door lock, Fan speed controller.
## 2. Attack scenarios
As for the attack scenarios, we used a botnet composed of multiple VMs controlled by a Kali virtual machine. This botnet was able to launch a variety of network attacks on the local server described above. These attacks included the following: HTTP GET flood, HTTP POST flood, ICMP flood, TCP SYN flood, UDP flood, Port scanning and Brute force.
## 3. Data capture
To capture the network traffic in our environment, we used the Wireshark tool to record the network data in pcap format and a flow capture tool called CICFlowMeter.
### Packets capture
We use the Wireshark tool to record the network data in pcap format. The captures are available in the GRASEC-IoT GitLab repository. An example of features (the complete list of 83 features is in the pcap-csv file above):

<div align="center">
<img src="images/image-5.png" alt="alt text" width="800" />
</div>

### Flows capture
We use the CICFlowMeter tool to extract flows from Pcap files.

<div align="center">
<img src="images/image-6.png" alt="alt text" width="800" />
</div>
*The first packet determines the forward (source to destination) and backward (destination to source) directions. 
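
As an added illustration (not code from the GRASEC-IoT project), the following Python example groups constructed packets into bidirectional flows using the first-packet direction rule above, then builds one directed graph snapshot per time window. The field names, the 10-second window and the IP-node/flow-edge graph model are assumptions made for this example, and flow timeouts are omitted.

```python
from collections import defaultdict

# Constructed sample packets: (time_s, src_ip, src_port, dst_ip, dst_port, proto, length)
PACKETS = [
    (0.00, "10.0.0.5", 40001, "10.0.0.100", 80, "TCP", 60),
    (0.01, "10.0.0.100", 80, "10.0.0.5", 40001, "TCP", 60),
    (0.02, "10.0.0.5", 40001, "10.0.0.100", 80, "TCP", 500),
    # Capture began mid-connection: the server's packet is seen first,
    # so the server becomes the "forward" source of this flow.
    (0.50, "10.0.0.100", 21, "10.0.0.6", 40002, "TCP", 80),
    (0.60, "10.0.0.6", 40002, "10.0.0.100", 21, "TCP", 70),
    (12.0, "10.0.0.7", 5353, "10.0.0.100", 53, "UDP", 90),
]

def build_flows(packets):
    """Group packets into bidirectional flows; the first packet fixes 'forward'."""
    flows = {}
    for ts, src, sport, dst, dport, proto, length in sorted(packets):
        a, b = (src, sport), (dst, dport)
        key = (min(a, b), max(a, b), proto)  # same key for both directions
        flow = flows.get(key)
        if flow is None:
            # Hypothetical field names, not the dataset's CSV column names.
            flow = flows[key] = {"src": a, "dst": b, "proto": proto, "start": ts,
                                 "fwd_pkts": 0, "bwd_pkts": 0,
                                 "fwd_bytes": 0, "bwd_bytes": 0}
        side = "fwd" if a == flow["src"] else "bwd"
        flow[side + "_pkts"] += 1
        flow[side + "_bytes"] += length
    return list(flows.values())

def graph_snapshots(flows, window_s=10.0):
    """One directed graph per window: nodes are IPs, edges aggregate flows src -> dst."""
    snaps = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "bytes": 0}))
    for f in flows:
        window = int(f["start"] // window_s)
        edge = snaps[window][(f["src"][0], f["dst"][0])]
        edge["flows"] += 1
        edge["bytes"] += f["fwd_bytes"] + f["bwd_bytes"]
    return {w: dict(edges) for w, edges in snaps.items()}

if __name__ == "__main__":
    for window, edges in sorted(graph_snapshots(build_flows(PACKETS)).items()):
        print(window, edges)
```

The second flow shows why direction-dependent features need care: when a capture starts mid-connection, the server can end up as the forward source.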

## Graph modeling 

<div align="center">
<img src="images/image.png" alt="alt text" width="500" />

## Dataset Access

The GRASEC-IoT Dataset is available for download and exploration via this GitLab repository.

## Citation

If you use this dataset in your research or projects, please cite the following publication:
GRASEC-IoT: A Graph Dataset for Security Enforcement in IoT Networks 

## Authors and acknowledgment
Those who have contributed to the project: Djameleddine Hamouche, Mohamed Reda Kadri, Mohamed-Lamine Messai, Hamida Seba. 
This work is supported by the French National Research Agency (ANR) under grant ANR-20-CE39-0008.

## License
Creative Commons Attribution. CC BY 4.0 Deed Attribution 4.0 International.
<img src="images/image-3.png" alt="alt text" width="250" />

## Project status
Current