ISOT Mil-STD-1553 Dataset
The dataset is a combination of datasets collected in a simulated environment consisting of normal activities and a series of attacks against the MIL-STD-1553 databus.
The simulation was conducted using Abaco R15-USB-2M USB interface box and Abaco BUSTOOLS/1553 GUI Software for MIL-STD-1553 bus analysis, simulation, and data logging.
Figure 1 depicts the simulated bus components. The bus architecture used in the simulation consists of a bus monitor (BM) and five different avionic systems, including a flight control computer (FCC) as RT3, a mission computer (MC) as BC, an inertial reference unit (IRU) as RT1, a mission control keyboard (MCK) as RT4, and a multi-function display unit (MFD) as RT2. The MC serves as bus controller (BC), while the remaining components are remote terminals.
Figure 1. Simulated MIL-STD-1553 bus components
The components were the only ones used to execute the normal activities. To simulate the attack, we added a rogue terminal as RT0.
A baseline dataset consisting of normal activities was generated by running the simulation for 10 min. Subsequently, 6 different attack scenarios were run separately against the baseline architecture, by introducing RT0 as rogue terminal. Table 1 provides a summary of the different datasets and Table 2 shows the different fields involved in the raw data. The dataset is provided as separate CSV files.
Table 1. Outline of the collected MIL-STD-1553 datasets
|Dataset #||Type of data||Attack type||Attack description||
rogue terminal (RT0) targets the FCC (RT3) by sending random
words in a loop
|3||Mix Normal/malicious||Multi-target DOS (Attack 2)||Rogue terminal (RT0) sends broadcast messages in a loop||373||30 sec|
Subtle Fake data injection
rogue terminal (RT0) replicates one of the messages sent by one of the legitimate RTs by slightly
altering one of the data items
Noisy fake data injection
similar to the above attack, except that in this case fake data
is randomly generated.
|6||Mix Normal/malicious||Logic attack (Attack 5)||
a rogue RT broadcast mode code value 4 (0x04), which corresponds to the Transmitter
Shutdown, which is unusual
|7||Mix Normal/malicious||Hybrid Logic/fake data injection (Attack 6)||Combination of the attacks in datasets 5 and 6||1004||30 sec|
Table 2. Raw dataset format
|msgID||Sequence number associated with the message by the simulator|
|timestamp||Message timestamp in seconds|
|error||Indicate whether the error bit of the status word related to the message is set; contains TRUE/FALSE accordingly.|
|modeCode||Indicate whether the message is a mode command message; contains TRUE/FALSE accordingly.|
|channel||Channel associated with the message|
|sa||Address of sending RT|
|ssa||Sub-address of the sending subsystem from the sending RT|
|da||Address of receiving RT|
|dsa||Sub-address of the receiving subsystem at the receiving RT|
|wc||Word count: number of data words included in the message|
|modeCode value||Mode code value when applicable|
|txRsp||Transmit command response time in ms|
|txSts||Transmit status word|
|rxRsp||Receive command response time in ms|
|rxSts||Receive status word|
|dw0 … dw31||Values of the data word included in the message ranging from dw0 to dw31; N/A is used when there is no data words for a field.|
|Malicious||Indication of whether the message is malicious: contains TRUE/FALSE accordingly.|
Indication of whether part of the data included in the message is injected:
contains TRUE/FALSE accordingly.
|gap||Inter-message gap time in ms|
|msgTime||Message time in ms|
To cite this dataset use:
Hadeer Saad, Issa Traore, Paulo Quinan, Karim Ganame, Oussama Boudar, “A Collection of Datasets for Intrusion Detection in MIL-STD-1553 Platforms”, in Artificial Intelligencefor Cyber- Physical Systems Hardening, I. Traoré, I. Woungang, and S. Saad, Eds. Springer, 2022, Chapter 4.