CAN Dataset for intrusion detection (OTIDS)
Controller Area Network (CAN) is a bus communication protocol which defines a standard for reliable and efficient transmission between in-vehicle nodes in real-time. Since CAN message is broadcast from a transmitter to the other nodes on a bus, it does not contain information about the source and destination address for validation. Therefore, an attacker can easily inject any message to lead system malfunctions. In this paper, we propose an intrusion detection method based on the analysis of the offset ratio and time interval between request and response messages in CAN. If a remote frame having a particular identifier is transmitted, a receiver node should respond to the remote frame immediately. Thus, each node has a fixed response offset ratio and the time interval in a normal state while these values vary in attack state. Using this property, we can measure the response performance of the existing nodes based on the offset ratio and time interval between request and response messages. As a result, our methodology can detect intrusions by monitoring the offset ratio and time interval, and it allows quick intrusion detection with high accuracy.
We provide datasets which include DoS attack, fuzzy attack, impersonation attack, and attack free states. Datasets were constructed by logging CAN traffic via the OBD-II port from a real vehicle while message injection attacks were performing.
We extracted the in-vehicle data from KIA SOUL.
1. DoS Attack : Injecting messages of ‘0x000’ CAN ID in a short cycle.
2. Fuzzy Attack : Injecting messages of spoofed random CAN ID and DATA values.
3. Impersonation Attack : Injecting messages of Impersonating node, arbitration ID = '0x164'.
4. Attack Free State: Normal CAN messages.
1.1 Data attributes
Timestamp, CAN ID, DLC, DATA, DATA, DATA, DATA, DATA, DATA, DATA, DATA
1. Timestamp : recorded time (s)
2. CAN ID : identifier of CAN message in HEX (ex. 043f)
3. DLC : number of data bytes, from 0 to 8
4. DATA[0~7] : data value (byte)
1.2 Summary of our dataset
For academic purpose, we are happy to release our datasets. If you use our dataset for your experiment, please cite our paper.
Dataset Download Link: Download
1. DoS Attack
2. Fuzzy Attack
3. Impersonation Attack
4. Attack Free State
Hyunsung Lee, Seong Hoon Jeong and Huy Kang Kim, "OTIDS: A Novel Intrusion Detection System for In-vehicle Network by using Remote Frame", PST (Privacy, Security and Trust) 2017
Download full paper: https://www.ucalgary.ca/pst2017/files/pst2017/paper-67.pdf
Download citation as Bibtex: otids.bib
If you have any questions about our study and the dataset, please feel free to contact us for further information.
Seong Hoon Jeong (seonghoon at korea.ac.kr) or Huy Kang Kim (cenda at korea.ac.kr)
4. About label in our dataset
The label of each record is as follows:
DoS Attack: Every frame that's Arbitration_ID = 0x000 is for attack (abnormal).
Fuzzy Attack / Impersonation Attack: there is no label whether each record is normal or abnormal.
0 sec - 250 sec: attack-free state (there is no message for the attack.)
from 250 sec: under-attack (attack + normal message)
This dataset is used for the the Anomaly Detection in Automobile Track in '2017 Information Security R&D dataset challenge' in South Korea.
You can find additional resources and tutorials (written in Korean) in the above URLs.
6. see also
Please see the page [HCRL/Datasets] to find out more in-vehicle IDS datasets or other datasets that we have.