TOW-IDS: Automotive Ethernet Intrusion Dataset


For academic purposes, we are happy to release our datasets. This dataset is in support of my research paper 'TOW-IDS: Intrusion Detection System based on Three Overlapped Wavelets in Automotive Ethernet'. If you want to use our dataset for your experiment, please cite our paper.

We created and extracted various types of In-vehicle network data for academic purposes in the Automotive Ethernet environment. The dataset contains three kinds of IVN data, i.e., AVTP, gPTP, and UDP. In particular, the UDP traffic is converted from CAN messages. The collected data were divided into two datasets. One of the datasets contained Normal driving data without an attack. The other dataset included Abnormal driving data that occurred when an attack was performed. The abnormal traffic is based on the defined five attack scenarios.

We focus on the CAN, AVB, and gPTP protocols in Automotive Ethernet. These protocols generate and transmit network traffic, such as AVB stream data, gPTP sync, and encapsulated CAN messages. These various types of network traffic pass through the 100BASE-T1 switches to reach the destination in the end. We extracted the IVN traffic data using port mirroring with the 100BASE-T1 switch while all linked nodes communicate each. Moreover, to include the CAN message in Automotive Ethernet, we extracted the IVN traffic data by converting the CAN bus traffic to UDP packets.

The equipment setup used to extract vehicle data from the Automotive Ethernet environment was as follows. First, we simulated the experiment on machine with the following specs to assess the performance: 4790K CPU, 32GB RAM, and 2080 RTX GPU. Then, we used the Keras Python library for deep learning to apply the deep learning algorithm. Regarding parameter setting, we initialized ‘adam’ in the optimizer, binary cross-entropy in the loss function, and 100 epochs of the training iteration.

2. instructions

There are both Normal data and Abnormal data in the *.pcap.

The Abnormal data contains Fram injection, PTP sync, Switch (MAC Flooding), CAN DoS, and CAN replay attacks.

The label name is defined as follows.

  • Normal: normal data

  • F_I: Fram injection attack

  • P_I: PTP sync attack

  • M_F: Switch (MAC Flooding) attack

  • C_D: CAN DoS attack

  • C_R: CAN replay attack

3. Publication

Mee Lan Han, Byung Il Kwak, and Huy Kang Kim. "TOW-IDS: Intrusion Detection System based on Three Overlapped Wavelets in Automotive Ethernet." IEEE Transactions on Information Forensics and Security (2022, ACCEPTED for publication as a REGULAR paper in the IEEE Transactions on Information Forensics & Security)


5. acknowledgement

  • This work was supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No.2021-0-00903, Development of Physical Channel Vulnerability-based Attacks and its Countermeasures for Reliable On-Device Deep Learning Accelerator Design).

  • This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. 2022R1A4A1033600).