RT Spoofing Attacks on MIL-STD-1553 Communication Traffic

MIL-STD-1553 is a military standard that defines the protocol characteristics of a data bus medium for the exchange of information between various subsystems. Although the threat of cyber-attacks on the MIL-STD-1553 protocol has become a growing concern in recent years, little work has been published on detecting such attacks. One of the primary reasons for this is the confidentiality of data recorded from buses on operational systems and as a result, lack of data availability. Moreover, existing research doesn’t sufficiently emphasize the complexity of detecting attacks that can be camouflaged by normal non-periodic messages that the MIL-STD-1553 supports. We present three datasets of synthesized MIL-STD-1553 traffic containing injected RT Spoofing Attack messages. The implemented attacks emulate normal non-periodical communication so detecting them with a low false positive rate is non-trivial. Each dataset is separated into a training set of normal messages and a test set of both normal and attack messages. The test sets differ by the occurrence rate of attack messages (0.01%, 0.1%, and 1%). Each dataset is also preprocessed into a dataset of message sequences so that it can be used for sequential anomaly detection analysis. The sequential test sets differ by the occurrence rate of attack sequences (0.14%, 1.26%, and 11.01%). A Java program for generating the sequence datasets from the message stream datasets is also included so users can generate new sequence datasets with different sequence lengths or a labeling according to whether or not the message was injected instead of whether or not it affected the aircraft's behavior. These datasets are intended to serve three primary purposes: (1) evaluate the ability of MIL-STD-1553 intrusion detection systems (IDS) to detect attacks that emulate normal non-periodical traffic; (2) evaluate IDSs on differing occurrence rates of attacks; (3) evaluate and compare IDSs that operate on non-sequential data as well as IDSs that operate on sequential data. Please refer to the linked data description document for the full details of the data synthesis process, the motivation for our preprocessing into sequences, and the format of the CSV files. This document also provides relevant background on detecting Spoofing Attacks from MIL-STD-1553 Traffic.