Implementation of Modbus spoofing attacks and their detection using unsupervised machine learning.
These instructions assume a Linux setup.
Install VirtualBox for your Linux distribution. You may need to enable virtualization in the BIOS.
Download and import the prebuilt VMs. When importing each machine, set promiscuous mode in its network adapter configuration to Allow All.
If you have trouble enabling host-only networks, add the following lines to /etc/vbox/networks.conf:
* 192.168.90.0/24
* 192.168.95.0/24
Navigate to the simulation in your browser and verify that the chemical plant is running. If so, you're all set. Shut down the VMs.
Follow the instructions in the README.md file in the modbus-attacks directory.
Follow the instructions in the README.md file in the data-capture directory.
Install the Python modules (run inside the SpoofingDetection directory):
pip3 install -r requirements.txt
This will create a snapshot of all VMs in a state where the chemical process has stabilized. Each time the machines are booted, the state is restored to this snapshot.
bash create-snapshot.sh
This will capture a full cycle (1000 seconds) of benign data.
bash capture-training-data.sh
This will train the model using the training data previously captured.
python3 train.py
This will capture attack data for all 54 attacks. Each attack is run for a full cycle (1000 seconds). This will take about 15 hours to complete.
bash capture-attack-data.sh
This will capture 50 cycles (roughly 14 hours' worth) of benign data to verify that the model does not produce any false positives.
bash capture-benign-data.sh
This will test the model against all the attack and benign datasets.
python3 batch.py
This will collect the detection time for each attack and log it to a file time.csv. Each attack is only run for a full cycle (1000 seconds).
bash detection-time.sh
You can also measure the detection time for a single attack.
bash live-monitor.sh <attack number>