Automotive Ethernet Intrusion Dataset

The following devices are connected to the automotive Ethernet testbed:

• a RAD-Galaxy: BroadR-Reach switch
• two neoECU AVB/TSN (AVB/TSN Endpoint Simulation): configured as an AVB talker and an AVB listener, respectively
• a RAD-Moon: a media converter (between BroadR-Reach and Ethernet)
• an USB Camera connected to the AVB talker

The dataset contains four benign (attack-free) packet captures. 

• driving_01_original.pcap (about 10 min)
• driving_02_original.pcap (about 16 min)
• indoors_01_original.pcap (about 24 min)
• indoors_02_original.pcap (about 21 min)

We suppose that an attacker injects arbitrary stream AVTP data units (AVTPDUs) into the IVN. The goal of the attacker is to output a single video frame, at a terminal application connected to the AVB listener, by injecting previously generated AVTPDUs during a certain period. To demonstrate the attack, we extract 36 continuous stream AVTPDUs (single-MPEG-frame.pcap) from one of our AVB datasets; the extracted AVTPDUs constitute one video frame. Then, the attacker performs a replay attack by sending the 36 stream AVTPDUs repeatedly. Check *_injected.pcap files for the result of the replay attack.

To open the packet captures, we recommend researchers use Wireshark and the following plug-ins:

• Dissector for IEEE1722 (AVTP) IEC61883/IIDC Subtype MPEG2-TS: https://gist.github.com/oro350/8321451
• (Optional) MPEG video parser https://wiki.wireshark.org/mpeg_dump.lua

Acknowledgements

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2018-0-00312, Developing technologies to predict, detect, respond, and automatically diagnose security threats to automotive Ethernet-based vehicle).