CICAPT-IIOT: A provenance-based APT attack dataset for IIoT environment

TL;DR

The paper introduces CICAPT-IIoT, a comprehensive dataset combining network and provenance logs for IIoT environments, to improve detection of sophisticated APT attacks using machine learning.

Contribution

It presents a novel, detailed APT dataset for IIoT that includes multiple attack techniques and integrates network and provenance data for enhanced cybersecurity research.

Findings

Includes over 20 attack techniques relevant to APT campaigns

Captures key phases of APT cycle such as data exfiltration and lateral movement

Provides a foundation for developing advanced intrusion detection systems

Abstract

The Industrial Internet of Things (IIoT) is a transformative paradigm that integrates smart sensors, advanced analytics, and robust connectivity within industrial processes, enabling real-time data-driven decision-making and enhancing operational efficiency across diverse sectors, including manufacturing, energy, and logistics. IIoT is susceptible to various attack vectors, with Advanced Persistent Threats (APTs) posing a particularly grave concern due to their stealthy, prolonged, and targeted nature. The effectiveness of machine learning-based intrusion detection systems in APT detection has been documented in the literature. However, existing cybersecurity datasets often lack crucial attributes for APT detection in IIoT environments. Incorporating insights from prior research on APT detection using provenance data and intrusion detection within IoT systems, we present the CICAPT-IIoT dataset. The main goal of this paper is to propose a novel APT dataset in the IIoT setting that includes essential information for the APT detection task. In order to achieve this, a testbed for IIoT is developed, and over 20 attack techniques frequently used in APT campaigns are included. The performed attacks create some of the invariant phases of the APT cycle, including Data Collection and Exfiltration, Discovery and Lateral Movement, Defense Evasion, and Persistence. By integrating network logs and provenance logs with detailed attack information, the CICAPT-IIoT dataset presents foundation for developing holistic cybersecurity measures. Additionally, a comprehensive dataset analysis is provided, presenting cybersecurity experts with a strong basis on which to build innovative and efficient security solutions.