beitong95/aius (forked from ITI/aius)
# aius
AIUS Repository (EDMAND/CAPTAR combination)

This folder contains the code for the framework named Aius, a framework for anomaly detection and attack reasoning in SCADA systems.

The three folders contain different files:
- code: This folder stores all the code files (Bro and Python scripts) for the framework. Each file is described in more detail later in this README.
- csv: This folder stores '.csv' files that contain simulated measurement data from the ITI testbed. They are used to generate baseline traffic and anomaly data for evaluation purposes.
- trace: This folder stores several trace files of SCADA system traffic for test purposes.

To run the framework, run the 'run.sh' file. Two run modes can be selected using the following two commands:
- "./run.sh real": This runs the framework on traffic stored in a specified trace file. The trace file can be specified in run.sh.
- "./run.sh": This runs the framework on traffic generated by our traffic generator.

A brief description of each file in the 'code' folder is given as follows:
- 'end_point.bro': Bro script that serves as the end point for communication with the Python part.
  - 'flow_level.bro': Data extractor module file for the transport level traffic.
  - 'protocol_level.bro': Data extractor module file for the protocol level traffic.
  - 'protocol_level_modbus.bro': Sub-module file responsible for the Modbus protocol level extraction.
  - 'protocol_level_dnp3.bro': Sub-module file responsible for the DNP3 protocol level extraction.
  - 'data_level.bro': Data extractor module for the content level traffic.
  - 'data_level_modbus.bro': Sub-module file responsible for the Modbus content level extraction.
  - 'data_level_dnp3.bro': Sub-module file responsible for the DNP3 content level extraction.
- 'edmand.py': Main file for the anomaly detection sub-framework named EDMAND.
  - 'parse_packet.py': File for the transport level parser.
  - 'packet.py': File to store the input data structure for packet level anomaly detection.
  - 'parse_operation.py': File for the protocol level parser.
  - 'operation.py': File to store the input data structure for protocol level anomaly detection.
  - 'parse_data_value.py': File for the content level parser.
  - 'data_value.py': File to store the input data structure for content level anomaly detection.
  - 'analyze_packet.py': File for the packet processor.
  - 'analyze_flow.py': File for the flow processor.
  - 'flow.py': File to store the input data structure for flow level anomaly detection.
  - 'anomaly.py': File to store the anomaly data.
  - 'den_stream.py': File for the clustering anomaly detection mechanism.
  - 'inc_mean_std.py': File for the Mean-STD anomaly detection mechanism.
  - 'manage_anomaly.py': File for the alert manager.
  - 'generate_traffic': File for the synthetic traffic generator.
- 'analyze_alert': Main file for the attack reasoning sub-framework named CAPTAR.
  - 'anomaly_analyzer.py': File for the causal reasoning engine.
  - 'correlate_alert.py': File for the alert correlator.
  - 'attack_step.py': File to store the attack step node in the causal polytree.
  - 'attack_template.py': File to store the attack template (causal polytree).
  - 'generate_template': File to create the attack templates.
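The list above names a "Mean-STD anomaly detection mechanism" for content level values without describing it. The following is an added illustration of that kind of detector, written for this README and not taken from the project's 'inc_mean_std.py': an incremental mean/standard-deviation baseline (Welford's online update) with a z-score threshold. The class name, the threshold, the warm-up length and the sample register values are all assumptions made for the example.

```python
"""Incremental mean/standard-deviation anomaly check over one measurement stream.

Added example, not the project's inc_mean_std.py. It keeps a running mean and
variance with Welford's algorithm, so the full history of a register stream
never has to be stored, and flags a reading whose z-score exceeds a threshold.
Threshold, warm-up length and the sample values below are assumptions.
"""
import math


class IncMeanStd:
    """Online mean/std for one stream (e.g. one Modbus holding register)."""

    def __init__(self, threshold=3.0, warmup=10):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0               # running sum of squared deviations
        self.threshold = threshold  # z-score above which a value is anomalous
        self.warmup = warmup        # samples learned before any alert is raised

    @property
    def std(self):
        # Sample standard deviation; undefined (0.0) until two samples are seen
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def _update(self, x):
        # Welford's single-pass update of mean and squared deviations
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def check(self, x):
        """Return (is_anomaly, z_score) for x.

        Normal values are folded into the baseline; anomalous values are not,
        so a spoofed reading cannot shift the model it was flagged against.
        """
        if self.n < self.warmup:
            self._update(x)
            return False, 0.0
        std = self.std
        if std > 0:
            z = abs(x - self.mean) / std
        else:
            # Constant stream so far: any deviation at all is unbounded
            z = 0.0 if x == self.mean else math.inf
        if z > self.threshold:
            return True, z
        self._update(x)
        return False, z


def detect(values, threshold=3.0, warmup=10):
    """Run the detector over a sequence and return indices of anomalous samples."""
    det = IncMeanStd(threshold, warmup)
    return [i for i, v in enumerate(values) if det.check(v)[0]]


# Constructed sample: a slowly varying register value with one spoofed reading
SAMPLE = [100, 101, 99, 100, 102, 98, 100, 101, 99, 100, 101, 100, 99, 250, 100, 101]

if __name__ == "__main__":
    print("anomalous sample indices:", detect(SAMPLE))  # → [13]
```

In a deployment one detector instance would be kept per extracted stream (per device and register, or per flow feature), and the warm-up length would be chosen from baseline traffic such as the csv data this repository ships for evaluation.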

Languages

  • Python 84.2%
  • Zeek 15.7%
  • Shell 0.1%