Implementation of Modbus packet spoofing and detection using unsupervised machine learning on Factory I/O
These instructions assume a Windows 10 setup with WSL. Factory I/O only runs on Windows.
Install VirtualBox for Windows
Install Factory I/O. This will require a valid license.
Create the following host-only network:
192.168.56.0/24
We use three virtual machines as part of the VM topology. All of them run Debian GNU/Linux. Download the prebuilt VMs and add them to the host-only network.
Prebuilt VMs
Shared Folders
- Create a shared folder between the data-capture directory and /home/hmi/data-capture on the factoryio_hmi VM
- Create a shared folder between the modbus-attacks directory and /home/attacker/modbus-attacks on the factoryio_attacker VM
Download the Production Line scene with renamed variables. Import the scene into Factory I/O and rename it to Production Line
In capture-training-data.sh, capture-attack-data.sh, capture-benign-data.sh, and live-monitor.sh, replace all instances of <user> with the appropriate username
Install the required Python libraries
pip3 install -r requirements.txt
This will create a snapshot of all VMs in a booted state. Each time the machines are booted, the state is restored to this snapshot.
bash create-snapshot.sh
This will capture a full cycle (400 seconds) of benign data.
bash capture-training-data.sh
This will train the model using the training data previously captured.
python3 train.py
This will capture attack data for all 7 attacks. Each attack is run for a full cycle (400 seconds).
bash capture-attack-data.sh
This will capture 50 cycles (roughly 5.5 hours' worth) of benign data to verify that the model does not produce any false positives.
bash capture-benign-data.sh
This will test the model against all the attack and benign datasets.
python3 batch.py
This will collect the detection time for each attack and log it to a file time.csv. Each attack is only run for a full cycle (400 seconds).
bash detection-time.sh
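An added illustration of the train-on-benign, test-on-attack-and-benign workflow above, not the repository's train.py or batch.py: it parses Modbus/TCP read responses and learns a per-register value envelope from unlabeled benign frames. The feature choice, the envelope model, the function names and the sample frames are all assumptions constructed for this example.

```python
import struct

def build_response(tid, unit, regs):
    """Constructed helper: encode a Modbus/TCP Read Holding Registers (0x03) response."""
    pdu = struct.pack(f">BB{len(regs)}H", 0x03, 2 * len(regs), *regs)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_response(frame):
    """Return the register values, or None if the frame is not a well-formed 0x03 response."""
    if len(frame) < 9:
        return None
    tid, proto, length, unit, func, count = struct.unpack(">HHHBBB", frame[:9])
    # MBAP length counts the unit id plus the PDU; protocol id is always 0 for Modbus.
    if proto != 0 or length != len(frame) - 6 or func != 0x03:
        return None
    if count != len(frame) - 9 or count % 2:
        return None
    return list(struct.unpack(f">{count // 2}H", frame[9:]))

def train(frames, margin=0.1):
    """Learn a per-register (low, high) envelope from unlabeled benign traffic."""
    rows = [r for r in map(parse_response, frames) if r is not None]
    model = []
    for column in zip(*rows):
        lo, hi = min(column), max(column)
        pad = margin * (hi - lo)
        model.append((lo - pad, hi + pad))
    return model

def is_anomalous(model, frame):
    """Flag malformed frames, unexpected register counts, and out-of-envelope values."""
    regs = parse_response(frame)
    if regs is None or len(regs) != len(model):
        return True
    return any(not lo <= v <= hi for v, (lo, hi) in zip(regs, model))

# Constructed benign cycle: register 0 is a sensor reading in 40..60, register 1 a 0/1 state.
BENIGN = [build_response(i, 1, [40 + i % 21, i % 2]) for i in range(100)]
MODEL = train(BENIGN)

if __name__ == "__main__":
    spoofed = build_response(200, 1, [500, 1])   # constructed out-of-range reading
    print(is_anomalous(MODEL, build_response(201, 1, [50, 0])))  # benign-looking frame
    print(is_anomalous(MODEL, spoofed))
    print(is_anomalous(MODEL, spoofed[:-1]))     # truncated frame
```

A spoofed value that stays inside the learned envelope passes this check, which is why the long benign capture and the per-attack detection-time run are both needed to judge a detector.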