Sherlock: A Dataset for Process-aware Intrusion Detection Research on Power Grid Networks
Eric Wagner, Lennart Bader, Konrad Wolsing, Martin Serror
TL;DR
Sherlock tackles the lack of large-scale, realistic datasets for process-aware intrusion detection in power grids by introducing a Wattson-based co-simulated dataset across three realistic scenarios. It provides passive network captures and a process-state abstraction via IPAL, enabling evaluation of multiple IDS across attack and normal-operation conditions over 35 simulated days. The work benchmarks five general-purpose industrial IDS, revealing limitations and six domain-specific challenges, and demonstrates that transferability between similar and different grid topologies is essential for practical IDS deployment. By offering labeled data, ground-truth process states, and IPAL-formatted representations, Sherlock supports reproducible research and facilitates advancement toward robust, scalable security solutions for critical infrastructure. The dataset and findings have practical impact for researchers and operators aiming to improve detection while managing benign grid dynamics.
Abstract
Physically distributed components and legacy protocols make the protection of power grids against increasing cyberattack threats challenging. Infamously, the 2015 and 2016 blackouts in Ukraine were caused by cyberattacks, and the German Federal Office for Information Security (BSI) recorded over 200 cyber incidents against the German energy sector between 2023 and 2024. Intrusion detection promises to quickly detect such attacks and mitigate the worst consequences. However, public datasets of realistic scenarios are vital to evaluate these systems. This paper introduces Sherlock, a dataset generated with the co-simulator Wattson. In total, Sherlock covers three scenarios with various attacks manipulating the process state by injecting malicious commands or manipulating measurement values. We additionally test five recently published intrusion detection systems on Sherlock, highlighting specific challenges for intrusion detection in power grids. Dataset and documentation are available at https://sherlock.wattson.it/.
