Network Traffic Features for Anomaly Detection in Specific Industrial Control System Network

The deterministic and restricted nature of industrial control system (ICS) networks sets them apart from more open networks, such as local area networks in office environments. This makes network security monitoring approaches practical that would be less feasible in more open environments. One such approach is machine learning based anomaly detection. Without proper customization for the special requirements of the ICS network environment, many existing anomaly or misuse detection systems will perform sub-optimally; a machine learning based approach could reduce the amount of manual customization required for different ICS networks. In this paper we analyze a possible set of features to be used in a machine learning based anomaly detection system in the real world ICS network environment under investigation. The network under investigation is described by an architectural drawing and by results derived from network trace analysis. The network trace was captured from a live, running industrial process control network and includes both the control data and the data flowing between the control network and the office network. We limit the investigation to the IP traffic in the traces.
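The following is an added illustration, not code or a feature set from the paper itself, of what "traffic features" and "leveraging determinism" mean in practice: per-flow features (packet count, mean length, mean inter-arrival time, number of source ports) are extracted from IP packet records, a baseline is learned from benign capture windows, and a new window is flagged either because a flow key was never seen before or because a feature moves more than k standard deviations from its learned profile. The flow key, the four features, the hosts, ports and timings are all assumptions; the traffic is constructed inline so the block runs offline.

```python
"""Added example: per-flow feature extraction from IP packet records plus a
baseline/deviation check. The feature set and the constructed traffic are
assumptions for illustration, not the paper's own feature set or traces."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    length: int    # bytes on the wire


def flow_key(p):
    # Direction-aware key on the destination port: the ephemeral client port
    # is left out so repeated HMI -> PLC polls map onto one key.
    return (p.src, p.dst, p.proto, p.dport)


def extract_features(packets):
    """Return {flow_key: feature dict} for one capture window."""
    by_flow = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        by_flow[flow_key(p)].append(p)
    feats = {}
    for key, pkts in by_flow.items():
        lengths = [p.length for p in pkts]
        gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
        feats[key] = {
            "pkt_count": len(pkts),
            "mean_len": mean(lengths),
            "mean_gap": mean(gaps) if gaps else 0.0,
            "src_ports": len({p.sport for p in pkts}),
        }
    return feats


class FlowBaseline:
    """Learns per-flow feature profiles from benign windows. In a deterministic
    network most features have near-zero variance, so min_std keeps the
    threshold finite while still flagging any real change."""

    def __init__(self, k=3.0, min_std=1e-3):
        self.k = k
        self.min_std = min_std
        self.samples = defaultdict(lambda: defaultdict(list))

    def train(self, window_packets):
        for key, f in extract_features(window_packets).items():
            for name, val in f.items():
                self.samples[key][name].append(val)

    def score(self, window_packets):
        """Return a list of (flow_key, reason, value) alerts for a window."""
        alerts = []
        for key, f in extract_features(window_packets).items():
            if key not in self.samples:
                alerts.append((key, "unseen_flow", None))
                continue
            for name, val in f.items():
                hist = self.samples[key][name]
                mu, sd = mean(hist), max(pstdev(hist), self.min_std)
                if abs(val - mu) > self.k * sd:
                    alerts.append((key, name, val))
        return alerts


def poll_window(start, n=10, length=66, period=1.0):
    """Constructed benign traffic (assumption): HMI 10.0.0.10 polls PLC
    10.0.0.20 on Modbus/TCP port 502 once per period; each poll is answered."""
    pkts = []
    for i in range(n):
        t = start + i * period
        pkts.append(Packet(t, "10.0.0.10", "10.0.0.20", "tcp", 49152, 502, length))
        pkts.append(Packet(t + 0.01, "10.0.0.20", "10.0.0.10", "tcp", 502, 49152, length))
    return pkts


def run_demo():
    base = FlowBaseline()
    for start in (0.0, 100.0, 200.0):
        base.train(poll_window(start))
    benign = base.score(poll_window(300.0))
    # Constructed: an office host opens SSH to the PLC inside the window,
    # producing two flow keys the baseline has never seen.
    intrusion = poll_window(400.0) + [
        Packet(400.5, "10.0.1.5", "10.0.0.20", "tcp", 50000, 22, 90),
        Packet(400.51, "10.0.0.20", "10.0.1.5", "tcp", 22, 50000, 90),
    ]
    new_flows = base.score(intrusion)
    # Constructed: same flows and timing, but every poll packet is 300 bytes.
    bloated = base.score(poll_window(500.0, length=300))
    return benign, new_flows, bloated


if __name__ == "__main__":
    for label, alerts in zip(("benign", "new_flows", "bloated"), run_demo()):
        print(label, alerts)
```

The benign window produces no alerts, the SSH connection is reported as two unseen flows, and the oversized polls trip only the mean_len feature on both directions of the Modbus conversation. The same code run on office-network traffic would alert constantly, which is the point the abstract makes: this style of feature-based baselining only pays off where the traffic is as repetitive as an ICS network's.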
