Feature Selection for Machine Learning Based Anomaly Detection in Industrial Control System Networks

The nature of the traffic in an industrial control system network is markedly different from that of more open networks. Industrial control system networks should be far more restricted in the diversity of traffic types present. This enables approaches that are currently less feasible in open environments, such as machine learning based anomaly detection. Without proper customization for the special requirements of an industrial control system network environment, many existing anomaly or misuse detection systems will perform sub-optimally. A machine learning based approach would reduce the amount of manual customization required for the different restricted network environments of which an industrial control system network is a good example. In this paper we present an initial analysis of data captured from the Ethernet network of a live, running industrial site. This includes both control data and the data flowing between the control network and the office network. A set of possible features to be used for detecting anomalies is studied for this environment.
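The following is an added example and not code from the paper: it illustrates the kind of per-flow features (endpoint pair, protocol and port, packet size statistics, inter-arrival timing) that a restricted ICS network makes usable for baseline-deviation anomaly detection. The packet records are constructed to mimic an HMI polling a PLC over Modbus/TCP plus a periodic historian pull; the addresses, ports, sizes and the feature set itself are assumptions for illustration, not the features or data studied in the paper.

```python
"""Added example (not from the paper): per-flow feature extraction and a
baseline-deviation anomaly detector for ICS-style traffic.

All packet records below are constructed; the feature set is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Packet record layout: (timestamp_s, src_ip, dst_ip, proto, dst_port, length_bytes)

def constructed_baseline():
    """Constructed 'normal' window: HMI polls PLC every 1 s (fixed-size request and
    reply), historian pulls from the PLC every 10 s."""
    pkts = []
    for i in range(60):
        t = float(i)
        pkts.append((t, "10.0.0.10", "10.0.0.20", "tcp", 502, 66))          # poll request
        pkts.append((t + 0.05, "10.0.0.20", "10.0.0.10", "tcp", 49152, 78)) # poll reply
        if i % 10 == 0:
            pkts.append((t + 0.2, "10.0.0.30", "10.0.0.20", "tcp", 502, 120))  # historian
    return pkts

def constructed_test_window():
    """Constructed window with the same normal pattern plus three injected
    deviations: a never-seen endpoint, an oversized request, and a request that
    breaks the 1 s polling cadence."""
    pkts = []
    for i in range(10):
        t = 100.0 + i
        pkts.append((t, "10.0.0.10", "10.0.0.20", "tcp", 502, 66))
        pkts.append((t + 0.05, "10.0.0.20", "10.0.0.10", "tcp", 49152, 78))
    pkts.append((100.2, "10.0.0.30", "10.0.0.20", "tcp", 502, 120))  # normal historian pull
    pkts.append((103.5, "10.0.0.10", "10.0.0.21", "tcp", 502, 66))   # unseen PLC address
    pkts.append((105.3, "10.0.0.10", "10.0.0.20", "tcp", 502, 300))  # oversized, off-cadence
    return pkts

def flow_key(p):
    """Flow identity used as the unit of baselining."""
    _, src, dst, proto, dport, _ = p
    return (src, dst, proto, dport)

def extract_features(packets):
    """Per-flow features: packet count, length mean/std, inter-arrival mean/std."""
    by_flow = defaultdict(list)
    for p in sorted(packets):
        by_flow[flow_key(p)].append(p)
    feats = {}
    for key, plist in by_flow.items():
        lengths = [p[5] for p in plist]
        times = [p[0] for p in plist]
        gaps = [b - a for a, b in zip(times, times[1:])]
        feats[key] = {
            "count": len(plist),
            "len_mean": mean(lengths),
            "len_std": pstdev(lengths),
            "gap_mean": mean(gaps) if gaps else 0.0,
            "gap_std": pstdev(gaps) if gaps else 0.0,
        }
    return feats

def detect(baseline_feats, packets, k=3.0, tol=1e-6):
    """Flag packets whose flow is absent from the baseline, or whose length or
    inter-arrival gap departs from the baseline mean by more than k standard
    deviations. A zero-variance baseline (typical of fixed ICS polling) means
    any deviation beyond the float tolerance is flagged."""
    alerts = []
    last_seen = {}
    for p in sorted(packets):
        key = flow_key(p)
        base = baseline_feats.get(key)
        if base is None:
            alerts.append(("new_flow", p))
            continue
        if abs(p[5] - base["len_mean"]) > k * base["len_std"] + tol:
            alerts.append(("size_deviation", p))
        if key in last_seen:
            gap = p[0] - last_seen[key]
            if abs(gap - base["gap_mean"]) > k * base["gap_std"] + tol:
                alerts.append(("timing_deviation", p))
        last_seen[key] = p[0]
    return alerts

if __name__ == "__main__":
    feats = extract_features(constructed_baseline())
    for kind, pkt in detect(feats, constructed_test_window()):
        print(kind, pkt)
```

The oversized request at 105.3 s trips both the size check and the timing check, and the next regular poll at 106.0 s is flagged as well because its gap to the injected packet is 0.7 s rather than 1.0 s; on real traffic the timing rule would need a tolerance derived from observed jitter rather than the near-zero variance of this constructed baseline.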
