Attacks on industrial control systems (ICS) have been exemplified by the Stuxnet, Industroyer, and Triton malware, which targeted Iran's nuclear facilities in 2010, Ukraine's power grid in 2016, and the Safety Instrumented System (SIS) controllers of a plant in a Middle Eastern country in 2017, respectively. As a result, Critical Infrastructure Information Protection (CIIP) has drawn much attention from academia, industry, and government in many countries.

In this paper, we propose an anomaly detection method for ICS networks. The main idea is to model the normal behavior of TCP and UDP payloads as a set of frequent patterns plus clusters of the non-frequent patterns. Payloads captured during normal operation are first processed by a sequential pattern mining algorithm to extract frequent patterns; each payload is then projected against those frequent patterns, and the projected payloads are grouped by hierarchical agglomerative clustering to find the representative variations of normal behavior. Experimental results show that the proposed method performs very well in terms of accuracy, recall, precision, false alarm rate, and false dismissal rate on ICS networks that use the Modbus/TCP or BACnet protocols. The proposed system model can also leverage honeypots deployed in ICS networks to generate attack signatures, which help filter out known attacks.
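To make the three-stage pipeline concrete, the following is an added toy implementation, not the paper's code: a PrefixSpan-style miner over byte sequences, a binary projection of each payload onto the mined patterns, average-linkage hierarchical agglomerative clustering with a distance cutoff, and a detector that scores a payload by its distance to the nearest cluster centroid. The Modbus/TCP training traffic is constructed (an HMI polling holding registers), and the support fraction, pattern length, linkage rule and cutoff are my own assumptions rather than the authors' settings.

```python
"""Added illustration of the abstract's pipeline: frequent-subsequence mining,
projection, hierarchical agglomerative clustering (HAC), anomaly scoring.
Not the paper's code; the Modbus/TCP traffic below is constructed, and the
mining, linkage and threshold choices are assumptions."""
import struct
from itertools import combinations


def modbus_read_holding(tid, unit, start, qty):
    """TCP payload of a Modbus/TCP Read Holding Registers (FC 3) request:
    MBAP header (transaction id, protocol id 0, length 6, unit id) + PDU."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, 3, start, qty)


def prefixspan(seqs, min_support, max_len):
    """PrefixSpan-style miner: {pattern: support} for every (possibly
    non-contiguous) byte subsequence of length <= max_len that occurs in at
    least min_support sequences."""
    patterns = {}

    def mine(prefix, projected):  # projected = [(seq_index, start_offset)]
        if len(prefix) >= max_len:
            return
        counts = {}
        for si, pos in projected:
            for item in set(seqs[si][pos:]):  # one count per sequence
                counts[item] = counts.get(item, 0) + 1
        for item, cnt in sorted(counts.items()):
            if cnt < min_support:
                continue  # anti-monotone: no superpattern can be frequent
            new_prefix = prefix + (item,)
            patterns[new_prefix] = cnt
            new_proj = []
            for si, pos in projected:
                s = seqs[si]
                for j in range(pos, len(s)):
                    if s[j] == item:
                        new_proj.append((si, j + 1))
                        break
            mine(new_prefix, new_proj)

    mine((), [(i, 0) for i in range(len(seqs))])
    return patterns


def is_subsequence(pattern, seq):
    it = iter(seq)
    return all(any(b == p for b in it) for p in pattern)


def project(payload, patterns):
    """Projection step: one binary feature per frequent pattern."""
    return tuple(int(is_subsequence(p, payload)) for p in patterns)


def distance(u, v):
    """Normalised L1 distance (the Hamming fraction for binary vectors)."""
    return sum(abs(a - b) for a, b in zip(u, v)) / len(u)


def agglomerative(vectors, cutoff):
    """Average-linkage HAC: merge the closest pair of clusters until that
    distance exceeds cutoff. Returns clusters as lists of vector indices."""
    clusters = [[i] for i in range(len(vectors))]

    def link(a, b):
        return sum(distance(vectors[i], vectors[j]) for i in a for j in b) / (len(a) * len(b))

    while len(clusters) > 1:
        d, x, y = min((link(clusters[i], clusters[j]), i, j)
                      for i, j in combinations(range(len(clusters)), 2))
        if d > cutoff:
            break
        clusters = [c for k, c in enumerate(clusters) if k not in (x, y)] + [clusters[x] + clusters[y]]
    return clusters


class PayloadModel:
    def __init__(self, min_support=0.4, max_len=4, cutoff=0.1):  # assumed parameters
        self.min_support, self.max_len, self.cutoff = min_support, max_len, cutoff

    def fit(self, payloads):
        support = int(self.min_support * len(payloads))
        self.patterns = sorted(prefixspan(payloads, support, self.max_len))
        vecs = [project(p, self.patterns) for p in payloads]
        self.centroids = [
            tuple(sum(vecs[i][k] for i in c) / len(c) for k in range(len(self.patterns)))
            for c in agglomerative(vecs, self.cutoff)
        ]
        return self

    def score(self, payload):
        """Distance to the nearest normal-behaviour cluster centroid."""
        v = project(payload, self.patterns)
        return min(distance(v, c) for c in self.centroids)

    def is_anomalous(self, payload):
        return self.score(payload) > self.cutoff


# Constructed normal traffic: an HMI polling holding registers at three
# offsets with two block sizes; transaction ids increment as on a real link.
NORMAL = [modbus_read_holding(i, 1, (0x0000, 0x0010, 0x0020)[i % 3], (2, 4)[i % 2])
          for i in range(30)]
MODEL = PayloadModel().fit(NORMAL)

# Constructed test payloads: an unseen-but-normal poll, then three anomalies.
UNSEEN_NORMAL = modbus_read_holding(100, 1, 0x0010, 4)
WRITE_REGISTER = struct.pack(">HHHBBHH", 101, 0, 6, 1, 6, 0x0010, 0x1234)    # FC 6 write
FORCE_LISTEN_ONLY = struct.pack(">HHHBBHH", 102, 0, 6, 1, 8, 0x0004, 0x0000)  # FC 8 diagnostic
OVERSIZED_READ = modbus_read_holding(103, 1, 0x0000, 2000)  # quantity above the 125 limit

if __name__ == "__main__":
    for name, p in [("unseen normal", UNSEEN_NORMAL), ("write", WRITE_REGISTER),
                    ("listen-only", FORCE_LISTEN_ONLY), ("oversized", OVERSIZED_READ)]:
        print(f"{name:14s} score={MODEL.score(p):.3f} anomalous={MODEL.is_anomalous(p)}")
```

Because the patterns are subsequences rather than fixed byte offsets, the varying transaction id drops out of the model on its own, while an unexpected function code, diagnostic sub-function or register count lands far from every centroid. The same property is the caveat: a legitimate but never-observed poll (a new block size, say) is also flagged, so the training capture must cover the full operating envelope, which is where the honeypot-derived signatures mentioned in the abstract complement the behavioural model rather than replace it.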