DOI: 10.1145/3459960.3459963

A Network Traffic Processing Library for ICS Anomaly Detection

Published: 27 May 2021

Abstract

Anomaly detection based on traffic monitoring is one of the key components in securing industrial control systems (ICS), which are critical cyber-physical environments. Many anomaly detection methods have been proposed in the past decade, built on principles ranging from signature detection through statistical analysis to machine learning. Because public ICS communication datasets are scarce, evaluating these methods, and especially comparing their performance, is problematic. Where a prototype implementation is provided at all, the methods are written in different languages and expect different input formats. In this paper we propose a library that processes ICS communication, extracts the required information, e.g., packet-level or flow-level features, and hands the data to a user-specified anomaly detection method. The library can be integrated into a system that automates the entire processing pipeline, which lets us run experiments with different methods while saving the time otherwise spent on manual data preparation.
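To make the pipeline shape described above concrete, the following is an added example written for this page; it is not the paper's library and does not reproduce its API. It parses Modbus/TCP frames (packet level), aggregates them into bidirectional flows with volume, timing and function-code features (flow level), and passes each flow's feature record to a pluggable detector supplied by the caller. All identifiers are hypothetical, the whitelist detector is only a placeholder for a user-specified method, and the sample traffic is constructed inline rather than taken from a capture.

```python
# Added example, not the paper's library: parse Modbus/TCP, build flow features,
# hand them to a user-specified detector. Names are hypothetical; traffic is constructed.
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:  # one packet reduced to what the extractor needs (a pcap reader would fill it)
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # TCP payload, i.e. the Modbus/TCP frame

MBAP = struct.Struct("!HHHB")  # transaction id, protocol id, length, unit id

def parse_modbus_tcp(payload: bytes):
    """Packet level: unit id, function code and exception flag; None if malformed."""
    if len(payload) < MBAP.size + 1:
        return None
    _tid, proto, length, unit = MBAP.unpack_from(payload)
    # MBAP length covers unit id + PDU, i.e. everything after the first 6 bytes
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[MBAP.size]
    return {"unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}

def flow_key(p: Packet) -> Tuple:
    """Bidirectional key so a request and its response land in the same flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def flow_features(packets: Iterable[Packet]) -> Dict[Tuple, dict]:
    """Flow level: volume, duration and a Modbus function-code histogram per flow."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    out = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.ts)
        fcs, exceptions, malformed = Counter(), 0, 0
        for p in pkts:
            m = parse_modbus_tcp(p.payload)
            if m is None:
                malformed += 1  # keep counting: malformed frames are themselves a feature
                continue
            fcs[m["fc"]] += 1
            exceptions += int(m["exception"])
        out[key] = {"packets": len(pkts), "bytes": sum(len(p.payload) for p in pkts),
                    "duration": pkts[-1].ts - pkts[0].ts, "function_codes": dict(fcs),
                    "exceptions": exceptions, "malformed": malformed}
    return out

Detector = Callable[[dict], List[str]]  # user-supplied method: feature record -> alerts

def run_pipeline(packets: Iterable[Packet], detector: Detector) -> Dict[Tuple, List[str]]:
    """The glue: extract features for every flow, then call the caller's detector on each."""
    return {key: detector(feat) for key, feat in flow_features(packets).items()}

def whitelist_detector(baseline: Dict[Tuple, dict]) -> Detector:
    """Placeholder method: learn function codes seen in clean traffic, flag the rest."""
    allowed = set()
    for feat in baseline.values():
        allowed.update(feat["function_codes"])
    def detect(feat: dict) -> List[str]:
        alerts = []
        unknown = sorted(set(feat["function_codes"]) - allowed)
        if unknown:
            alerts.append(f"unexpected function codes {unknown}")
        if feat["exceptions"]:
            alerts.append(f"{feat['exceptions']} exception responses")
        if feat["malformed"]:
            alerts.append(f"{feat['malformed']} malformed frames")
        return alerts
    return detect

def modbus_frame(tid: int, unit: int, fc: int, body: bytes) -> bytes:
    """Build a Modbus/TCP frame (MBAP + PDU) for the constructed samples below."""
    pdu = bytes([fc]) + body
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

# Constructed traffic (not a capture): an HMI polling a PLC with Read Holding Registers (FC3).
HMI, PLC, ROGUE = "10.0.0.10", "10.0.0.20", "10.0.0.99"

def poll(ts: float, tid: int) -> List[Packet]:
    return [Packet(ts, HMI, 50000, PLC, 502, modbus_frame(tid, 1, 3, b"\x00\x00\x00\x0a")),
            Packet(ts + 0.01, PLC, 502, HMI, 50000, modbus_frame(tid, 1, 3, b"\x14" + b"\x00" * 20))]

BASELINE = [p for i in range(5) for p in poll(float(i), i)]
# Test window: the same polling plus a new host writing registers (FC16) and being refused.
TEST = [p for i in range(3) for p in poll(10.0 + i, 100 + i)] + [
    Packet(12.5, ROGUE, 40000, PLC, 502, modbus_frame(7, 1, 16, b"\x00\x10\x00\x01\x02\xff\xff")),
    Packet(12.51, PLC, 502, ROGUE, 40000, modbus_frame(7, 1, 0x90, b"\x02")),  # FC16 | 0x80, code 2
]

def demo() -> Dict[Tuple, List[str]]:
    detector = whitelist_detector(flow_features(BASELINE))
    return run_pipeline(TEST, detector)

if __name__ == "__main__":
    print(demo())
```

The point of the split is that `flow_features` never knows which detector consumes it: swapping the whitelist for a statistical or learned model only means passing a different callable to `run_pipeline`, which is the interchangeability the abstract argues for. Note also that malformed frames are counted rather than silently dropped, since a parser that discards what it cannot decode hides exactly the traffic an anomaly detector should see.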

Cited By

  • Effective DDoS attack detection in software-defined vehicular networks using statistical flow analysis and machine learning. PLOS ONE 19(12): e0314695, online 18 Dec 2024. https://doi.org/10.1371/journal.pone.0314695

Published In

ECBS 2021: 7th Conference on the Engineering of Computer Based Systems
May 2021
168 pages
ISBN: 9781450390576
DOI: 10.1145/3459960
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. Anomaly Detection
2. Industrial Control Systems
3. Network Traffic Classification
4. Network Traffic Processing

Qualifiers

• Research-article
• Research
• Refereed limited

Funding Sources

• Ministry of Interior of the Czech Republic

Conference

ECBS 2021

Acceptance Rates

Overall Acceptance Rate 25 of 49 submissions, 51%
