A module for anomaly detection in ICS networks

Matti Mantere, Mirko Sailio, Sami Noponen

    Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

    18 Citations (Scopus)

    Abstract

    Network security monitoring using machine learning algorithms is a topic that has been well researched and found to be difficult to use. We propose a specific approach for restricted IP network environments that leverages network state information together with information from individual connections for an increased level of sensitivity. The approach is meant for restricted IP networks which exhibit a level of determinism that makes a machine learning approach feasible. In this work we use an algorithm called Self-Organizing Maps (SOM). We introduce an implementation of a self-organizing maps engine built on top of the Bro network security monitor. An implemented selection of initial features for the Self-Organizing Maps is provided, and a sample subset is used when training a SOM lattice on network data from an industrial control system environment. The anomaly detection prototype described in this paper is meant as a complementary mechanism, not a standalone solution for network security monitoring.
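    As an added illustration of the approach the abstract describes (not the authors' Bro module), the following toy Self-Organizing Map trains on constructed connection-level features and uses quantization error (distance to the best matching unit) as the per-connection anomaly score; the feature set, the scaling constants and the sample connections are assumptions made for this example.

```python
import math
import random
# Constructed per-connection records in the spirit of Bro conn logs; a polling
# ICS network produces tight, repeated patterns (the determinism the paper relies on).
def _poll(rng, ob, rb, dur):
    return {"orig_bytes": ob + rng.randint(-2, 2), "resp_bytes": rb + rng.randint(-4, 4),
            "duration": dur + rng.uniform(-0.01, 0.01)}

_rng = random.Random(7)
NORMAL_CONNS = ([_poll(_rng, 60, 120, 0.05) for _ in range(20)]
                + [_poll(_rng, 200, 900, 0.40) for _ in range(20)])
SUSPECT_CONN = {"orig_bytes": 3000, "resp_bytes": 48000, "duration": 9.0}  # constructed outlier
SCALE = {"orig_bytes": 1000.0, "resp_bytes": 10000.0, "duration": 1.0}  # assumed scaling
def features(conn):
    """Fixed-order, roughly unit-scaled feature vector for one connection."""
    return [conn[k] / SCALE[k] for k in ("orig_bytes", "resp_bytes", "duration")]

def bmu(lattice, x):
    """Best matching unit: lattice coordinates of the closest weight vector."""
    cells = [(i, j) for i in range(len(lattice)) for j in range(len(lattice[0]))]
    return min(cells, key=lambda c: sum((a - b) ** 2 for a, b in zip(lattice[c[0]][c[1]], x)))

def train_som(vectors, height=4, width=4, epochs=100, seed=1):
    """Online SOM training with a learning rate and Gaussian neighbourhood that shrink."""
    rng = random.Random(seed)
    dim = len(vectors[0])
    lattice = [[[rng.random() for _ in range(dim)] for _ in range(width)] for _ in range(height)]
    r0 = max(height, width) / 2.0
    for epoch in range(epochs):
        t = epoch / epochs
        lr, radius = 0.5 * (1 - t), r0 * (1 - t) + 0.5
        for x in vectors:
            bi, bj = bmu(lattice, x)
            for i in range(height):
                for j in range(width):
                    h = math.exp(-((i - bi) ** 2 + (j - bj) ** 2) / (2 * radius ** 2))
                    for k in range(dim):
                        lattice[i][j][k] += lr * h * (x[k] - lattice[i][j][k])
    return lattice

def quantization_error(lattice, x):
    """Distance from x to its BMU; used here as the per-connection anomaly score."""
    i, j = bmu(lattice, x)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(lattice[i][j], x)))

def threshold(lattice, vectors, k=3.0):
    """Cut-off at mean + k*std of the training errors (a simple, tunable choice)."""
    errs = [quantization_error(lattice, v) for v in vectors]
    mean = sum(errs) / len(errs)
    return mean + k * math.sqrt(sum((e - mean) ** 2 for e in errs) / len(errs))
```

    A lattice trained only on the deterministic polling traffic places every weight vector inside the range of the training data, so a connection far outside that range scores well above the cut-off while the training connections themselves mostly fall below it.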
    Original language: English
    Title of host publication: Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14
    Publisher: Association for Computing Machinery ACM
    Pages: 49-56
    ISBN (Print): 978-1-4503-2652-0
    DOIs
    Publication status: Published - 2014
    MoE publication type: A4 Article in a conference publication
    Event: 3rd international conference on High confidence networked systems, HiCoNS 2014 - Berlin, Germany
    Duration: 15 Apr 2014 to 17 Apr 2014

    Conference

    Conference: 3rd international conference on High confidence networked systems, HiCoNS 2014
    Abbreviated title: HiCoNS 2014
    Country/Territory: Germany
    City: Berlin
    Period: 15/04/14 to 17/04/14

    Keywords

    • Cyber security
    • anomaly detection
    • network security
    • SCADA security
    • ICS security
