A module for anomaly detection in ICS networks

Matti Mantere, Mirko Sailio, Sami Noponen

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

10 Citations (Scopus)

Abstract

Network security monitoring using machine learning algorithms is a topic that has been well researched and found to be difficult to use. We propose to use a specific approach in restricted IP network environments and leverage the network state information and information from individual connections for an increased level of sensitivity. The approach is meant for use in restricted IP networks which exhibit a level of determinism that enables the use of a machine learning approach. In this work we use an algorithm called Self-Organizing Maps (SOM). We introduce an implementation of a self-organizing maps engine built on top of the Bro network security monitor. An implemented selection of initial features for the Self-Organizing Maps is provided, and a sample sub-set is used when training a SOM lattice on network data from an industrial control system environment. The anomaly detection prototype described in this paper is meant as a complementary mechanism, not a standalone solution for network security monitoring.
Original language: English
Title of host publication: Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14
Publisher: Association for Computing Machinery ACM
Pages: 49-56
ISBN (Print): 978-1-4503-2652-0
DOIs: 10.1145/2566468.2566478
Publication status: Published - 2014
MoE publication type: A4 Article in a conference publication
Event: 3rd international conference on High confidence networked systems, HiCoNS 2014 - Berlin, Germany
Duration: 15 Apr 2014 - 17 Apr 2014

Conference

Conference: 3rd international conference on High confidence networked systems, HiCoNS 2014
Abbreviated title: HiCoNS 2014
Country: Germany
City: Berlin
Period: 15/04/14 - 17/04/14

Fingerprint

  • Network security
  • Self organizing maps
  • Learning systems
  • Monitoring
  • Learning algorithms
  • Engines
  • Control systems

Keywords

  • Cyber security
  • anomaly detection
  • network security
  • SCADA security
  • ICS security

Cite this

Mantere, M., Sailio, M., & Noponen, S. (2014). A module for anomaly detection in ICS networks. In Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14 (pp. 49-56). Association for Computing Machinery ACM. https://doi.org/10.1145/2566468.2566478