A module for anomaly detection in ICS networks

Matti Mantere, Mirko Sailio, Sami Noponen

    Research output: Chapter in Book/Report/Conference proceeding > Conference article in proceedings > Scientific > peer-review

    10 Citations (Scopus)

    Abstract

    Network security monitoring using machine learning algorithms is a topic that has been well researched and found to be difficult to use. We propose to use a specific approach in restricted IP network environments and leverage the network state information and information from individual connections for an increased level of sensitivity. The approach is meant for use in restricted IP networks which exhibit a level of determinism that enables the use of a machine learning approach. In this work we use an algorithm called Self-Organizing Maps (SOM). We introduce an implementation of a self-organizing maps engine built on top of the Bro network security monitor. An implemented selection of initial features for the Self-Organizing Maps is provided and a sample subset is used when training a SOM lattice for network data from an industrial control system environment. The anomaly detection prototype described in this paper is meant as a complementary mechanism, not a standalone solution for network security monitoring.
    Original language: English
    Title of host publication: Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14
    Publisher: Association for Computing Machinery ACM
    Pages: 49-56
    ISBN (Print): 978-1-4503-2652-0
    DOIs: https://doi.org/10.1145/2566468.2566478
    Publication status: Published - 2014
    MoE publication type: A4 Article in a conference publication
    Event: 3rd international conference on High confidence networked systems, HiCoNS 2014 - Berlin, Germany
    Duration: 15 Apr 2014 to 17 Apr 2014

    Conference

    Conference: 3rd international conference on High confidence networked systems, HiCoNS 2014
    Abbreviated title: HiCoNS 2014
    Country: Germany
    City: Berlin
    Period: 15/04/14 to 17/04/14

    Fingerprint

    Network security
    Self organizing maps
    Learning systems
    Monitoring
    Learning algorithms
    Engines
    Control systems

    Keywords

    • Cyber security
    • anomaly detection
    • network security
    • SCADA security
    • ICS security

    Cite this

    Mantere, M., Sailio, M., & Noponen, S. (2014). A module for anomaly detection in ICS networks. In Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14 (pp. 49-56). Association for Computing Machinery ACM. https://doi.org/10.1145/2566468.2566478
    @inproceedings{114cfd5730f2478eae4308363c672ae3,
    title = "A module for anomaly detection in ICS networks",
    keywords = "Cyber security, anomaly detection, network security, SCADA security, ICS security",
    author = "Matti Mantere and Mirko Sailio and Sami Noponen",
    year = "2014",
    doi = "10.1145/2566468.2566478",
    language = "English",
    isbn = "978-1-4503-2652-0",
    pages = "49--56",
    booktitle = "Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14",
    publisher = "Association for Computing Machinery ACM",
    address = "United States",

    }
