A module for anomaly detection in ICS networks

Matti Mantere; Mirko Sailio; Sami Noponen

doi:10.1145/2566468.2566478

A module for anomaly detection in ICS networks

Matti Mantere
, Mirko Sailio
, Sami Noponen

VTT (former employee or external)

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

19 Citations (Scopus)

Abstract

Network security monitoring using machine learning algorithms is a topic that has been well researched and found to be difficult to use. We propose to use a specific approach in restricted IP network environments and leverage the network state information and information from individual connections for increased level of sensitivity. The approach is meant for use in restricted IP networks which exhibit a level of determinism that enables the use of machine learning approach. In this work we use algorithm called Self-Organizing Maps. We introduce an implementation of self-organizing maps engine built on top of the Bro network security monitor. An implemented selection of initial features for the Self-Organizing Maps is provided and a sample sub-set is used when training a SOM lattice for network data from an industrial control system environment. The anomaly detection prototype described in this paper is meant as a complementary mechanism, not a standalone solution for network security monitoring

Original language	English
Title of host publication	Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14
Publisher	Association for Computing Machinery ACM
Pages	49-56
ISBN (Print)	978-1-4503-2652-0
DOIs	https://doi.org/10.1145/2566468.2566478
Publication status	Published - 2014
MoE publication type	A4 Article in a conference publication
Event	3rd international conference on High confidence networked systems, HiCoNS 2014 - Berlin, Germany Duration: 15 Apr 2014 → 17 Apr 2014

Conference

Conference	3rd international conference on High confidence networked systems, HiCoNS 2014
Abbreviated title	HiCoNS 2014
Country/Territory	Germany
City	Berlin
Period	15/04/14 → 17/04/14

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 9 Industry, Innovation, and Infrastructure

Keywords

Cyber security
anomaly detection
network security
SCADA security
ICS security

Access to Document

10.1145/2566468.2566478

Cite this

@inproceedings{114cfd5730f2478eae4308363c672ae3,

title = "A module for anomaly detection in ICS networks",

abstract = "Network security monitoring using machine learning algorithms is a topic that has been well researched and found to be difficult to use. We propose to use a specific approach in restricted IP network environments and leverage the network state information and information from individual connections for increased level of sensitivity. The approach is meant for use in restricted IP networks which exhibit a level of determinism that enables the use of machine learning approach. In this work we use algorithm called Self-Organizing Maps. We introduce an implementation of self-organizing maps engine built on top of the Bro network security monitor. An implemented selection of initial features for the Self-Organizing Maps is provided and a sample sub-set is used when training a SOM lattice for network data from an industrial control system environment. The anomaly detection prototype described in this paper is meant as a complementary mechanism, not a standalone solution for network security monitoring",

keywords = "Cyber security, anomaly detection, network security, SCADA security, ICS security",

author = "Matti Mantere and Mirko Sailio and Sami Noponen",

year = "2014",

doi = "10.1145/2566468.2566478",

language = "English",

isbn = "978-1-4503-2652-0",

pages = "49--56",

booktitle = "Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14",

publisher = "Association for Computing Machinery ACM",

address = "United States",

note = "3rd international conference on High confidence networked systems, HiCoNS 2014, HiCoNS 2014 ; Conference date: 15-04-2014 Through 17-04-2014",

}

Mantere, M, Sailio, M & Noponen, S 2014, A module for anomaly detection in ICS networks. in Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14. Association for Computing Machinery ACM, pp. 49-56, 3rd international conference on High confidence networked systems, HiCoNS 2014, Berlin, Germany, 15/04/14. https://doi.org/10.1145/2566468.2566478

A module for anomaly detection in ICS networks. / Mantere, Matti; Sailio, Mirko; Noponen, Sami.
Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14. Association for Computing Machinery ACM, 2014. p. 49-56.

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

TY - GEN

T1 - A module for anomaly detection in ICS networks

AU - Mantere, Matti

AU - Sailio, Mirko

AU - Noponen, Sami

PY - 2014

Y1 - 2014

N2 - Network security monitoring using machine learning algorithms is a topic that has been well researched and found to be difficult to use. We propose to use a specific approach in restricted IP network environments and leverage the network state information and information from individual connections for increased level of sensitivity. The approach is meant for use in restricted IP networks which exhibit a level of determinism that enables the use of machine learning approach. In this work we use algorithm called Self-Organizing Maps. We introduce an implementation of self-organizing maps engine built on top of the Bro network security monitor. An implemented selection of initial features for the Self-Organizing Maps is provided and a sample sub-set is used when training a SOM lattice for network data from an industrial control system environment. The anomaly detection prototype described in this paper is meant as a complementary mechanism, not a standalone solution for network security monitoring

AB - Network security monitoring using machine learning algorithms is a topic that has been well researched and found to be difficult to use. We propose to use a specific approach in restricted IP network environments and leverage the network state information and information from individual connections for increased level of sensitivity. The approach is meant for use in restricted IP networks which exhibit a level of determinism that enables the use of machine learning approach. In this work we use algorithm called Self-Organizing Maps. We introduce an implementation of self-organizing maps engine built on top of the Bro network security monitor. An implemented selection of initial features for the Self-Organizing Maps is provided and a sample sub-set is used when training a SOM lattice for network data from an industrial control system environment. The anomaly detection prototype described in this paper is meant as a complementary mechanism, not a standalone solution for network security monitoring

KW - Cyber security

KW - anomaly detection

KW - network security

KW - SCADA security

KW - ICS security

U2 - 10.1145/2566468.2566478

DO - 10.1145/2566468.2566478

M3 - Conference article in proceedings

SN - 978-1-4503-2652-0

SP - 49

EP - 56

BT - Proceedings of the 3rd international conference on High confidence networked systems, HiCoNS '14

PB - Association for Computing Machinery ACM

T2 - 3rd international conference on High confidence networked systems, HiCoNS 2014

Y2 - 15 April 2014 through 17 April 2014

ER -

A module for anomaly detection in ICS networks

Abstract

Conference

UN SDGs

Keywords

Access to Document

Fingerprint

Cite this