Detecting anomalies in printed intelligence factory network

Matti Mantere, Mirko Sailio, Sami Noponen

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

Abstract

Network security monitoring in ICS, or SCADA, networks provides opportunities and corresponding challenges. Anomaly detection using machine learning has traditionally performed sub-optimally when brought out of laboratory environments and into more open networks. We have proposed using machine learning for anomaly detection in ICS networks when certain prerequisites, e.g. predictability, are met. Results are reported for the validation of a previously introduced ML module for the Bro NSM using captures from an operational ICS network. The number of false positives and the detection capability are reported. Parts of the packet capture files used include reconnaissance activity. The results point to adequate initial capability. The system is functional, usable and ready for further development. The easily modified and configured module represents a proof-of-concept implementation of the introduced event-driven, machine-learning-based anomaly detection concept for a single event and algorithm.
Original language: English
Title of host publication: Risks and Security of Internet and Systems
Subtitle of host publication: CRiSIS 2014
Publisher: Springer
Pages: 1-16
ISBN (Electronic): 978-3-319-17127-2
ISBN (Print): 978-3-319-17126-5
DOIs: 10.1007/978-3-319-17127-2_1
Publication status: Published - 28 Apr 2015
MoE publication type: A4 Article in a conference publication
Event: 9th International Conference on Risks and Security of Internet and Systems, CRiSIS 2014 - Trento, Italy
Duration: 27 Aug 2015 to 29 Aug 2015
Conference number: 9

Publication series

Name: Lecture Notes in Computer Science LNCS
Publisher: Springer
Volume: 8924
ISSN (Print): 0302-9743

Conference

Conference: 9th International Conference on Risks and Security of Internet and Systems, CRiSIS 2014
Abbreviated title: CRiSIS 2014
Country: Italy
City: Trento
Period: 27/08/15 to 29/08/15

Fingerprint

Industrial plants
Learning systems
Network security
Monitoring

Keywords

  • anomaly detection
  • cybersecurity
  • ICS network
  • machine learning
  • network security monitoring
  • SCADA network

Cite this

Mantere, M., Sailio, M., & Noponen, S. (2015). Detecting anomalies in printed intelligence factory network. In Risks and Security of Internet and Systems: CRiSIS 2014 (pp. 1-16). Springer. Lecture Notes in Computer Science, Vol. 8924. https://doi.org/10.1007/978-3-319-17127-2_1
Mantere, Matti ; Sailio, Mirko ; Noponen, Sami. / Detecting anomalies in printed intelligence factory network. Risks and Security of Internet and Systems: CRiSIS 2014. Springer, 2015. pp. 1-16 (Lecture Notes in Computer Science, Vol. 8924).
@inproceedings{7ecc3bacc235493d97640366c8120e24,
title = "Detecting anomalies in printed intelligence factory network",
abstract = "Network security monitoring in ICS, or SCADA, networks provides opportunities and corresponding challenges. Anomaly detection using machine learning has traditionally performed sub-optimally when brought out of laboratory environments and into more open networks. We have proposed using machine learning for anomaly detection in ICS networks when certain prerequisites, e.g. predictability, are met. Results are reported for the validation of a previously introduced ML module for the Bro NSM using captures from an operational ICS network. The number of false positives and the detection capability are reported. Parts of the packet capture files used include reconnaissance activity. The results point to adequate initial capability. The system is functional, usable and ready for further development. The easily modified and configured module represents a proof-of-concept implementation of the introduced event-driven, machine-learning-based anomaly detection concept for a single event and algorithm.",
keywords = "anomaly detection, cybersecurity, ICS network, machine learning, network security monitoring, SCADA network",
author = "Matti Mantere and Mirko Sailio and Sami Noponen",
year = "2015",
month = "4",
day = "28",
doi = "10.1007/978-3-319-17127-2_1",
language = "English",
isbn = "978-3-319-17126-5",
series = "Lecture Notes in Computer Science LNCS",
publisher = "Springer",
pages = "1--16",
booktitle = "Risks and Security of Internet and Systems",
address = "Germany",

}
