Network traffic features for anomaly detection in specific industrial control system network

Matti Mantere (Corresponding Author), Mirko Sailio, Sami Noponen

Research output: Contribution to journal, Article, Scientific, peer-reviewed

23 Citations (Scopus)

Abstract

The deterministic and restricted nature of industrial control system networks sets them apart from more open networks, such as local area networks in office environments. This improves the usability of network security monitoring approaches that would be less feasible in more open environments. One such approach is machine learning based anomaly detection. Without proper customization for the special requirements of the industrial control system network environment, many existing anomaly or misuse detection systems will perform sub-optimally. A machine learning based approach could reduce the amount of manual customization required for different industrial control system networks. In this paper we analyze a possible set of features to be used in a machine learning based anomaly detection system in the real-world industrial control system network environment under investigation. The network under investigation is represented by an architectural drawing and results derived from network trace analysis. The network trace is captured from a live running industrial process control network and includes both control data and the data flowing between the control network and the office network. We limit the investigation to the IP traffic in the traces.
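The abstract's security-relevant claim is that the deterministic, restricted traffic of a control network makes a learned baseline practical. The following Python is an added illustration of that claim, not code or the feature set from the paper: it derives three traffic features (unidirectional flow tuple, inter-arrival time, frame length) from a constructed clean capture, builds a per-flow baseline, and scores a second constructed capture against it. The hosts, ports, polling periods and tolerance thresholds are assumptions made for the example.

```python
"""Per-flow traffic baseline for a restricted ICS network segment.

Added illustration (not the paper's code or feature set): learn what
"normal" looks like from a clean capture, then flag packets that fall
outside it. Hosts, ports and timings below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    length: int    # frame length in bytes


def flow_key(p):
    """Feature 1: the unidirectional flow tuple (who talks to whom, on what)."""
    return (p.src, p.dst, p.proto, p.dport)


class FlowBaseline:
    """Whitelist of flows plus per-flow inter-arrival and length profiles."""

    def __init__(self, k=4.0, min_samples=5):
        self.k = k                      # tolerance in standard deviations (assumed)
        self.min_samples = min_samples  # flows with fewer packets get no timing check
        self.flows = {}

    def fit(self, packets):
        by_flow = defaultdict(list)
        for p in sorted(packets, key=lambda p: p.ts):
            by_flow[flow_key(p)].append(p)
        for key, pkts in by_flow.items():
            # Feature 2: inter-arrival time between consecutive packets of a flow.
            iats = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
            self.flows[key] = {
                "count": len(pkts),
                "iat_mean": mean(iats) if iats else None,
                "iat_std": pstdev(iats) if len(iats) > 1 else 0.0,
                # Feature 3: observed frame-length range.
                "len_min": min(p.length for p in pkts),
                "len_max": max(p.length for p in pkts),
            }
        return self

    def score(self, packets):
        """Return (reason, packet) alerts for packets that deviate from the baseline."""
        alerts, last_ts = [], {}
        for p in sorted(packets, key=lambda p: p.ts):
            key = flow_key(p)
            prof = self.flows.get(key)
            if prof is None:
                alerts.append(("unknown_flow", p))   # never seen in training
                continue
            if not prof["len_min"] <= p.length <= prof["len_max"]:
                alerts.append(("length_out_of_range", p))
            if key in last_ts and prof["iat_mean"] is not None and prof["count"] >= self.min_samples:
                iat = p.ts - last_ts[key]
                # Floor the tolerance at 5% of the mean so a perfectly regular
                # training flow (std == 0) does not alert on tiny jitter.
                tol = self.k * max(prof["iat_std"], 0.05 * prof["iat_mean"])
                if abs(iat - prof["iat_mean"]) > tol:
                    alerts.append(("timing_deviation", p))
            last_ts[key] = p.ts
        return alerts


# Constructed "clean" capture: an HMI polls a PLC over Modbus/TCP (502) once a
# second with 10 ms jitter, and pushes data to an office-side database host
# (5432) every 10 s with two frame sizes. Addresses are hypothetical.
HMI, PLC, OFFICE_DB = "192.168.10.5", "192.168.10.20", "10.0.0.50"


def training_capture():
    polls = [Packet(t + (0.01 if t % 2 else -0.01), HMI, PLC, "tcp", 502, 66)
             for t in range(60)]
    exports = [Packet(10.0 * t, HMI, OFFICE_DB, "tcp", 5432, 200 if t % 2 else 1500)
               for t in range(30)]
    return polls + exports


def build_baseline():
    return FlowBaseline().fit(training_capture())


def test_capture():
    """Constructed capture with one normal run and three kinds of deviation."""
    normal = [Packet(100.0 + i, HMI, PLC, "tcp", 502, 66) for i in range(5)]
    burst = [Packet(104.05 + 0.05 * i, HMI, PLC, "tcp", 502, 66) for i in range(3)]
    new_service = [Packet(105.0, HMI, PLC, "tcp", 22, 80)]       # SSH to the PLC: never seen
    oversized = [Packet(110.0, HMI, OFFICE_DB, "tcp", 5432, 9000)]
    return normal + burst + new_service + oversized


def alert_summary():
    """Count alerts by reason for the constructed test capture."""
    return dict(Counter(reason for reason, _ in build_baseline().score(test_capture())))


if __name__ == "__main__":
    for reason, p in build_baseline().score(test_capture()):
        print(f"{p.ts:8.2f} {p.src} -> {p.dst}:{p.dport}/{p.proto} len={p.length}  {reason}")
```

The statistical profile stands in for the learned model; the point it makes is the one in the abstract: on a network whose flow set and polling cadence are fixed, an unseen flow tuple or a broken cadence is a strong signal, whereas the same rules would drown an office LAN in alerts. The `k` and `min_samples` knobs are exactly the per-site customization a learning approach tries to reduce. The usual caveat applies: a baseline fitted to a capture that already contained unwanted traffic whitelists that traffic, so the training window has to be vetted before it is trusted.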
Original language: English
Pages (from-to): 460-473
Number of pages: 13
Journal: Future Internet
Volume: 5
Issue number: 4
DOIs: 10.3390/fi5040460
Publication status: Published - 2013
MoE publication type: A1 Journal article-refereed

Fingerprint

Control systems
Learning systems
Trace analysis
Network security
Local area networks
Process control
Monitoring

Keywords

  • industrial control systems
  • anomaly detection
  • machine learning
  • network security

Cite this

@article{d9e701e7145d4124a628120a6ab2f2f1,
title = "Network traffic features for anomaly detection in specific industrial control system network",
abstract = "The deterministic and restricted nature of industrial control system networks sets them apart from more open networks, such as local area networks in office environments. This improves the usability of network security monitoring approaches that would be less feasible in more open environments. One such approach is machine learning based anomaly detection. Without proper customization for the special requirements of the industrial control system network environment, many existing anomaly or misuse detection systems will perform sub-optimally. A machine learning based approach could reduce the amount of manual customization required for different industrial control system networks. In this paper we analyze a possible set of features to be used in a machine learning based anomaly detection system in the real-world industrial control system network environment under investigation. The network under investigation is represented by an architectural drawing and results derived from network trace analysis. The network trace is captured from a live running industrial process control network and includes both control data and the data flowing between the control network and the office network. We limit the investigation to the IP traffic in the traces.",
keywords = "industrial control systems, anomaly detection, machine learning, network security",
author = "Matti Mantere and Mirko Sailio and Sami Noponen",
year = "2013",
doi = "10.3390/fi5040460",
language = "English",
volume = "5",
pages = "460--473",
journal = "Future Internet",
issn = "1999-5903",
publisher = "MDPI",
number = "4",
}

Network traffic features for anomaly detection in specific industrial control system network. / Mantere, Matti (Corresponding Author); Sailio, Mirko; Noponen, Sami.

In: Future Internet, Vol. 5, No. 4, 2013, p. 460-473.

TY - JOUR
T1 - Network traffic features for anomaly detection in specific industrial control system network
AU - Mantere, Matti
AU - Sailio, Mirko
AU - Noponen, Sami
PY - 2013
Y1 - 2013
N2 - The deterministic and restricted nature of industrial control system networks sets them apart from more open networks, such as local area networks in office environments. This improves the usability of network security monitoring approaches that would be less feasible in more open environments. One such approach is machine learning based anomaly detection. Without proper customization for the special requirements of the industrial control system network environment, many existing anomaly or misuse detection systems will perform sub-optimally. A machine learning based approach could reduce the amount of manual customization required for different industrial control system networks. In this paper we analyze a possible set of features to be used in a machine learning based anomaly detection system in the real-world industrial control system network environment under investigation. The network under investigation is represented by an architectural drawing and results derived from network trace analysis. The network trace is captured from a live running industrial process control network and includes both control data and the data flowing between the control network and the office network. We limit the investigation to the IP traffic in the traces.
AB - The deterministic and restricted nature of industrial control system networks sets them apart from more open networks, such as local area networks in office environments. This improves the usability of network security monitoring approaches that would be less feasible in more open environments. One such approach is machine learning based anomaly detection. Without proper customization for the special requirements of the industrial control system network environment, many existing anomaly or misuse detection systems will perform sub-optimally. A machine learning based approach could reduce the amount of manual customization required for different industrial control system networks. In this paper we analyze a possible set of features to be used in a machine learning based anomaly detection system in the real-world industrial control system network environment under investigation. The network under investigation is represented by an architectural drawing and results derived from network trace analysis. The network trace is captured from a live running industrial process control network and includes both control data and the data flowing between the control network and the office network. We limit the investigation to the IP traffic in the traces.
KW - industrial control systems
KW - anomaly detection
KW - machine learning
KW - network security
U2 - 10.3390/fi5040460
DO - 10.3390/fi5040460
M3 - Article
VL - 5
SP - 460
EP - 473
JO - Future Internet
JF - Future Internet
SN - 1999-5903
IS - 4
ER -