Detail výsledku
A Network Traffic Processing Library for ICS Anomaly Detection
Anomaly detection in industrial control systems based on traffic monitoring is one of the key components in securing these critical cyber-physical environments. Many anomaly detection methods have been proposed in the past decade. They are based on various principles stemming from signature detection, statistical analysis, or machine learning. Because of the lack of ICS communication datasets, their evaluation and mainly comparing their performance is problematic. If provided as a prototype implementation, the methods are implemented in various languages and require different input formats. In the present paper, we propose a library that can process ICS communication, extract required information, e.g., various packet-level or flow-level features, and provide the data to a user-specified anomaly detection method. It is possible to integrate the library in the system that automates the entire processing pipeline enabling us to conduct experiments with different methods while saving the time needed for manual data preparation. We also provide a preliminary performance evaluation of the library and demonstrate the system using two simple anomaly detection methods.
Anomaly Detection, Industrial Control Systems, Network Traffic Classification, Network Traffic Processing, Data Preparation Phase, Time Series Anomaly, ICS Anomaly Detection, Packet Traces
@inproceedings{BUT171483,
author="Ondřej {Ryšavý} and Petr {Matoušek}",
title="A Network Traffic Processing Library for ICS Anomaly Detection",
booktitle="ECBS '21: Proceedings of the 7th Conference on the Engineering of Computer Based Systems",
year="2021",
pages="144--151",
publisher="Association for Computing Machinery",
address="Novi Sad",
doi="10.1145/3459960.3459963",
isbn="978-1-4503-9057-6",
url="https://www.fit.vut.cz/research/publication/12483/"
}