APAD: Autoencoder-based Payload Anomaly Detection for industrial IoE

Abstract

The Internet of Things era is being replaced by the Internet of Everything (IoE) era, where everything can communicate with everything else. With the advent of the fourth industrial revolution and the IoE era, industrial control systems (ICSs) are transitioning into industrial IoE (IIoE). The ICS, which is no longer a closed network, suffers from various cybersecurity threats. Since the attack of Stuxnet in 2010, the malware used to attack critical infrastructure (CI) has become increasingly sophisticated. Furthermore, recent attacks have mimicked normal network traffic. Therefore, investigating intrusion detection systems is necessary to detect these advanced cyberattacks. However, detecting advanced attacks, such as false data injection, is difficult because the traditional detection methods focus only on the protocol header fields. Most studies have not considered low-performance field devices, which are vulnerable to threats. Therefore, we have classified the extended reference model RAMI 4.0, which is the new ICS reference model in the fourth industrial revolution, into two levels: an operative level and a product process management level. A fast and lightweight algorithm is required at the operative level because the low-performance devices communicate with each other in real time. In addition, efficient data processing is important because considerable amount of data is concentrated at the product process management level. Based on these characteristics, a payload-based abnormal behavior detection method, i.e., the autoencoder-based payload anomaly detection (APAD), is proposed for each level. APAD uses an autoencoder to distinguish between normal and abnormal behaviors in low-performance devices. Furthermore, traffic analysis and a considerable amount of time are required to apply a traditional detection method at the product process management level. However, the proposed method does not require long-time traffic analysis. It exhibits a higher detection rate compared with those exhibited by other methods based on verification using the open secure water treatment dataset called SWaT.