Abstract

Following attacks such as Stuxnet and BlackEnergy that targeted the control systems of critical infrastructure, the importance of strengthening the security of facilities such as industrial CPS (Cyber Physical Systems) has become apparent. In this paper, reflecting the characteristics of industrial CPS, we propose a packet diversity-based anomaly detection model that can be trained and can perform detection more effectively than existing anomaly detection systems. To enhance the sensitivity of the detection model, the proposed system groups the data of an industrial CPS by packet structure, based on features of the packet header, and constructs a detection model for each group. The proposed detection system targets single-packet anomaly detection, to cope with threats such as injection attacks, the malformed packets used in fuzzing, and others. For the architecture of the anomaly detection system, we consider a dual structure that applies both a whitelist and a learning-based detection model. We also propose measuring packet diversity, using the payload variation of packets and entropy-based uncertainty, to select which learning-based detection model is appropriate for a dataset. As learning-based detection models, the anomaly detection system uses a model constructed with the well-known learning method OCSVM (One-Class SVM) and a newly proposed representative detection model designed to address the limitation of OCSVM.
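As an added illustration of the grouping and entropy-based diversity idea summarized above (this is not the paper's code or its exact metric), the sketch below groups constructed packets by header features and scores each group by mean per-byte Shannon entropy of the payload. The header fields, the sample packets, and the per-position entropy definition are assumptions made for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample traffic: ((src, dst_port, function_code), payload).
# The header fields and values are assumptions for this example.
PACKETS = [
    (("10.0.0.5", 502, 3), bytes([0x00, 0x10, 0x00, 0x02])),
    (("10.0.0.5", 502, 3), bytes([0x00, 0x10, 0x00, 0x02])),
    (("10.0.0.5", 502, 3), bytes([0x00, 0x10, 0x00, 0x02])),
    (("10.0.0.5", 502, 3), bytes([0x00, 0x10, 0x00, 0x02])),
    (("10.0.0.7", 502, 16), bytes([0x01, 0x0A])),
    (("10.0.0.7", 502, 16), bytes([0x01, 0x0B])),
    (("10.0.0.7", 502, 16), bytes([0x01, 0x0C])),
    (("10.0.0.7", 502, 16), bytes([0x01, 0x0D])),
]


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def group_by_header(packets):
    """Group payloads by header features plus payload length, so that
    byte positions line up inside each group (one packet structure each)."""
    groups = defaultdict(list)
    for header, payload in packets:
        groups[(header, len(payload))].append(payload)
    return groups


def packet_diversity(payloads):
    """Mean per-byte-position entropy, normalised to [0, 1] (8 bits max)."""
    length = len(payloads[0])
    if length == 0:
        return 0.0
    per_position = [shannon_entropy([p[i] for p in payloads])
                    for i in range(length)]
    return sum(per_position) / (8 * length)


def diversity_report(packets):
    """Diversity score per packet-structure group."""
    return {key: packet_diversity(payloads)
            for key, payloads in group_by_header(packets).items()}


if __name__ == "__main__":
    for key, score in diversity_report(PACKETS).items():
        print(key, round(score, 4))
```

A group that scores 0.0 has fully static payloads, while a higher score means more payload variation within that packet structure.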
