Abstract
Visibility of network communications is critical for security analysts to understand, monitor, and secure computer systems. This visibility is difficult to achieve in modern industrial control systems (ICSs), however, as these may contain a multitude of unique sensors, actuators, and controllers, each communicating via bespoke and diverse network protocols. We are the first to show that machine-learning algorithms, trained with logs of observable (and irregular) system events, can serve as accurate black-box network-monitoring tools for unknown protocols, and are robust to mislabelling and non-uniform timing lag. Using a newly curated ICS analogue dataset, available here, we analyze a suite of classical and deep-learning models for an event-detection task, showing that decision trees can achieve F1macro = 99.9% with perfectly labeled training data, gradient-boosted decision-tree ensembles can achieve F1macro = 99.0% with mislabeled training data, and a 1D-CNN-LSTM architecture can achieve F1macro = 92.1% with non-uniform timing lag. We validate these techniques on existing ICS and operational technology datasets, achieving F1macro = 99.0%. Our results are a starting point for future work to enhance existing intrusion-detection systems and forensic analyses.
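As an added illustration (not the paper's code, dataset or models, none of which appear in this abstract), the pipeline the abstract describes in miniature: frames of a constructed "unknown" protocol are labelled from a system event log, a protocol-agnostic feature vector is built without ever parsing the frames, a nearest-centroid classifier stands in for the paper's decision-tree and CNN-LSTM models, and F1macro is scored with clean and with partly mislabelled training labels. The frame formats, event names, sample sizes and noise rate are all assumptions made for the example.

```python
import random
from collections import defaultdict
# Constructed data: frames of an opaque "unknown" protocol that we never parse. Each
# controller event leaves its own byte pattern; a random trailing byte mimics a counter.
EVENT_TEMPLATES = {"idle": b"\x10\x00\x00\x00", "valve_open": b"\x10\x01\xff\x2a",
                   "pump_start": b"\x10\x02\x7f\x7f\x01"}
CLASSES = sorted(EVENT_TEMPLATES)

def make_frames(n, seed, label_noise=0.0):
    """(payload, true_event, logged_label) tuples; a fraction of logged labels are wrong."""
    rng, frames = random.Random(seed), []
    for _ in range(n):
        ev = rng.choice(CLASSES)
        label = rng.choice([c for c in CLASSES if c != ev]) if rng.random() < label_noise else ev
        frames.append((EVENT_TEMPLATES[ev] + bytes([rng.randrange(256)]), ev, label))
    return frames

def features(payload):
    """Protocol-agnostic features: scaled frame length plus a normalised byte histogram."""
    vec = [len(payload) / 16.0] + [0.0] * 256
    for b in payload:
        vec[1 + b] += 1.0 / len(payload)
    return vec

def train_centroids(frames):
    """Nearest-centroid classifier (a stand-in for the paper's tree models): per-label mean."""
    sums, counts = defaultdict(lambda: [0.0] * 257), defaultdict(int)
    for payload, _, label in frames:
        counts[label] += 1
        for i, x in enumerate(features(payload)):
            sums[label][i] += x
    return {lab: [x / counts[lab] for x in sums[lab]] for lab in sums}

def predict(centroids, payload):
    return min(centroids, key=lambda c: sum((a - b) ** 2 for a, b in zip(features(payload), centroids[c])))

def f1_macro(y_true, y_pred):
    """Unweighted mean of per-class F1 = 2TP / ((TP+FP) + (TP+FN)), as the abstract reports."""
    scores = []
    for c in CLASSES:
        tp = sum(t == p == c for t, p in zip(y_true, y_pred))
        support = y_true.count(c) + y_pred.count(c)  # (TP + FN) + (TP + FP)
        scores.append(2 * tp / support if support else 0.0)
    return sum(scores) / len(scores)

def evaluate(label_noise=0.0):
    """Train on event logs with the given label-noise rate; score on clean held-out frames."""
    model = train_centroids(make_frames(300, seed=1, label_noise=label_noise))
    test = make_frames(150, seed=2)
    return f1_macro([ev for _, ev, _ in test], [predict(model, p) for p, _, _ in test])
```

Because the classifier only averages feature vectors per label, symmetric label noise shifts each centroid towards the others without changing which one a clean frame is nearest to, which is why `evaluate(0.2)` stays close to `evaluate()`.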