Anomaly Detection for Modbus over TCP in Control Systems Using Entropy and Classification-Based Analysis-Reference-Cited by-同舟云学术

Anomaly Detection for Modbus over TCP in Control Systems Using Entropy and Classification-Based Analysis

Published:2023-12-01 Issue:4 Volume:3 Page:895-913
ISSN:2624-800X
Container-title:Journal of Cybersecurity and Privacy
language:en
Short-container-title:JCP

Author:

Ghosh Tirthankar¹^ORCID,Bagui Sikha²^ORCID,Bagui Subhash³^ORCID,Kadzis Martin²,Bare Jackson²

Affiliation:

1. Department of Electrical & Computer Engineering and Computer Science, University of New Haven, West Haven, CT 06516, USA

2. Department of Computer Science, University of West Florida, Pensacola, FL 32514, USA

3. Department of Mathematics and Statistics, University of West Florida, Pensacola, FL 32514, USA

Abstract

This article presents a statistical approach using entropy and classification-based analysis to detect anomalies in industrial control systems traffic. Several statistical techniques have been proposed to create baselines and measure deviation to detect intrusion in enterprise networks with a centralized intrusion detection approach in mind. Looking at traffic volume alone to find anomalous deviation may not be enough—it may result in increased false positives. The near real-time communication requirements, coupled with the lack of centralized infrastructure in operations technology and limited resources of the sensor motes, require an efficient anomaly detection system characterized by these limitations. This paper presents extended results from our previous work by presenting a detailed cluster-based entropy analysis on selected network traffic features. It further extends the analysis using a classification-based approach. Our detailed entropy analysis corroborates with our earlier findings that, although some degree of anomaly may be detected using univariate and bivariate entropy analysis for Denial of Service (DOS) and Man-in-the-Middle (MITM) attacks, not much information may be obtained for the initial reconnaissance, thus preventing early stages of attack detection in the Cyber Kill Chain. Our classification-based analysis shows that, overall, the classification results of the DOS attacks were much higher than the MITM attacks using two Modbus features in addition to the three TCP/IP features. In terms of classifiers, J48 and random forest had the best classification results and can be considered comparable. For the DOS attack, no resampling with the 60–40 (training/testing split) had the best results (average accuracy of 97.87%), but for the MITM attack, the 80–20 non-attack vs. attack data with the 75–25 split (average accuracy of 82.81%) had the best results.

Publisher

MDPI AG

Subject

General Earth and Planetary Sciences,General Environmental Science

Link

https://www.mdpi.com/2624-800X/3/4/41/pdf

Reference27 articles.

1. Cardenas, A., Amin, S., Sinopoli, B., Giani, A., Perrig, A., and Sastry, S. (2009, January 22–24). Challenges for Securing Cyber Physical Systems. Proceedings of the Workshop in Cyber Physical Systems, Newark, NJ, USA.

2. Angseus, J., and Ekbom, R. (2017). Network-Based Intrusion Detection Systems for Industrial Control Systems. [Master’s Thesis, Computer Science, Chalmers University of Technology].

3. Koucham, O. (2018). Intrusion Detection for Industrial Control Systems. [Ph.D. Dissertation, Universite Grenoble Aples]. Available online: https://theses.hal.science/tel-02108208/file/KOUCHAM_2018_diffusion.pdf.

4. Industrial Control System Traffic Data Sets for Intrusion Detection Research;Butts;Critical Infrastructure Protection VIII, Proceedings of the ICCIP 2014, IFIP Advances in Information and Communication Technology, Arlington, VA, USA, 17–19 March 2014,2014

5. Bouckaert, R. (2004). Bayesian Network Classifiers in Weka, University of Waikato, Department of Computer Science.