A Method for Anomalies Detection in Real-Time Ethernet Data Traffic Applied to PROFINET

Sestito, Guilherme Serpa; Turcato, Afonso Celso; Dias, André Luís; Rocha, Murilo Silveira; Silva, Maíra Martins da; Ferrari, Paolo; Brandão, Dennis

doi:10.1109/tii.2017.2772082

Cited by 43 publications

(6 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Results show that accuracy, precision, and recall rates are acceptable when compared to previous studies; [14] and [18] are the most similar studies in terms of applied algorithms and testbed environment. In [14], accuracy was found to be between 92% and 99% for various ANN models, whereas the highest accuracy was found to be 100% with k-NN in our work. In [18], anomalies on the water management testbed were found by applying algorithms such as Best-first tree (BFTree), ANN and SVM.…”

Section: Results and Conclusionmentioning

confidence: 67%

“…In addition, Barford and Plonka defined anomalies in three groups: anomalies that are caused by hardware/configuration changes or interruptions in the network; anomalies that occur and disappear over time, such as increased access to a website; and anomalies which derive from manipulation of the network [13]. Similarly, Sestito et al stated that anomalies can be caused by four factors: attacks, network operations, flash crowds, and measurement errors [14].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection

Akpinar

Özçeli̇k

2019

IEEE Access

View full text Add to dashboard Cite

Today, the use of Ethernet-based protocols in industrial control systems (ICS) communications has led to the emergence of attacks based on information technology (IT) on supervisory control and data acquisition systems. In addition, the familiarity of Ethernet and TCP/IP protocols and the diversity and success of attacks on them raises security risks and cyber threats for ICS. This issue is compounded by the absence of encryption, authorization, and authentication mechanisms due to the development of industrial communications protocols only for performance purposes. Recent zero-day attacks, such as Triton, Stuxnet, Havex, Dragonfly, and Blackenergy, as well as the Ukraine cyber-attack, are possible because of the vulnerabilities of the systems; these attacksare carried by the protocols used in communication between PLC and I/O units or HMI and engineering stations. It is evident that there is a need for robust solutions that detect and prevent protocol-based cyber threats. In this paper, machine learning methods are evaluated for anomaly detection, particularly for EtherCAT-based ICS. To the best of the author's knowledge, there has been no research focusing on machine learning algorithms for anomaly detection of EtherCAT. Before testing anomaly detection, an EtherCAT-based water level control system testbed was developed. Then, a total of 16 events were generated in four categories and applied on the testbed. The dataset created was used for anomaly detection. The results showed that the k-nearest neighbors (k-NN) and support vector machine with genetic algorithm (SVM GA) models perform best among the 18 techniques applied. In addition to detecting anomalies, the methods are able to flag the attack types better than other techniques and are applicable in EtherCAT networks. Also, the dataset and events can be used for further studies since it is difficult to obtain data for ICS due to its critical infrastructure and continuous real-time operation.INDEX TERMS Anomaly detection, EtherCAT security, ICS security, machine learning for EtherCAT.

show abstract

Section: Results and Conclusionmentioning

confidence: 67%

Section: Related Workmentioning

confidence: 99%

Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection

Akpinar

Özçeli̇k

2019

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Authors in [133] proposed an anomaly detection scheme for PROFINET networks. The captured data are processed using the sliding window algorithm to extract a subset of trafficrelated features, while an artificial neural network is used to classify the traffic based on those features.…”

Section: Profinetmentioning

confidence: 99%

A Survey on SCADA Systems: Secure Protocols, Incidents, Threats and Tactics

Pliatsios

Sarigiannidis

Λάγκας

et al. 2020

IEEE Commun. Surv. Tutorials

200

View full text Add to dashboard Cite

Supervisory Control and Data Acquisition (SCADA) systems are the underlying monitoring and control components of critical infrastructures, such as power, telecommunication, transportation, pipelines, chemicals and manufacturing plants. Legacy SCADA systems operated on isolated networks, that made them less exposed to Internet threats. However, the increasing connection of SCADA systems to the Internet, as well as corporate networks, introduces severe security issues. Security considerations for SCADA systems are gaining higher attention, as the number of security incidents against these critical infrastructures is increasing. In this survey, we provide an overview of the general SCADA architecture, along with a detailed description of the SCADA communication protocols. Additionally, we discuss certain high-impact security incidents, objectives, and threats. Furthermore, we carry out an extensive review of the security proposals and tactics that aim to secure SCADA systems. We also discuss the state of SCADA system security. Finally, we present the current research trends and future advancements of SCADA security.

show abstract

“…For example, several machine learning (ML)-based methods have been separately proposed for anomaly detection in physical-layer log features (Q learning [18], Dyna-Q [19], Linear SVM [23], BDT [20] and neural networks [24]). Anomaly detection based on network-traffic features is also studied in a number of papers (artificial neural networks [21]). Anomaly detection based on physical-layer features uses the predictable behaviour of industrial control systems to detect anomalous behaviour [22].…”

Section: Background and Related Workmentioning

confidence: 99%

Automated detection-in-depth in industrial control systems

Jadidi

Foo

Hussain

et al. 2021

Int J Adv Manuf Technol

View full text Add to dashboard Cite

Legacy industrial control systems (ICSs) are not designed to be exposed to the Internet and linking them to corporate networks has introduced a large number of cyber security vulnerabilities. Due to the distributed nature of ICS devices, a detection-in-depth strategy is required to simultaneously monitor the behaviour of multiple sources of ICS data. While a detection-in-depth method leads to detecting attacks, like flooding attacks in earlier phases before the attacker can reach the end target, most research papers have focused on anomaly detection based on a single source of ICS data. Here, we present a detection-in-depth method for an ICS network. The new method is called automated flooding attack detection (AFAD) which consists of three stages: data acquisition, pre-processing, and a flooding anomaly detector. Data acquisition includes data collection from different sources like programmable logic controller (PLC) logs and network traffic. We then generate NetFlow data to provide light-weight anomaly detection in ICS networks. NetFlow-based analysis has been used as a scalable method for anomaly detection in high-speed networks. It only analyses packet headers, and it is an efficient method for detecting flooding attacks like denial of service attacks, and its performance is not affected by encrypted data. However, it has not been sufficiently studied in industrial control systems. Besides NetFlow data, ICS device logs are a rich source of information that can be used to detect abnormal behaviour. Both NetFlow traffic and log data are processed in our pre-processing stage. The third stage of AFAD is anomaly detection which consists of two parallel machine learning analysis methods, which respectively analyse the behaviours of device logs and NetFlow records. Due to the lack of enough labelled training datasets in most environments, an unsupervised predictor and an unsupervised clustering method are respectively used in the anomaly detection stage. We validated our approach using traffic captured in a factory automation dataset, Modbus dataset, and SWAT dataset. These datasets contain physical and network level normal and abnormal data. The performance of AFAD was compared with single-layer anomaly detection and with other studies. Results showed the high precision of AFAD in detecting flooding attacks.

show abstract

A Method for Anomalies Detection in Real-Time Ethernet Data Traffic Applied to PROFINET

Cited by 43 publications

References 24 publications

Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection

Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection

A Survey on SCADA Systems: Secure Protocols, Incidents, Threats and Tactics

Automated detection-in-depth in industrial control systems

Contact Info

Product

Resources

About