Industrial Control System Anomaly Detection and Classification Based on Network Traffic

Abstract

This paper proposes an anomaly detection and classification method for industrial control systems (ICSs). The proposed method is based on network traffic data of industrial field protocols like Modbus TCP and S7 Communication. First, the denoising autoencoder (DAE) is utilized to reduce data noise and extract core features from data. Second, the synthetic minority oversampling technique (SMOTE) and the Tomek link (T-Link) mechanism are employed to oversample and undersample data for addressing the data imbalance problem. Finally, extreme gradient boosting (XGBoost) is used to leverage the ensemble learning concept to avoid overfitting for achieving good performance. A real-life railway industry ICS dataset called Electra is used to evaluate the performance of the proposed method, and the evaluation results are compared with those of other related methods. The proposed method is shown to have the highest (100%) precision, recall and F1-score for anomaly detection, and have fairly high performance of anomaly classification. The contribution of this paper is to show that integrating the DAE, SMOTE, T-Link, and XGBoost schemes can achieve the highest or extremely high performance in the aspect of ICS anomaly detection and classification based on network traffic. The computational complexity and convergence analyses of the proposed method are also provided in this paper. Furthermore, the code implementing the proposed method is released for public access through IEEE Code Ocean so that the effectiveness and the applicability of the method can be validated.