Abstract: The modern Internet has enabled wider usage, resulting in increased network traffic. Because of the high volume of packets in networks, sampling techniques are widely used in flow-based network management software to manage the traffic load. However, sampling reduces the likelihood of anomaly detection. Many studies have aimed at improving the accuracy of anomaly detection, but only a few have considered it with sampled flow traffic. In our study, we investigate the use of an artifi…
“…NetFlow-based analysis can be used to detect cyber-attacks which affect the volume of network traffic. This method is capable of detecting attacks like port scanning, DNS poisoning, DoS, and DDoS attacks [6,7,29,30]. The lack of payload analysis makes NetFlow-based methods scalable, fast and cost-effective for anomaly detection [41].…”
Section: Background and Related Work
“…NetFlow is a Cisco proprietary protocol which can be enabled on router devices to provide NetFlow records. A NetFlow record is defined as a group of packets with some common characteristics which pass a monitoring point in a specific time interval [6,8,9]. Compared with payload-based methods, a NetFlow-based analysis method significantly reduces the volume of traffic to be processed.…”
Section: Background and Related Work
“…Unlike packet-based analysis, NetFlow-based methods process only packet headers and they provide lightweight analysis. The efficiency of NetFlow-based anomaly detection is illustrated in IT networks [6][7][8][46]. However, it has not been investigated in an ICS environment.…”
Section: Background and Related Work
Legacy industrial control systems (ICSs) were not designed to be exposed to the Internet, and linking them to corporate networks has introduced a large number of cyber security vulnerabilities. Because ICS devices are distributed, a detection-in-depth strategy is required to monitor the behaviour of multiple sources of ICS data simultaneously. While a detection-in-depth method can detect attacks such as flooding attacks at an earlier phase, before the attacker reaches the end target, most research papers have focused on anomaly detection based on a single source of ICS data. Here, we present a detection-in-depth method for an ICS network. The new method is called automated flooding attack detection (AFAD), and it consists of three stages: data acquisition, pre-processing, and a flooding anomaly detector. Data acquisition collects data from different sources, such as programmable logic controller (PLC) logs and network traffic. We then generate NetFlow data to provide lightweight anomaly detection in ICS networks. NetFlow-based analysis has been used as a scalable method for anomaly detection in high-speed networks: it analyses only packet headers, it is an efficient method for detecting flooding attacks such as denial of service attacks, and its performance is not affected by encrypted data. However, it has not been sufficiently studied in industrial control systems. Besides NetFlow data, ICS device logs are a rich source of information that can be used to detect abnormal behaviour. Both NetFlow traffic and log data are processed in our pre-processing stage. The third stage of AFAD is anomaly detection, which consists of two parallel machine learning analysis methods that respectively analyse the behaviour of device logs and of NetFlow records. Because most environments lack sufficient labelled training data, the anomaly detection stage uses an unsupervised predictor for the device logs and an unsupervised clustering method for the NetFlow records.
We validated our approach using traffic captured in a factory automation dataset, a Modbus dataset, and the SWAT dataset. These datasets contain normal and abnormal data at both the physical and the network level. The performance of AFAD was compared with single-layer anomaly detection and with other studies. Results showed the high precision of AFAD in detecting flooding attacks.
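The two NetFlow ideas the abstract relies on, as an added example that is not code from the AFAD paper: packet headers are aggregated into NetFlow-style records (packets sharing a 5-tuple within a time interval), and a label-free baseline over flows per source then flags a flooding source. The packet sample, the active timeout, the window length and the median/MAD threshold are all constructed assumptions for illustration.

```python
"""Added example (not code from the AFAD paper): build NetFlow-style records from
packet headers only, then flag a flooding source with a simple unsupervised
baseline. Packets, timeout, window and the MAD threshold are constructed here."""
from collections import defaultdict
from statistics import median

# Constructed packet headers: (timestamp, src, dst, proto, sport, dport, bytes).
# Host 10.0.0.9 opens many short connections to the PLC's Modbus port (502)
# inside one window; the other hosts behave normally.
PACKETS = [(0.1, "10.0.0.2", "10.0.0.50", "tcp", 40001, 502, 120),
           (0.4, "10.0.0.50", "10.0.0.2", "tcp", 502, 40001, 90),
           (1.2, "10.0.0.3", "10.0.0.50", "tcp", 40002, 502, 120),
           (1.5, "10.0.0.2", "10.0.0.50", "tcp", 40001, 502, 80)]
PACKETS += [(2.0 + i * 0.01, "10.0.0.9", "10.0.0.50", "tcp", 50000 + i, 502, 60)
            for i in range(40)]

def build_flows(packets, active_timeout=5.0):
    """Aggregate packets sharing a 5-tuple into flow records (NetFlow-style:
    headers only, no payload). A new record starts when the key is unseen or
    the open record for that key is older than active_timeout seconds."""
    open_flows, records = {}, []
    for ts, src, dst, proto, sport, dport, size in sorted(packets):
        key = (src, dst, proto, sport, dport)
        rec = open_flows.get(key)
        if rec is None or ts - rec["start"] > active_timeout:
            rec = {"key": key, "start": ts, "end": ts, "packets": 0, "bytes": 0}
            open_flows[key] = rec
            records.append(rec)
        rec["end"] = ts
        rec["packets"] += 1
        rec["bytes"] += size
    return records

def flooding_sources(records, window=10.0, k=3.0):
    """Count flow records per (source, time window) and flag sources whose
    count exceeds median + k * MAD of all counts. No labels are needed, which
    is the situation the abstract describes for most ICS environments."""
    counts = defaultdict(int)
    for rec in records:
        counts[(rec["key"][0], int(rec["start"] // window))] += 1
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero spread
    return sorted({src for (src, _), n in counts.items() if n > med + k * mad})

if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(len(flows), "flow records; flooding sources:", flooding_sources(flows))
```

A real deployment would export records from the router or a probe rather than build them in Python, but the per-source flow count is exactly the header-only feature that makes flooding visible without inspecting payloads.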