A network traffic analysis for critical automation system state detection in industrial networks

• Main Authors: Evgeny V. Andryukhin, Mihail K. Ridli
• Format: Article
• Language: English
• Published: Moscow Engineering Physics Institute 2018-09-01
• Series: Bezopasnostʹ Informacionnyh Tehnologij
• Subjects: industrial networks, traffic analysis, information security, machine learning, anomalies detection.
• Online Access: https://bit.mephi.ru/index.php/bit/article/view/1142

Industrial networks are one of the most important parts of the manufacturing execution system. Via these networks, it is possible to allocate tasks according to the network components load. Each network component - programming logic controller (PLC) has its set of parameter values, which can be read or even rewritten. The reading or writing process can be performed very often, for example, every 50-150 milliseconds. It allows collecting a huge amount of datasets for research purposes in a very short time. The datasets are represented as a time series, so the system states are ordered with respect to the selected moments of time at equal intervals. The information collected at these moments of time can provide an opportunity to make assumptions about the current state of the system, as well as about possible changes of state in the next few steps. The proposed approach allows detecting a critical system states via network traffic analysis without deep traffic inspection, to stop anomalies spread in the system, and to decrease the possible amount of harm to the system. The main goal of the present study is to obtain a set of industrial traffic parameters, which can be used to detect system state at any moment of time using machine learning clustering methods efficiently. Using a dataset obtained during the operation of the test oil-refinery stand as well as a set of anomalous events obtained as a result of attacks on the stand, a test sample was developed for training the system. As a result of this work, the key characteristics of traffic were identified, which allow to detect the system states in the most accurate way.