The current industrial modernization requires the deployment of communication networks that allow the operation and monitoring of diverse processes, such as water distribution or electricity generation. This cluster of networks belongs to what is commonly known as Operational Technology (OT), which is susceptible to different kinds of cyberattacks that may cause security breaches, physical damage to industrial infrastructure and production halts, often with serious social consequences.
Originally, OT networks were designed to operate in isolation. Operators could base their protection on physical separation from other kinds of networks (IT), as well as on the lack of public information about the environments, protocols and machines in use: "security by obscurity". However, in modern industrial infrastructures the OT and IT worlds converge in order to maximize efficiency and reduce costs and risks. This implies a departure from the traditional protection vendors used to rely on, since OT networks become more accessible through interoperable systems, publicly documented protocols, remote access to machines, and so on. These changes leave industrial systems more exposed to existing threats.
In the face of this situation, the need to deploy new cybersecurity systems tailored to the needs of industrial networks becomes evident. For this reason, the protection of industrial environments is one of the lines of work in ÉGIDA, in which Gradiant is involved (https://egidacybersecurity.com).
There are several ways to address attack detection in communication networks. A common option is the implementation of rules, which raise alerts when, for example, a new IP address or an unexpected port is used. There are also signature-based algorithms that search for patterns of known attacks. While these kinds of systems are quite efficient at identifying specific attacks and have low false positive rates, they are unable to detect new attacks or variations of known ones.
Anomaly detectors, however, learn the regular behaviour of a system and report a threat whenever an atypical deviation is detected. They are thereby able to identify attacks without prior information about them, under the assumption that anomalous traffic is also malicious. Usually, these systems are built with machine learning techniques, which provide models that learn the baseline from data rather than from explicit instructions.
A common flaw of anomaly detectors is their high false positive rate compared with deterministic techniques. This is precisely why their use is especially attractive in industrial settings: communications there tend to be stable and easy to model, so the learned baseline is tight and the rate of false alarms drops accordingly, resulting in more reliable predictions.
As input variables for the models, network flows are usually selected. A flow collects fundamental fields of the communication between two machines: their IP addresses and ports, the number of packets and bytes exchanged, or the conversation's duration, among others. Analysis of these variables is enough to detect a large number of attacks, such as denial of service. For instance, flooding attacks try to saturate a machine by sending numerous packets (TCP SYN flooding, ARP flooding) [1], [2], so their flows will contain an anomalously large number of packets. In order to detect attacks that focus on the packets' content, such as SQL injection, the payload may also be analyzed.
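As an added example (not code from the original article or from Gradiant), the following Python builds flow records of the kind described above from a constructed list of packets: a short Modbus/TCP exchange between an HMI and a PLC, followed by an ICMP echo flood against the same PLC. The IP addresses, the packet list and the field names are assumptions made for the example; the point is to see which flow fields a flooding attack distorts.

```python
# Constructed packet records for the example (not captured traffic):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, length_bytes).
# A short Modbus/TCP exchange between an HMI (10.0.0.5) and a PLC (10.0.0.20) ...
NORMAL_PACKETS = [
    (0.00, "10.0.0.5", 40000, "10.0.0.20", 502, "tcp", 66),
    (0.01, "10.0.0.20", 502, "10.0.0.5", 40000, "tcp", 66),
    (0.02, "10.0.0.5", 40000, "10.0.0.20", 502, "tcp", 54),
    (0.10, "10.0.0.5", 40000, "10.0.0.20", 502, "tcp", 66),
    (0.12, "10.0.0.20", 502, "10.0.0.5", 40000, "tcp", 65),
    (1.50, "10.0.0.5", 40000, "10.0.0.20", 502, "tcp", 54),
]
# ... and an ICMP echo flood from a third host against the PLC: 500 packets in about one second.
FLOOD_PACKETS = [
    (2.0 + i * 0.002, "192.168.1.9", 0, "10.0.0.20", 0, "icmp", 98)
    for i in range(500)
]


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Bidirectional 5-tuple: both directions of a conversation map to the same flow."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def build_flows(packets):
    """Aggregate packets into flow records carrying the fields an anomaly model would consume."""
    flows = {}
    for ts, src_ip, src_port, dst_ip, dst_port, proto, length in packets:
        key = flow_key(src_ip, src_port, dst_ip, dst_port, proto)
        f = flows.get(key)
        if f is None:
            # The first packet seen decides who the initiator of the conversation is.
            f = flows[key] = {
                "initiator": src_ip, "responder": dst_ip, "proto": proto,
                "first": ts, "last": ts, "packets": 0, "bytes": 0,
                "fwd_packets": 0, "bwd_packets": 0,
            }
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        f["packets"] += 1
        f["bytes"] += length
        if src_ip == f["initiator"]:
            f["fwd_packets"] += 1
        else:
            f["bwd_packets"] += 1
    for f in flows.values():
        f["duration"] = f["last"] - f["first"]
        # A rate is undefined for a single-packet flow; report the packet count itself then.
        f["pkts_per_sec"] = f["packets"] / f["duration"] if f["duration"] > 0 else float(f["packets"])
    return flows


def flows_sorted_by_packets(flows):
    """Flows in descending packet count: a flooding flow ends up at the top."""
    return sorted(flows.values(), key=lambda f: f["packets"], reverse=True)


if __name__ == "__main__":
    for f in flows_sorted_by_packets(build_flows(NORMAL_PACKETS + FLOOD_PACKETS)):
        print(f"{f['proto']:5} {f['initiator']:>12} -> {f['responder']:<10} "
              f"pkts={f['packets']:5d} bytes={f['bytes']:6d} dur={f['duration']:.3f}s "
              f"fwd/bwd={f['fwd_packets']}/{f['bwd_packets']} rate={f['pkts_per_sec']:.0f}/s")
```

The normalised key makes request and reply land in one record, which is what gives the Modbus flow its balanced forward/backward packet counts; the flood is one-directional, hundreds of times larger in packets and bytes, and far faster, which is exactly what a flow-based model keys on.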
At Gradiant we have experience working with a selection of state-of-the-art anomaly detection models.
One family is tree-based algorithms such as Isolation Forest or Extended Isolation Forest. They recursively partition the input traffic until every observation is isolated in a terminal node. Each division is made on an attribute and a split value chosen at random by the algorithm (Extended Isolation Forest uses random hyperplanes instead of axis-aligned cuts). Observations whose characteristics differ greatly from the rest are isolated after very few divisions, close to the root of the tree, and this short average path length across the trees is what the algorithm uses to classify them as anomalies.
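An added example, not the article's or Gradiant's code: a minimal Isolation Forest in pure Python following the procedure described above (random attribute, random split value between that attribute's minimum and maximum, average path length normalised by c(n) and turned into the score 2^(-E[h]/c(n)) of Liu et al.). The flow records are constructed for the example; only the flooding flow's packet and byte counts are extreme, its duration is ordinary, and it is still isolated near the root of almost every tree.

```python
import math
import random

# Constructed flow records (packets, bytes, duration_s) standing in for a capture of
# normal OT traffic; the values are made up for the example.
_gen = random.Random(42)
NORMAL_FLOWS = []
for _ in range(200):
    pkts = _gen.randint(8, 40)
    NORMAL_FLOWS.append((pkts, pkts * _gen.randint(60, 90), round(_gen.uniform(0.5, 3.0), 3)))
# One flooding flow: 50,000 small packets in one second. Its duration is perfectly
# ordinary; only the packet and byte counts are extreme.
FLOOD_FLOW = (50000, 50000 * 60, 1.0)


def c_factor(n):
    """Average path length of an unsuccessful search in a binary search tree of n nodes
    (Liu et al.); it normalises depths so that scores are comparable across sample sizes."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def build_tree(rows, depth, max_depth, rng):
    """Recursively split on a random attribute at a random value between its min and max."""
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    dim = rng.randrange(len(rows[0]))
    lo = min(r[dim] for r in rows)
    hi = max(r[dim] for r in rows)
    if lo == hi:  # nothing left to separate on this attribute
        return {"size": len(rows)}
    split = rng.uniform(lo, hi)
    return {
        "dim": dim, "split": split,
        "left": build_tree([r for r in rows if r[dim] < split], depth + 1, max_depth, rng),
        "right": build_tree([r for r in rows if r[dim] >= split], depth + 1, max_depth, rng),
    }


def path_length(tree, row, depth=0):
    """Depth at which row ends up; a leaf holding several rows adds the expected remaining depth."""
    if "dim" not in tree:
        return depth + c_factor(tree["size"])
    child = tree["left"] if row[tree["dim"]] < tree["split"] else tree["right"]
    return path_length(child, row, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=None, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees = []

    def fit(self, rows):
        rng = random.Random(self.seed)
        # Every tree sees all rows by default; a subsample (e.g. 256 rows) is the usual
        # choice on large captures and also keeps the trees shallow.
        self.sample_size = min(self.sample_size or len(rows), len(rows))
        max_depth = math.ceil(math.log2(self.sample_size))
        self.trees = [build_tree(rng.sample(rows, self.sample_size), 0, max_depth, rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, row):
        """Anomaly score in (0, 1]: close to 1 for rows isolated near the root,
        around 0.5 for rows that need as many splits as an average row."""
        mean_depth = sum(path_length(t, row) for t in self.trees) / len(self.trees)
        return 2 ** (-mean_depth / c_factor(self.sample_size))


def demo():
    """Fit on the whole batch (flood included, as an unsupervised detector would see it)
    and return the flood's score next to the highest and mean score of the normal flows."""
    forest = IsolationForest().fit(NORMAL_FLOWS + [FLOOD_FLOW])
    normal_scores = [forest.score(r) for r in NORMAL_FLOWS]
    return forest.score(FLOOD_FLOW), max(normal_scores), sum(normal_scores) / len(normal_scores)


if __name__ == "__main__":
    flood, worst_normal, mean_normal = demo()
    print(f"flood score={flood:.3f}  highest normal score={worst_normal:.3f}  mean normal={mean_normal:.3f}")
```

Two practitioner points show up in the run. First, the flood is isolated at depth one whenever the root happens to split on packets or bytes, so its mean path length stays near 1.5 even though a third of the splits (on duration) do not separate it at all. Second, the detector is fitted on the batch that contains the attack: a forest fitted on clean traffic only would route an unseen outlier down the same branch as the largest normal flows and score it less sharply, which is why sklearn's `IsolationForest` is commonly run on the data to be scored rather than on a separate clean training set.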
Of course, there are also proposals that use neural networks. A widely studied option is the Autoencoder, a neural network trained to compress (encode) its input and reconstruct it afterwards. Because it is trained on normal traffic, it reconstructs normal observations well, and a large reconstruction error on a new observation signals anomalous data.
Regarding payload-based algorithms, Anagram is worth noting. This algorithm divides each payload into consecutive byte subsequences called n-grams. During the training phase all the n-grams seen in normal traffic are registered, and afterwards each packet receives a score based on the proportion of its n-grams that were never seen during training. The use of natural language processing techniques applied to the payloads' bytes has also been studied.
In all the models mentioned above it is necessary to select a threshold that separates anomalous observations from normal ones, a value that is hard to optimize and highly dependent on the traffic's characteristics.
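An added example (not code from the original article or from Gradiant) covering the two points above: an Anagram-style n-gram model over constructed Modbus/TCP read requests, and the threshold selection it needs. The payloads, the split into training and validation sets, and the attack frame are all constructed for the example, and a plain set stands in for Anagram's Bloom filter.

```python
import math

# Constructed Modbus/TCP "read holding registers" requests standing in for a capture of
# normal traffic between an HMI and one PLC; values are made up for the example.
QUANTITIES = (1, 2, 5, 10)


def modbus_read_request(i):
    """MBAP header (transaction id i, protocol 0, length 6, unit 1) + function 3 + address + quantity.
    The address cycles over 10 values and the quantity over 4, as a polling HMI would do."""
    address = 10 * (i % 10)
    quantity = QUANTITIES[i % 4]
    return bytes([i >> 8, i & 0xFF, 0, 0, 0, 6, 1, 3,
                  address >> 8, address & 0xFF, quantity >> 8, quantity & 0xFF])


TRAIN = [modbus_read_request(i) for i in range(250)]
VALIDATION = [modbus_read_request(i) for i in range(250, 300)]
HELD_OUT_NORMAL = modbus_read_request(300)
# Function 0x10 (write multiple registers) with an all-ones payload: never seen in training.
ATTACK = bytes([1, 44, 0, 0, 0, 13, 1, 16, 0, 0, 0, 3, 6, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF])


class Anagram:
    """Anagram-style payload model: remember every byte n-gram of normal payloads, then score a
    payload by the fraction of its n-grams that were never seen. The original stores the
    n-grams in a Bloom filter; a plain set is used here for clarity."""

    def __init__(self, n=3):
        self.n = n
        self.known = set()

    def ngrams(self, payload):
        return [payload[i:i + self.n] for i in range(len(payload) - self.n + 1)]

    def train(self, payloads):
        for p in payloads:
            self.known.update(self.ngrams(p))
        return self

    def score(self, payload):
        grams = self.ngrams(payload)
        if not grams:
            return 0.0
        return sum(1 for g in grams if g not in self.known) / len(grams)


def choose_threshold(scores, quantile=1.0):
    """Threshold as a quantile of the scores of held-out normal traffic. quantile=1.0 takes the
    maximum (zero false positives on the validation set); a lower quantile trades a few
    false alarms for sensitivity to subtler payload changes."""
    ordered = sorted(scores)
    index = min(len(ordered) - 1, max(0, math.ceil(quantile * len(ordered)) - 1))
    return ordered[index]


def demo():
    model = Anagram(n=3).train(TRAIN)
    threshold = choose_threshold([model.score(p) for p in VALIDATION])
    normal_score = model.score(HELD_OUT_NORMAL)
    attack_score = model.score(ATTACK)
    return {
        # Every n-gram of a training payload is known, so training scores are all zero and
        # are useless for picking a threshold; that is why VALIDATION is held out.
        "train_max": max(model.score(p) for p in TRAIN),
        "threshold": threshold,
        "normal_score": normal_score,
        "attack_score": attack_score,
        "normal_flagged": normal_score > threshold,
        "attack_flagged": attack_score > threshold,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

The held-out normal request scores 0.1 rather than 0 because its transaction id produces an n-gram the model never saw; the validation set already contains requests with that property, so the threshold (0.2 here) absorbs it, while the write request scores about 0.76 and is flagged. Had the threshold been taken from the training scores instead, it would have been 0 and every new transaction id would have raised an alert, which is the dependence on traffic characteristics the paragraph above warns about.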
Despite the relevance of threat detection in OT networks, most of the state of the art addresses non-industrial networks only. This is reinforced by the lack of accessible industrial traffic that could be used to train new anomaly detection models. For this reason, Gradiant seeks to promote this field of research.
[1] Y. Purwanto, Kuspriyanto, Hendrawan, and B. Rahardjo, "Traffic anomaly detection in DDoS flooding attack," in 2014 8th International Conference on Telecommunication Systems Services and Applications (TSSA), Oct. 2014, pp. 1–6. doi: 10.1109/TSSA.2014.7065953.
[2] V. A. Siris and F. Papagalou, "Application of anomaly detection algorithms for detecting SYN flooding attacks," Computer Communications, vol. 29, no. 9, pp. 1433–1442, 2006. doi: 10.1016/j.comcom.2005.09.008.
Author: Eugenia Kuchumova, researcher-engineer in the Security & Privacy department at Gradiant
EGIDA is a network of excellence financed by the Cervera Program for Technological Centers, the national commitment to develop market-oriented research promoted by the Ministry of Science and Innovation and the Center for Industrial Technological Development (CDTI).