Using Temporal and Topological Features for Intrusion Detection in Operational Networks
This work addresses security for industrial networks, which are vulnerable due to legacy systems and lack of encryption, but it is incremental as it adapts existing methods to this domain.
The paper tackled intrusion detection in industrial networks by applying Matrix Profiles for outlier detection in process timing and graph-based analysis of communication patterns, achieving detection of malicious activities in experimental and emulated environments.
Until two decades ago, industrial networks were deemed secure due to physical separation from public networks. An abundance of successful attacks proved that assumption wrong. Intrusion detection solutions for industrial application need to meet certain requirements that differ from home- and office-environments, such as working without feedback to the process and compatibility with legacy systems. Industrial systems are commonly used for several decades, updates are often difficult and expensive. Furthermore, most industrial protocols do not have inherent authentication or encryption mechanisms, allowing for easy lateral movement of an intruder once the perimeter is breached. In this work, an algorithm for motif discovery in time series, Matrix Profiles, is used to detect outliers in the timing behaviour of an industrial process. This process was monitored in an experimental environment, containing ground truth labels after attacks were performed. Furthermore, the graph representations of a different industrial data set that has been emulated are used to detect malicious activities. These activities can be derived from anomalous communication patterns, represented as edges in the graph. Finally, an integration concept for both methods is proposed.