Session Duration Based Feature Extraction for Network Intrusion Detection in Control System Networks

2016 
The use and deployment of Industrial Control Systems (ICS) have become standard across many industries, though the security of these important systems has not kept pace with their current Internet-focused deployment technologies. This technology gap has exposed an exploitable vector for would-be attackers, as ICS protocols do not have security mechanisms in place to handle Internet connectivity. This paper focuses on a critical component of a Network Telemetry-based Intrusion Detection System (IDS) that can help eliminate this exploitable vector. This component is a method for extracting features using session-duration-based instantiation. After this feature extraction method is integrated into the telemetry-based IDS, the IDS is able to achieve 99.98% accuracy when distinguishing between an engineer and an attacker on the same network.