Potentials of Using One-Class SVM for Detecting Protocol-Specific Anomalies in Industrial Networks

2015 
Support Vector Machines (SVM) have been considered for real-life machine learning applications in various fields. Security concerns in modern industrial networks, which are also used in critical infrastructures, require novel monitoring techniques applicable to these constrained, real-time environments. The characteristics of these networks' traffic indicate that SVM can be a powerful tool for realizing self-configuring monitoring of industrial infrastructures, treating attacks as a kind of anomaly. This paper presents the experimental results of applying one-class SVM (OCSVM) to a number of real-world industrial traffic traces from very different industrial control systems (ICS). Initially focusing on a few network packet attributes, the results are discussed in terms of F-score, precision, and recall for different mappings of the features. The results demonstrate the high potential of using one-class SVM for monitoring packets and packet sequences in these networks.
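As an added example (not code from the paper), the following trains a one-class SVM on a few attributes of constructed, Modbus/TCP-like benign packets and scores a test set that mixes benign packets with constructed attack packets, reporting precision, recall and F-score for two feature mappings (ordinal versus one-hot function code). It assumes scikit-learn is installed; the packet records, function-code set, scaling constants and SVM parameters are invented for illustration.

```python
import random
from sklearn.svm import OneClassSVM

random.seed(1)  # reproducible constructed traffic
FUNCTION_CODES = [1, 2, 3, 4, 5, 6, 15, 16]  # Modbus function codes known to the one-hot mapping

def benign_packet():
    """Constructed benign record: (function_code, unit_id, payload_len, inter_arrival_ms)
    for an HMI cyclically reading coils/registers from two PLC units."""
    return (random.choice([1, 3, 4]), random.choice([1, 2]), random.randint(5, 12), random.gauss(100, 5))

def map_numeric(pkt):
    """Mapping A: every attribute as a scaled number (function code treated as ordinal)."""
    fc, uid, plen, dt = pkt
    return [fc / 16.0, uid / 4.0, plen / 20.0, dt / 200.0]

def map_onehot(pkt):
    """Mapping B: one-hot encode the categorical function code, scale the rest."""
    fc, uid, plen, dt = pkt
    return [1.0 if fc == c else 0.0 for c in FUNCTION_CODES] + [uid / 4.0, plen / 20.0, dt / 200.0]

def train(packets, mapping, nu=0.05, gamma=2.0):
    """Fit OCSVM on benign traffic only; nu bounds the fraction of training points treated as outliers."""
    return OneClassSVM(kernel="rbf", nu=nu, gamma=gamma).fit([mapping(p) for p in packets])

def evaluate(model, mapping, packets, labels):
    """labels[i] is True for an attack packet. Returns (precision, recall, f_score)."""
    pred = model.predict([mapping(p) for p in packets])  # +1 = normal, -1 = anomaly
    flagged = [p == -1 for p in pred]
    tp = sum(f and a for f, a in zip(flagged, labels))
    fp = sum(f and not a for f, a in zip(flagged, labels))
    fn = sum(a and not f for f, a in zip(flagged, labels))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_score = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f_score

TRAIN = [benign_packet() for _ in range(200)]
# Constructed attacks: write commands from an unknown unit id, oversized payloads, burst timing.
ATTACKS = [(16, 7, 60, 2.0), (6, 7, 8, 1.5), (5, 9, 40, 3.0), (15, 7, 80, 0.5)]
TEST = [benign_packet() for _ in range(50)] + ATTACKS
LABELS = [False] * 50 + [True] * len(ATTACKS)

def run(mapping):
    """Train and score with one feature mapping; returns (precision, recall, f_score)."""
    return evaluate(train(TRAIN, mapping), mapping, TEST, LABELS)

if __name__ == "__main__":
    for name, m in (("ordinal", map_numeric), ("one-hot", map_onehot)):
        print("%-8s precision=%.2f recall=%.2f F=%.2f" % ((name,) + run(m)))
```

Precision depends on how many benign test packets fall outside the learned boundary (roughly governed by nu), while the far-off attack packets are recalled under both mappings.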