ZOE: Content-Based Anomaly Detection for Industrial Control Systems

Due its complexity and a multitude of proprietary components, industrial control systems are an immanently difficult field of application for intrusion detection. Proprietary binary protocols and the lack of public specifications have forced the research community to move away from content-based detection to more abstract concepts. In this paper, we show that in contrast to prior belief the content of unknown binary protocols can very well be modeled. ZOE derives prototype models that are specific to individual types of messages in order to capture the characteristics of arbitrary binary protocols and enable detecting different forms of attacks as anomalies. In an evaluation based on 6 days of network traffic recorded at a large power plant (1,900 MW) with over 92,000 unique devices, we demonstrate that ZOE improves upon related approaches by up to an order of magnitude in detection performance, but also significantly decreases false positives.