Attack and Fault Detection in Process Control Communication Using Unsupervised Machine Learning

2018 
In the course of industrial digitalization, the security of process control networks, and especially of critical infrastructures, has become a major issue that requires novel methods to achieve multi-level protection. An important feature of this protection is protocol-specific monitoring within the process control networks that identifies faults and attacks that have already overcome the firewall protection. For widespread application at various sites, this monitoring must be self-adaptive to the different traffic characteristics of the respective networks. Protocol knowledge combined with unsupervised machine learning algorithms can support this task. In this paper we present the latest results of applying two machine learning methods to real-world traffic datasets from two plant process control networks. The results for different mappings of the considered packet features are discussed in terms of f-score, precision, and recall. They demonstrate the high potential of using unsupervised learning for training anomaly detectors to identify intrusions in industrial networks.