Detection of Man-in-the-Middle Attacks on Industrial Control Networks

2016 
In this paper we present a method to detect Man-in-the-Middle attacks on industrial control systems. The approach uses anomaly detection by developing a model of the normal behaviour of the industrial control system network. To come as close as possible to reality, a simple industrial system, a conveyor belt with sensors and actuators, was set up with controllers widely used in industry. A machine learning approach based on the k-Nearest Neighbors algorithm with Bregman divergence was used to define a model of normal (valid) behaviour. Afterwards, Man-in-the-Middle attacks were launched against the system, and its behaviour during the attack was compared to the valid behaviour model. The results show that the approach taken was able to detect such attacks with satisfactory accuracy.