As industrial control systems are connected with networks, they are exposed to more security threats. To cope with cyber attacks, rule-based detection has been adopted but faces limitation as cyber attacks become more sophisticated. Therefore, Intrusion Detection System (IDS) has been deployed in reality but existing IDS primarily uses packet header information to perform traffic flow detection. However, such IDS has problems because it does not detect packet deformation properly.
To solve this problem, we propose to use packet payload in IDS to respond to a variety of attacks and at the same time achieve high performance. We use Convolution Neural Network (CNN) models, one of deep neural networks, which have been known to work well for image classification. To fit to the input of CNN, we need to convert the packet payload to corresponding images. To do so, we develop preprocessing methods: padding-based and filter-based, as well as existing histogram-based method. We further use N-Gram together with these preprocessing methods for performance enhancement.
We also propose detection models that detect both packet modification and traffic flow by inspecting each packet and a sequence of packets. For this, we generate abnormal data to address data imbalances without abnormal traffic during learning and testing. To verify the effectiveness of the proposed methods, the packet detection and sequence detection models are compared and analyzed in terms of the detection accuracy. For evaluation, cross-verification is conducted to increase the reliability of the statistics.
