Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection
Today, the use of Ethernet-based protocols in industrial control systems (ICS) communications has led to the emergence of attacks based on information technology (IT) on supervisory control and data acquisition systems. In addition, the familiarity of Ethernet and TCP/IP protocols and the diversity...
Main Authors: | , |
---|---|
Format: | Article |
Language: | English |
Published: |
IEEE
2019-01-01
|
Series: | IEEE Access |
Subjects: | |
Online Access: | https://ieeexplore.ieee.org/document/8936397/ |
id |
doaj-ed170c170e714d8689290d4adcd9a6a9 |
---|---|
record_format |
Article |
spelling |
doaj-ed170c170e714d8689290d4adcd9a6a92021-03-30T00:29:21ZengIEEEIEEE Access2169-35362019-01-01718436518437410.1109/ACCESS.2019.29604978936397Analysis of Machine Learning Methods in EtherCAT-Based Anomaly DetectionKevser Ovaz Akpinar0https://orcid.org/0000-0002-9859-6855Ibrahim Ozcelik1https://orcid.org/0000-0001-9985-5268Department of Computer Engineering, Sakarya University, Sakarya, TurkeyDepartment of Computer Engineering, Sakarya University, Sakarya, TurkeyToday, the use of Ethernet-based protocols in industrial control systems (ICS) communications has led to the emergence of attacks based on information technology (IT) on supervisory control and data acquisition systems. In addition, the familiarity of Ethernet and TCP/IP protocols and the diversity and success of attacks on them raises security risks and cyber threats for ICS. This issue is compounded by the absence of encryption, authorization, and authentication mechanisms due to the development of industrial communications protocols only for performance purposes. Recent zero-day attacks, such as Triton, Stuxnet, Havex, Dragonfly, and Blackenergy, as well as the Ukraine cyber-attack, are possible because of the vulnerabilities of the systems; these attacksare carried by the protocols used in communication between PLC and I/O units or HMI and engineering stations. It is evident that there is a need for robust solutions that detect and prevent protocol-based cyber threats. In this paper, machine learning methods are evaluated for anomaly detection, particularly for EtherCAT-based ICS. To the best of the author's knowledge, there has been no research focusing on machine learning algorithms for anomaly detection of EtherCAT. Before testing anomaly detection, an EtherCAT-based water level control system testbed was developed. Then, a total of 16 events were generated in four categories and applied on the testbed. The dataset created was used for anomaly detection. The results showed that the k-nearest neighbors (k-NN) and support vector machine with genetic algorithm (SVM GA) models perform best among the 18 techniques applied. In addition to detecting anomalies, the methods are able to flag the attack types better than other techniques and are applicable in EtherCAT networks. Also, the dataset and events can be used for further studies since it is difficult to obtain data for ICS due to its critical infrastructure and continuous real-time operation.https://ieeexplore.ieee.org/document/8936397/Anomaly detectionEtherCAT securityICS securitymachine learning for EtherCAT |
collection |
DOAJ |
language |
English |
format |
Article |
sources |
DOAJ |
author |
Kevser Ovaz Akpinar Ibrahim Ozcelik |
spellingShingle |
Kevser Ovaz Akpinar Ibrahim Ozcelik Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection IEEE Access Anomaly detection EtherCAT security ICS security machine learning for EtherCAT |
author_facet |
Kevser Ovaz Akpinar Ibrahim Ozcelik |
author_sort |
Kevser Ovaz Akpinar |
title |
Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection |
title_short |
Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection |
title_full |
Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection |
title_fullStr |
Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection |
title_full_unstemmed |
Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection |
title_sort |
analysis of machine learning methods in ethercat-based anomaly detection |
publisher |
IEEE |
series |
IEEE Access |
issn |
2169-3536 |
publishDate |
2019-01-01 |
description |
Today, the use of Ethernet-based protocols in industrial control systems (ICS) communications has led to the emergence of attacks based on information technology (IT) on supervisory control and data acquisition systems. In addition, the familiarity of Ethernet and TCP/IP protocols and the diversity and success of attacks on them raises security risks and cyber threats for ICS. This issue is compounded by the absence of encryption, authorization, and authentication mechanisms due to the development of industrial communications protocols only for performance purposes. Recent zero-day attacks, such as Triton, Stuxnet, Havex, Dragonfly, and Blackenergy, as well as the Ukraine cyber-attack, are possible because of the vulnerabilities of the systems; these attacksare carried by the protocols used in communication between PLC and I/O units or HMI and engineering stations. It is evident that there is a need for robust solutions that detect and prevent protocol-based cyber threats. In this paper, machine learning methods are evaluated for anomaly detection, particularly for EtherCAT-based ICS. To the best of the author's knowledge, there has been no research focusing on machine learning algorithms for anomaly detection of EtherCAT. Before testing anomaly detection, an EtherCAT-based water level control system testbed was developed. Then, a total of 16 events were generated in four categories and applied on the testbed. The dataset created was used for anomaly detection. The results showed that the k-nearest neighbors (k-NN) and support vector machine with genetic algorithm (SVM GA) models perform best among the 18 techniques applied. In addition to detecting anomalies, the methods are able to flag the attack types better than other techniques and are applicable in EtherCAT networks. Also, the dataset and events can be used for further studies since it is difficult to obtain data for ICS due to its critical infrastructure and continuous real-time operation. |
topic |
Anomaly detection EtherCAT security ICS security machine learning for EtherCAT |
url |
https://ieeexplore.ieee.org/document/8936397/ |
work_keys_str_mv |
AT kevserovazakpinar analysisofmachinelearningmethodsinethercatbasedanomalydetection AT ibrahimozcelik analysisofmachinelearningmethodsinethercatbasedanomalydetection |
_version_ |
1724188254028169216 |