Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection

Kevser Ovaz Akpinar; Ibrahim Ozcelik

doi:10.1109/ACCESS.2019.2960497

IEEE Access (Jan 2019)

Analysis of Machine Learning Methods in EtherCAT-Based Anomaly Detection

Kevser Ovaz Akpinar,
Ibrahim Ozcelik

Affiliations

Kevser Ovaz Akpinar: ORCiD; Department of Computer Engineering, Sakarya University, Sakarya, Turkey
Ibrahim Ozcelik: ORCiD; Department of Computer Engineering, Sakarya University, Sakarya, Turkey

DOI: https://doi.org/10.1109/ACCESS.2019.2960497
Journal volume & issue: Vol. 7
pp. 184365 – 184374

Abstract

Read online

Today, the use of Ethernet-based protocols in industrial control systems (ICS) communications has led to the emergence of attacks based on information technology (IT) on supervisory control and data acquisition systems. In addition, the familiarity of Ethernet and TCP/IP protocols and the diversity and success of attacks on them raises security risks and cyber threats for ICS. This issue is compounded by the absence of encryption, authorization, and authentication mechanisms due to the development of industrial communications protocols only for performance purposes. Recent zero-day attacks, such as Triton, Stuxnet, Havex, Dragonfly, and Blackenergy, as well as the Ukraine cyber-attack, are possible because of the vulnerabilities of the systems; these attacksare carried by the protocols used in communication between PLC and I/O units or HMI and engineering stations. It is evident that there is a need for robust solutions that detect and prevent protocol-based cyber threats. In this paper, machine learning methods are evaluated for anomaly detection, particularly for EtherCAT-based ICS. To the best of the author's knowledge, there has been no research focusing on machine learning algorithms for anomaly detection of EtherCAT. Before testing anomaly detection, an EtherCAT-based water level control system testbed was developed. Then, a total of 16 events were generated in four categories and applied on the testbed. The dataset created was used for anomaly detection. The results showed that the k-nearest neighbors (k-NN) and support vector machine with genetic algorithm (SVM GA) models perform best among the 18 techniques applied. In addition to detecting anomalies, the methods are able to flag the attack types better than other techniques and are applicable in EtherCAT networks. Also, the dataset and events can be used for further studies since it is difficult to obtain data for ICS due to its critical infrastructure and continuous real-time operation.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords