Unsupervised Anomaly Detection in RS-485 Traffic using Autoencoders with Unobtrusive Measurement

Title: Unsupervised Anomaly Detection in RS-485 Traffic using Autoencoders with Unobtrusive Measurement
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Chirupphapa, Pawissakan; Hossain, Md Delwar; Esaki, Hiroshi; Ochiai, Hideya
Conference Name: 2022 IEEE International Performance, Computing, and Communications Conference (IPCCC)
Date Published: nov
Keywords: anomaly detection, autoencoder, ICS Anomaly Detection, industrial control, industrial control system, integrated circuits, multilayer perceptrons, Physical layer, Protocols, pubcrawl, resilience, Resiliency, rs-485, Scalability, security, Time measurement, Time series analysis, univariate time series
Abstract: Remotely connected devices have been adopted in several industrial control systems (ICS) recently due to the advancement in the Industrial Internet of Things (IIoT). This led to new security vulnerabilities because of the expansion of the attack surface. Moreover, cybersecurity incidents in critical infrastructures are increasing. In the ICS, RS-485 cables are widely used in its network for serial communication between each component. However, almost 30 years ago, most of the industrial network protocols implemented over RS-485 such as Modbus were designed without security features. Therefore, anomaly detection is required in industrial control networks to secure communication in the systems. The goal of this paper is to study unsupervised anomaly detection in RS-485 traffic using autoencoders. Five threat scenarios in the physical layer of the industrial control network are proposed. The novelty of our method is that RS-485 traffic is collected indirectly by an analog-to-digital converter. In the experiments, multilayer perceptron (MLP), 1D convolutional, and Long Short-Term Memory (LSTM) autoencoders are trained to detect anomalies. The results show that three autoencoders effectively detect anomalous traffic with F1-scores of 0.963, 0.949, and 0.928, respectively. Due to the indirect traffic collection, our method can be practically applied in the industrial control network.
DOI: 10.1109/IPCCC55026.2022.9894318
Citation Key: chirupphapa_unsupervised_2022