Using Data Mining Methods to Detect Simulated Intrusions on a Modbus Network

Szu-Chuang Li, Yennun Huang, Bo-Chen Tai, Chi Lin
2017 IEEE 7th International Symposium on Cloud and Service Computing (SC2), published 2017-11-01. DOI: 10.1109/SC2.2017.29 (https://doi.org/10.1109/SC2.2017.29)
Citations: 13

Abstract

In the era of Industry 4.0, we seek to create a smart factory environment in which everything is connected and well coordinated. Smart factories will also be connected to cloud services and/or all kinds of partners outside the boundary of the factory to achieve even better efficiency. However, network connectivity brings threats along with the promise of better efficiency, and makes smart factories more vulnerable to intruders. There have already been security incidents, such as the infection of Iran's nuclear facilities by the Stuxnet virus and the destruction of a German steel mill by hackers in 2014. To protect smart factories from such threats, traditional means of intrusion detection on the Internet could be used, but we must also refine them and adapt them to the context of Industry 4.0. For example, network traffic in a smart factory might be more uniform and predictable than traffic on the Internet, but one should tolerate much less anomaly, as the traffic is usually mission critical and an intrusion will cause much more loss. The most widely used signature-based intrusion detection systems come with a large library of signatures of known attacks and have proved very useful, but they lack the ability to detect unknown attacks. We turn to supervised data mining algorithms to detect intrusions, which helps us detect intrusions that have properties similar to known attacks but do not necessarily fully match the signatures in the library. In this study, a simulated smart factory environment was built and a series of attacks were implemented. Neural networks and decision trees were used to classify the traffic generated from this simulated environment. From the experiments we conclude that, for the data set we used, the decision tree performed better than the neural network for detecting intrusions, as it provides better accuracy, a lower false negative rate and faster model building time.