Improving Performance of Machine Learning based Detection of Network Steganography in Industrial Control Systems

In view of the strong increase of targeted attacks on industrial control systems (ICS) of manufacturies and critical infrastructures, it can be noticed that for the concealment of communication, steganographic information hiding techniques become increasingly popular for attackers. Particularly in Advanced Persistent Threats, attackers focus on hiding network information flows between infected components from any possible detection mechanism in order to remain on the invaded system for as long as possible. In order to be able to detect these kinds of threats by hidden communication in future, defense concepts such as intrusion detection systems need to be supplemented by steganalytic detectors for ICS network traffic. First state-of-the-art detection mechanisms have been proposed and deliver decent but improvable results. This paper proposes a novel, convolutional neural network (CNN) based detection approach relying on a handcrafted feature space as CNN input layer. The detection approach is evaluated extensively in experiments. The evaluation results are compared to three state-of-the-art approaches in a laboratory ICS setup. We show that our novel approach is able to outperform all state-of-the-art approaches significantly. It delivers a performance of up to 94.3% correct classified test data samples.