Identification of industrial devices based on payload

článek ve sborníku ve WoS nebo Scopus

angličtina

Identification of industrial devices based on their behavior in network communication is important from a cybersecurity perspective in two areas: attack prevention and digital forensics. In both areas, device identification falls under asset management or asset tracking. Due to the impact of active scanning on these networks, particularly in terms of latency, it is important to use passive scanning in industrial networks. For passive identification, statistical learning algorithms are nowadays the most appropriate. The aim of this paper is to demonstrate the potential for passive identification of PLC devices using statistical learning based on network communication, specifically the payload of the packet. Individual statistical parameters from 15 minutes of traffic based on payload entropy were used to create the features. Three scenarios were performed and the XGBoost algorithm was used for evaluation. In the best scenario, the model achieved an accuracy score of 83% to identify individual devices.

PLC, OT, Identification, ICS, ML, XGBoost

POSPÍŠIL, O.; FUJDIAK, R.

30. 7. 2024

Association for Computing Machinery

New York, NY, USA

979-8-4007-1718-5

ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security

1

9

9

https://dl.acm.org/doi/10.1145/3664476.3670462