Evaluation of Machine Learning-based Anomaly Detection Algorithms on an Industrial Modbus/TCP Data Set

Simon Duque Antón; Suneetha Kanoor; Daniel Fraunholz; Hans Dieter Schotten

In: Proceedings of the 13th International Conference on Availability, Reliability and Security. International Conference on Availability, Reliability and Security (ARES-2018), August 27-30, Hamburg, Germany, Pages 1-9, No. 41, ISBN 978-1-4503-6448-5, ACM, New York, NY, USA, 2018.


In the context of the Industrial Internet of Things, communication technology, originally used in home and office environments, is introduced into industrial applications. Commercial off-the-shelf products, as well as unified and well-established communication protocols make this technology easy to integrate and use. Furthermore, productivity is increased in comparison to classic industrial control by making systems easier to manage, set up and configure. Unfortunately, most attack surfaces of home and office environments are introduced into industrial applications as well, which usually have very few security mechanisms in place. Over the last years, several technologies tackling that issue have been researched. In this work, machine learning-based anomaly detection algorithms are employed to find malicious traffic in a synthetically generated data set of Modbus/TCP communication of a fictitious industrial scenario. The applied algorithms are Support Vector Machine (SVM), Random Forest, k-nearest neighbour and k-means clustering. Due to the synthetic data set, supervised learning is possible. Support Vector Machine and k-nearest neighbour perform well with different data sets, while k-nearest neighbour and k-means clustering do not perform satisfactorily


German Research Center for Artificial Intelligence
Deutsches Forschungszentrum für Künstliche Intelligenz