Feature Selection for Machine Learning Based Anomaly Detection in Industrial Control System Networks

The nature of the traffic in industrial control system network is markedly different from more open networks. Industrial control system networks should be far more restricted in what types of traffic diversity is present. This enables the usage of approaches that are currently not as feasible in open environments, such as machine learning based anomaly detection. Without proper customization for the special requirements of industrial control system network environment many existing anomaly or misuse detection systems will perform sub-optimally. Machine learning based approach would reduce the amount of manual customization required for different restricted network environments of which an industrial control system network is an good example of. In this paper we present an initial analysis of data received from a ethernet network of a live running industrial site. This includes both control data and the data flowing between the control network and the office network. A set of possible features to be used for detecting anomalies is studied for this environment.