CNN-based Intrusion Detection System Using Packet Payload for Industrial Control Systems

Abstract/Summary

As industrial control systems are connected to networks, they are exposed to more security threats. To cope with cyber attacks, rule-based detection has been adopted, but it faces limitations as cyber attacks become more sophisticated. Therefore, Intrusion Detection Systems (IDS) have been deployed in practice, but existing IDS primarily use packet header information to perform traffic flow detection. Such IDS have problems because they do not properly detect packet deformation. To solve this problem, we propose using the packet payload in the IDS to respond to a variety of attacks while achieving high performance. We use Convolutional Neural Network (CNN) models, a type of deep neural network known to work well for image classification. To fit the input of the CNN, the packet payload must be converted to corresponding images. To do so, we develop two preprocessing methods, padding-based and filter-based, alongside the existing histogram-based method. We further use N-Gram together with these preprocessing methods for performance enhancement. We also propose detection models that detect both packet modification and traffic flow by inspecting each packet and a sequence of packets. For this, we generate abnormal data to address data imbalances without abnormal traffic during learning and testing. To verify the effectiveness of the proposed methods, the packet detection and sequence detection models are compared and analyzed in terms of detection accuracy. For evaluation, cross-verification is conducted to increase the reliability of the statistics.

Table of Contents

Abstract
1. Introduction
2. Related Work
3. Network Traffic and Machine Learning
3.1. Traffic Feature
3.2. Machine Learning for Detection
4. Anomaly Detection Model
4.1. Single Packet Detection Model
4.2. Sequence Detection Model
4.2.1. Packet sequence shuffle regardless of a window
4.2.2. Packet sequence shuffle within a window
4.2.3. Packet replacement with an in-window packet
4.2.4. Packet replacement with an out-of-window packet
4.3. Hybrid model
5. Preprocessing
5.1. Basic Preprocessing Methods
5.1.1. Histogram-based preprocessing
5.1.2. Padding-based preprocessing
5.1.3. Filter-based preprocessing
5.1.4. Example
5.2. Extension of Preprocessing using N-Gram
6. Experimental Results
6.1. Single Packet Detection Model
6.1.1. Comparison of basic preprocessing methods
6.1.2. Result of N-Gram extension
6.2. Sequence Detection Model
7. Conclusion
Reference
