
Detailed Record

Author (Chinese): 張瑋芸
Author (English): Zhang, Wei-Yun
Thesis title (Chinese): 基於深度封包檢測與聚合連續流量的工控入侵檢測防禦系統
Thesis title (English): Intrusion Prevention System for Industrial Control System Based on Deep Packet Inspection and Consecutive Traffic Aggregation
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 許富皓, 黃育綸
Committee members (English): Hsu, Fu-Hau; Huang, Yu-Lun
Degree: Master
University: National Tsing Hua University
Department: Institute of Information Security
Student ID: 111164511
Year of publication (ROC calendar): 113
Graduation academic year: 112
Language: Chinese
Number of pages: 61
Keywords (Chinese): 入侵檢測, 工控, 工業通訊協定, 深度封包檢測, 聚合
Keywords (English): Intrusion Detection, ICS, ICS Protocols, Deep Packet Inspection, Aggregation
Abstract (translated from the Chinese):

Industry 4.0 has changed the production model of factories, implementing OT-IT integration and remote monitoring to raise the degree of factory automation, but the connection to external networks also breaks the isolation of traditional industrial control systems and increases the risk of external attacks. In addition, industrial automation keeps expanding into fields from energy supply to smart healthcare. Industrial control networks use many communication protocols; when a defence system is ported to a new field, changes in packet structure make traffic analysis difficult and detection performance declines.

To address these challenges, we adjusted the detection method of the intrusion prevention system with the goal of extracting more comprehensive traffic data from the industrial control network. Our method uses deep packet inspection to strengthen the parsing of protocol-specific packet fields, so that the system keeps stable performance across different protocols. In addition, network traffic during a factory's production process is usually stable and regularly repetitive, so we aggregate traffic information within specific time intervals to find sequential correlations between consecutive flows and identify periodic transmission patterns. Because aggregation requires statistical analysis, we designed dedicated statistical methods for different data types, in particular strengthening the model's handling of non-numeric data.

In the end we obtained a set of representative statistical features; training anomaly detection models on them reached an F1-score of 0.962, showing that our proposed feature extraction method improves intrusion detection. Our system is built on the open-source intrusion prevention tool Zeek; it removes detected anomalous traffic and raises an alert, achieving real-time prevention alongside intrusion detection.

Keywords: intrusion detection, ICS, industrial communication protocols, deep packet inspection, aggregation
Industry 4.0 implements OT-IT integration and remote monitoring to enhance automation, but the connection with external networks breaks the isolation of systems and increases the risk of external attacks. Industrial automation is also expanding across various sectors, from manufacturing to smart medical care. Industrial control networks use a variety of communication protocols. When prevention systems are migrated to new fields, changes in packet structure make traffic analysis difficult, resulting in a decline in detection performance.

To address these challenges, we propose a new intrusion prevention system designed to extract comprehensive traffic data from industrial control networks. Our approach includes deep packet inspection to enhance packet parsing across different protocols. Considering that network traffic is mostly stable and follows certain patterns during the industrial production process, by aggregating traffic data within specific intervals we analyze sequence correlations between consecutive traffic to identify periodic transmission patterns. Since aggregation requires statistical analysis, we designed statistical methods for various data types, enhancing the model's capability to handle non-numeric data and ultimately deriving a series of statistical features.

Finally, using these features to train the anomaly detection models, we achieved an F1-score of 0.962, showing that the extraction method we proposed improves intrusion detection. Our system is built on the open-source intrusion prevention tool Zeek. The prevention system removes detected abnormal traffic and issues alerts, providing real-time defense alongside intrusion detection.

Keywords: intrusion detection, ICS, ICS protocols, deep packet inspection, aggregation
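As an added illustration (not the thesis's own code), the following Python sketches the pipeline the abstract outlines for a non-numeric field: records sorted by timestamp, cut into fixed intervals, aggregated into per-window statistics, and a function-code transition probability matrix compared against a clean baseline window. The function names and the sample Modbus/TCP records are assumptions constructed here.

```python
"""Sliding-window aggregation of Modbus/TCP function-code sequences.
Added illustration, not the thesis's code: sort by timestamp, cut fixed
intervals, aggregate a categorical field, build a transition probability
matrix of function codes, and flag transitions a baseline never showed."""
from collections import Counter, defaultdict

# Constructed sample: (timestamp in seconds, Modbus function code).
# Steady polling alternates 3 (Read Holding Registers) and 6 (Write Single
# Register); the tail is a burst of code 8 (Diagnostics) the baseline never saw.
RECORDS = [(t, 3 if t % 2 == 0 else 6) for t in range(20)] + [(20 + i, 8) for i in range(5)]


def windows(records, interval):
    """Sort records by timestamp and group them into consecutive fixed intervals."""
    recs = sorted(records)
    origin = recs[0][0]
    buckets = defaultdict(list)
    for ts, fc in recs:
        buckets[(ts - origin) // interval].append(fc)
    return [buckets[k] for k in sorted(buckets)]


def transition_counts(codes):
    """Count consecutive (current, next) function-code pairs inside one window."""
    return Counter(zip(codes, codes[1:]))


def transition_matrix(codes):
    """P(next = b | current = a), estimated from one window's pair counts."""
    counts = transition_counts(codes)
    row_totals = Counter()
    for (a, _), n in counts.items():
        row_totals[a] += n
    return {a: {b: n / row_totals[a] for (x, b), n in counts.items() if x == a}
            for a in row_totals}


def window_features(codes):
    """Aggregate statistics for a categorical field; these feed the detector."""
    freq = Counter(codes)
    return {"count": len(codes), "distinct": len(freq),
            "mode": freq.most_common(1)[0][0], "transitions": transition_matrix(codes)}


def novelty(codes, baseline):
    """Share of a window's transitions whose pair never appears in the baseline counts."""
    counts = transition_counts(codes)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for pair, n in counts.items() if pair not in baseline) / total
```

With a 10-second interval the first window serves as the baseline, the second repeats its transitions exactly, and the third consists only of transitions the baseline never contained.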
1 Introduction
  1.1 Motivation
  1.2 Contribution
2 Background
  2.1 Industrial Control Systems
    2.1.1 ICS Structure
  2.2 ICS Network Architecture
    2.2.1 Communication Networks
    2.2.2 Transmission Mechanisms
  2.3 Industrial Communication Protocols
  2.4 Attack Mechanisms in ICS
    2.4.1 Infiltration Attack (Man-in-the-Middle Attack)
    2.4.2 Forging Attack
    2.4.3 False Data Injection Attack
    2.4.4 Distributed Denial of Service (DDoS) Attack
  2.5 Intrusion Prevention Systems
    2.5.1 Detection Methods
    2.5.2 Prevention Tool
  2.6 Terminologies in Machine Learning
    2.6.1 Feature Reduction
    2.6.2 Anomaly Detection Models
  2.7 Relevant Terminology
    2.7.1 Deep Packet Inspection
    2.7.2 Term Frequency-Inverse Document Frequency
3 Related Works
  3.1 Overview of Anomaly Detection Methods
    3.1.1 Conclusion
  3.2 Modbus/TCP Protocol Function Code
4 Proposed Method
  4.1 Dataset Pre-processing
    4.1.1 Traffic Filter
    4.1.2 Traffic Parser: Deep Packet Inspection
  4.2 Dataset Sampling: Sliding Window
    4.2.1 Sort by Timestamp in Ascending Order
    4.2.2 Select Fields
    4.2.3 Sliding Window
  4.3 Feature Engineering: Aggregation
    4.3.1 Statistical Method
    4.3.2 Connection Features
    4.3.3 Protocol Features
  4.4 Dimension Reduction: Identifying Important Features
    4.4.1 Drop Features with Low Variance or High Correlation
    4.4.2 Combine Features Using Dimension Reduction Techniques
    4.4.3 Rank High Importance Features Using Supervised Learning
    4.4.4 Conclusion
  4.5 Anomaly Detection
    4.5.1 Unsupervised
    4.5.2 Semi-Supervised Learning
    4.5.3 Supervised Classifiers
5 Experiment and Result
  5.1 Dataset
  5.2 Evaluation Metrics
  5.3 Intermediate Outputs
  5.4 Pattern Analysis
    5.4.1 Transition Probabilities Matrix of Function Codes
    5.4.2 TF-IDF Analysis of Historical Data
  5.5 Result and Compare
6 Conclusion
  6.1 Summary
  6.2 Future Work
Bibliography
(The full text will be open to external access after 20270723.)