Multigranularity Feature Automatic Marking-Based Deep Learning for Anomaly Detection of Industrial Control Systems

Industrial control systems are facing ever-increasing security challenges due to the large-scale access of heterogeneous devices in the open Internet environment. Existing anomaly detection methods are mainly based on the priori knowledge of industrial control protocols (ICPs) whose protocol specifications, communication mechanism, and data format are already known. However, when these knowledge are blank, namely, unknown ICPs, existing methods become powerless to detect the anomaly data. To tackle this challenge, we propose a multigranularity feature automatic marking-based deep learning method to classify unknown ICPs for anomaly detection. First, to obtain the feature sequences without priori knowledge assisting, we propose a multigranularity feature extraction algorithm to extract both byte and half-byte information by fully utilizing the intensive key information in the header field of the application layer. Then, to label the feature sequences for deep learning, we propose a feature automatic marking algorithm that utilizes the inconsistency feature sequences to dynamically update the feature sequence set. With the labeled feature sequences, we employ deep learning with 1-D convolutional neural network and gated recurrent unit to classify the unknown ICPs and realize anomaly detection. Extensive experiments on two public datasets show that both the accuracy and precision of the proposed method reach above 98.4%, which is better than the three benchmark methods.