Entropy Analysis for Modbus Traffic over TCP/IP in Industrial Control Systems

9 pages • Published: March 18, 2022

Abstract

Anomalies in network traffic are usually detected by measuring unexpected deviation from what constitutes a baseline. Several statistical techniques have been proposed to create baselines and measure deviation. However, looking only at traffic volume to find anomalous deviation may result in increased false positives. Distributions of traffic features need to be built, and deviation needs to be measured on those features. An effective approach to finding anomalous deviations starts with entropy analysis of these feature distributions. In this paper, we present an initial entropy analysis of an industrial control system network using selected features, with datasets obtained from an HVAC system. We start with a fundamental question: whether a preliminary entropy analysis of Modbus-over-TCP data, using only a few TCP/IP features and without inspecting the Modbus payload itself, gives us information about an anomaly in the network. We acknowledge that this initial entropy analysis is only a starting point; it raises several questions and points to issues that must be investigated before an optimal system can be designed and implemented.

Keyphrases: entropy analysis, industrial control system security, modbus over tcp/ip

In: Bidyut Gupta, Ajay Bandi and Mohammad Hossain (editors). Proceedings of 37th International Conference on Computers and Their Applications, vol 82, pages 63-71.
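The abstract describes the method at a high level: build per-window distributions of a few TCP/IP header features, take the Shannon entropy of each, fit a baseline from known-good windows, and flag windows whose entropy deviates from that baseline. The following is an added illustration written for this page, not code from the paper or its authors and not their datasets. The Modbus/HVAC traffic is constructed inline (three HMI hosts polling one PLC on TCP/502, then a port scan from an unexpected host), the feature names, hosts, ports and the z-score threshold are assumptions chosen for the example, and, as in the abstract, no Modbus payload fields are decoded.

```python
import math
import random
from collections import Counter

# TCP/IP header features only; the Modbus PDU is never parsed (assumption: these five
# stand in for the "few TCP/IP features" the abstract refers to).
FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port", "length")


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def window_entropies(packets):
    """Entropy of each feature's distribution within one time window."""
    return {f: shannon_entropy([p[f] for p in packets]) for f in FEATURES}


def fit_baseline(training_windows):
    """Mean and standard deviation of each feature's entropy over known-good windows."""
    base = {}
    for f in FEATURES:
        xs = [window_entropies(w)[f] for w in training_windows]
        mean = sum(xs) / len(xs)
        sigma = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        base[f] = (mean, sigma)
    return base


def score_window(packets, base, threshold=3.0, min_sigma=0.05):
    """z-score each feature's entropy against the baseline; flag features beyond threshold.

    ICS traffic is so regular that a feature's baseline sigma can be near zero, so sigma
    is floored at `min_sigma` bits to keep a harmless jitter from producing a huge z-score.
    """
    ent = window_entropies(packets)
    z = {f: (ent[f] - mean) / max(sigma, min_sigma) for f, (mean, sigma) in base.items()}
    flagged = sorted(f for f, v in z.items() if abs(v) > threshold)
    return {"entropy": ent, "z": z, "flagged": flagged}


# ---- constructed sample traffic (not real HVAC data) -------------------------------
HMIS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
PLC = "10.0.1.50"
MODBUS_TCP_PORT = 502


def normal_window(rng, polls=200):
    """Each HMI polls the PLC on 502 from a small pool of ephemeral ports; the PLC replies."""
    pkts = []
    for _ in range(polls):
        hmi = rng.choice(HMIS)
        sport = rng.choice(range(49152, 49156))
        pkts.append({"src_ip": hmi, "dst_ip": PLC, "src_port": sport,
                     "dst_port": MODBUS_TCP_PORT, "length": rng.choice([66, 66, 66, 70])})
        pkts.append({"src_ip": PLC, "dst_ip": hmi, "src_port": MODBUS_TCP_PORT,
                     "dst_port": sport, "length": rng.choice([63, 63, 71, 75])})
    return pkts


def scan_window(rng, probes=200):
    """Constructed anomaly: an unexpected host probes many PLC ports in one window.

    Total packet count is similar to a quiet window, so a volume-only detector has
    little to see, but dst_port entropy jumps and src_ip entropy collapses.
    """
    pkts = normal_window(rng, polls=probes // 4)
    for port in range(1, probes + 1):
        pkts.append({"src_ip": "10.0.0.99", "dst_ip": PLC, "src_port": 40000 + port,
                     "dst_port": port, "length": 60})
    return pkts


def demo(seed=7):
    """Fit a baseline on quiet windows, then score one quiet and one scanned window."""
    rng = random.Random(seed)
    base = fit_baseline([normal_window(rng) for _ in range(30)])
    quiet = score_window(normal_window(rng), base)
    scan = score_window(scan_window(rng), base)
    return quiet, scan


if __name__ == "__main__":
    quiet, scan = demo()
    for name, result in (("quiet", quiet), ("scan", scan)):
        print(name, {f: round(v, 2) for f, v in result["z"].items()}, "flagged:", result["flagged"])
```

The quiet window scores within the threshold on every feature, while the scan window is flagged on dst_port (entropy rises because hundreds of distinct destination ports appear) and on src_ip (entropy falls because one host dominates the window), which is the kind of signal the abstract says volume alone would miss. In practice the window length, the sigma floor and the threshold have to be tuned against the plant's real polling schedule, since a legitimate change such as a new HMI coming online also shifts these distributions.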