Graph Convolutional Network-based Suspicious Communication Pair Estimation for Industrial Control Systems
share
Whitelisting is considered an effective security monitoring method for networks used in industrial control systems, where the whitelists consist of observed tuples of the IP address of the server, the TCP/UDP port number, and IP address of the client (communication triplets). However, this method causes frequent false detections. To reduce false positives due to a simple whitelist-based judgment, we propose a new framework for scoring communications to judge whether the communications not present in whitelists are normal or anomalous. To solve this problem, we developed a graph convolutional network-based suspicious communication pair estimation using relational graph convolution networks, and evaluated its performance. For this, we collected the network traffic of three factories owned by Panasonic Corporation, Japan. The proposed method achieved a receiver operating characteristic area under the curve of 0.957, which outperforms baseline approaches such as DistMult, a method that directly optimizes the node embeddings, and heuristics, which score the triplets using first- and second-order proximities of multigraphs. This method enables security operators to concentrate on significant alerts.
READ FULL TEXT
