Log In Sign Up

Modern Problems Require Modern Solutions: Hybrid Concepts for Industrial Intrusion Detection

The concept of Industry 4.0 brings a disruption into the processing industry. It is characterised by a high degree of intercommunication, embedded computation, resulting in a decentralised and distributed handling of data. Additionally, cloud-storage and Software-as-a-Service (SaaS) approaches enhance a centralised storage and handling of data. This often takes place in third-party networks. Furthermore, Industry 4.0 is driven by novel business cases. Lot sizes of one, customer individual production, observation of process state and progress in real-time and remote maintenance, just to name a few. All of these new business cases make use of the novel technologies. However, cyber security has not been an issue in industry. Industrial networks have been considered physically separated from public networks. Additionally, the high level of uniqueness of any industrial network was said to prevent attackers from exploiting flaws. Those assumptions are inherently broken by the concept of Industry 4.0. As a result, an abundance of attack vectors is created. In the past, attackers have used those attack vectors in spectacular fashions. Especially Small and Mediumsized Enterprises (SMEs) in Germany struggle to adapt to these challenges. Reasons are the cost required for technical solutions and security professionals. In order to enable SMEs to cope with the growing threat in the cyberspace, the research project IUNO Insec aims at providing and improving security solutions that can be used without specialised security knowledge. The project IUNO Insec is briefly introduced in this work. Furthermore, contributions in the field of intrusion detection, especially machine learning-based solutions, for industrial environments provided by the authors are presented and set into context.


page 1

page 3


Intrusion Detection in Binary Process Data: Introducing the Hamming-distance to Matrix Profiles

The digitisation of industry provides a plethora of novel applications t...

Security in Process: Detecting Attacks in Industrial Process Data

Due to the fourth industrial revolution, industrial applications make us...

Putting Together the Pieces: A Concept for Holistic Industrial Intrusion Detection

Besides the advantages derived from the ever present communication prope...

Implementing SCADA Scenarios and Introducing Attacks to Obtain Training Data for Intrusion Detection Methods

There are hardly any data sets publicly available that can be used to ev...

A Survey on Industrial Control System Testbeds and Datasets for Security Research

The increasing digitization and interconnection of legacy Industrial Con...

Intrusion Detection Systems: A Cross-Domain Overview

The cybersecurity ecosystem continuously changes with the growth of cybe...

I Introduction

In the past two decades, attacks on industrial systems have increased in a spectacular manner [1]. Malicious actors, supposedly state-sponsored and criminal groups, have taken an interest in industrial organisations. Attacks on critical infrastructures, such as the power grid in the Ukraine in December 2015 [2], have a severe impact, potentially matching a political agenda. Attributing these attacks, however, is a non-trivial task [3, 4]. Espionage and sabotage to gain financial or technical benefits and hinder a competitor are scenarios that need to be taken into consideration as well. In Germany, hundreds of so-called hidden champions, enterprises unknown by the customer but leading in their area, exist [5]. Despite their importance for economy, they are often Small and Medium-sized Enterprises. Due to their size, Information Technology (IT) security is commonly not a priority. Investments in IT security are expensive in terms of personnel and resources but do not provide measurable revenue. Additionally, increases in IT security measures are commonly perceived as a hindrance to productivity. Non-technical requirements on IT security measures for application in SMEs include ease of use, scalability and usability by non-experts in the security field. The publicly funded research project IUNO [6] aimed at providing such measures in order for industrial enterprises to integrate them into their production environments. After it was finshed, the research project IUNO Insec [7] was established as a succeeding research project. The scope is the improvement and further development of the tools implemented in IUNO. In this work, the research project IUNO Insec is presented. Furthermore, different aspects of intrusion detection suitable for industrial environments are presented. Apart from the IT networks, industrial environments contain control networks or Operation Technology (OT). Legacy protocols and security not being a design target make OT networks vulnerable to attackers. The usage of Cyber-Physical Systems and Cyber-Physical Production Systems in OT networks enables attackers to have an effect on the physical world by means of the digital world.

The remainder of this work is structured as follows. In Section II, a brief overview of the state of the art is provided. The research project IUNO Insec and its goals are introduced in Section III. An exemplary summary of intrusion detection methods developed for industrial use is presented in Section IV. Potentially beneficial combinations of those methods are discussed in Section V. This work is concluded in Section VI.

Ii State of the Art

Due to the relevance of critical infrastructures on supply chains and nations, the effects of incidents on production and revenue and the dangers of digital attacks on phyiscal systems, information security has gained importance in the industrial community. Therefore, an industry focusing on industrial intrusion detection solutions has evolved. Additionally, the research community has taken an interest in solutions for industrial Intrusion Detection Systems. After the first work of Denning in 1987 [8], intrusion detection has become established as a field of research and application. A brief overview of intrusion detection approaches is provided in Table I.

Subject Covered Research Work
Surveys & Taxonomies [9, 10, 11]
Wireless Networks [12, 13]
Industrial Networks [14, 15, 12]
IT Networks [16, 17]
Machine Learning-based [18, 19]

Applications of Anomaly Detection by the Individual Works

Zhu discusses attacks on Supervisory Control And Data Acquisition (SCADA) systems [9]. A summary of existing systems as well as challenges in anomaly-based network intrusion detection is provided by Garcia-Teodoro et al. [10]. Lee and Stolfo provide an overview of data mining approaches for intrusion detection [11]. Zhang et al. analyse techniques to detect intrusions in mobile networks [13]. Detecting intrusions in mobile ad-hoc networks is discussed by Zhang and Wenke as well [20]. Shin et al. discuss intrusion detection for industrial wireless networks [12]. This is motivatied by the increasing relevance of wireless sensors, organised in so-called Wireless Sensor Networks. Industrial networks often contain fixed sequences of operations. These can be exploited to detect deviations, as performed by  Caselli et al. [14]. Many industrial networks contain legacy protocols that have to be integrated into working intrusion detection solutions. Morris et al. present an intrusion detection system to fit Modbus communication [15]. Detection of intrusions in IT networks is discussed by Northcutt and Novak [16]. Mukherjee et al. present work on detecting intrusions in networks [17]. Mukkamala et al.

employ neural networks and

Support Vector Machines to detect intrusions in the infamous Defense Advanced Research Projects Agency (DARPA) Knowledge Discovery in Databases (KDD) cup ’99 [18]. Ryan et al. employ neural networks as well to detect intrusions [19].

Iii Enter IUNO Insec

IUNO Insec [7] is the succeeding research project of the national reference project for IT security in Industry 4.0 (IUNO) [6]. In IUNO, four application uses cases were addressed:

  • Customer-individual production

  • Technology data market place

  • Remote maintenance

  • Visual Security Control

These application use cases were derived in coordination with the industrial partners, ensuring their relevance. Solutions were developed, with different degrees of technology readiness. They were then collected in the toolbox used to provide the solutions to interested third parties. As the goal of IUNO was to provide means to secure their digital assets to SMEs, the toolbox was published. However, many solutions were introduced by academic partners, lacking technology readiness to be used as they were. In order to increase technology readiness, refine the tools and adjust them to different application use cases, the research project IUNO Insec was established. The main areas of research and development in IUNO Insec are shown in Figure 1.

Fig. 1: Methods and Tools Addressed by IUNO Insec

The two major security controls addressed by IUNO Insec are detection and prevention of malicious activities, meaning the goal is to either hinder an attacker from performing malicious acts or detecting the process of an attacker doing so. Other security controls, such as recovery, prevention or correction are not in the scope of IUNO Insec. Automated tools that actively engage in activities in an industrial networks always contain the danger of negatively influencing production. This could amount to enormous costs and is thus undesirable in industrial use cases, as opposed to home and office environments where short disruptions of the productive system are tolerable. Since industrial environments are commonly highly application specific, security solutions need to be capable of abstracting and transferring functionality. Furthermore, they need to be usable by non-experts while still meeting functional and non-functional requirements of the users. User-centric workshops are organised to ensure these features.

Iv Industrial Intrusion Detection Approaches

In the course of research project IUNO, the German Research Center for Artificial Intelligence (DFKI) has evaluated and implemented several solutions to detecting anomalies in industrial networks and processes. Anomalies are events in a set of events that deviate with respect to certain features. Even though the correspondence of an anomaly to an intrusion is not always given and non-trivial to evaluate, anomalies are events a human operator should take a look at. In this work, analyses of packet-based intrusion detection are presented, as well as time series-based anomaly detection in

OT network traffic and process data.

Iv-a Packet-based Detection

Detecting intrusions based on features of singular network packets is a well-researched method [21]. Each network packet contains metainformation, such as source and destination, size, ports and many more. Furthermore, each packet contains a payload that, given it is not encrypted, can be used to determine malicious intents. A special kind of packet-based intrusion detection is Deep Packet Inspection (DPI) where a sequence of packets is considered. This is relevant as many attacks, e.g. the ACK-scan, rely on disruptions of the sequences while not providing packets that are anomalous in themselves.

In this work, data sets provided by Lemay and Fernandez are evaluated with respect to packets [22]. They provided data sets monitored in an emulated environment, simulation power circuit breakers with Modbus-based communication. In some data sets, operations of a human were simulated. After monitoring, different kinds of attacks were introduced to the data sets. However, all attacks are TCP/IP-based, none exploits Modbus-specific vulnerabilities as presented by Morris et al. [23]. The data sets used in this work and their corresponding name in the work of Lemay and Fernandez are listed in Table II.

ID Name Len. (s) Attacks
DS1 Moving_two_files_Modbus_6RTU 190 4
DS2 Send_a_fake_command_Modbus_6RTU_with_operate 670 1
DS3 CnC_uploading_exe_modbus_6RTU_with_operate 70 2
TABLE II: Data Sets Used as Presented by Lemay and Fernandez

In a previous work [24], these data sets have been evaluated with four different anomaly detection algorithms:

In order to evaluate the performance, the accuracy as shown in (1) as well as the f1-score (2) that is based on precision (3) and recall (4) are used.


denotes the positive events that are classified correctly,

the negative ones that are classified correctly. and denote the positive and negative events respectively that are misclassified. The results are shown in Table III.

Algorithm Metric DS1 DS2 DS3
Random Forest Acc. 1.0 0.99970 0.99997
F1 1.0 0.99985 0.99999
SVM Acc. 1.0 1.0 0.99994
F1 1.0 1.0 0.99997
k-nearest Neighbour Acc. 0.99710 0.99912 0.99941
F1 0.99853 0.99956 0.99971
k Means Clustering Acc. 0.98102 0.55624 0.63362
F1 0.99038 0.71485 0.77573
TABLE III: Results of Packet-based Anomaly Detection

It can be seen that SVM and Random Forest perform very well with near perfect scores, while k-nearest Neighbour performs well in certain areas and k Means Clustering does not perform satisfactorily at all, allowing too many false positives.

Iv-B Time Series-based Detection in Network Traffic

Industrial network communication is expected to be highly periodic. Processes produce repeating patterns in communication, the number and structure of entities communicating is expected to stay constant. In order to detect deviations in the time domain, time series anomaly detection was applied in a previous work [25]. As an algorithm, Matrix Profiles were used, as presented by Yeh et al. [26]. The concept of Matrix Profiles is the calculation of distances between sequences of length . Any sequence of length is compared to any other sequence of length . Then the minimal distance is derived. Originally an algorithm for motif discovery, Matrix Profiles

can detect outliers if the minimal distance is high. This indicates that a sequence was singular, being a hint on anomalous behaviour. The minimal distances of packet number, port and IP pairs of

DS3 as defined in Table II is shown in Figure 2.

Fig. 2: Time Series-based Intrusion Detection in Industrial Network Traffic

It shows that the Matrix Profiles can be used to detect any attack with the black line showing a minimal threshold value needed to create no false negatives. The length of increases in minimal distance can be explained with the window length , as any attack influences all following sequences as well. However, automatically detecting a threshold that performs well is a non-trivial challenge to be solved.

Iv-C Time Series-based Detection in Process Data

Apart from the network traffic characteristics, time series can be used to detect deviations in the process behaviour. An exemplary process using batch processing has been created using real world hardware [27]. It is shown in Figure 3. A pump is used to pump water from Container 102 to Container 101. Due to natural reflow, the level of Container 101 decreases over time. A hysteresis value activates the pump again once too much water has reflown.

Fig. 3: Real-world Time Series of Process

This process has been the base for a simulated environment, introducing attacks to a simulation of the same process [28]. The water flow as well as the water level of Container 102 are shown in c.

Fig. 4: Time Series-based Intrusion Detection in Industrial Process Data

Normal operation is pictured until packet number 4000. After that and until packet 4800, the speed of reflow is doubled, halving the periods of pump activity and the water level refill. The same behaviour is shown again starting at packet number 6500 to the end of the trace. Minimal distances as calculated with Matrix Profiles rises significantly during the attacks as clearly indicated in Figure 4. As a result, time series-based anomaly detection methods are capable of detecting deviations and anomalies in regular process behaviour that can be indicators of attacks.

V Combining the Pieces

As discussed, attacks on industrial networks have to undergo different stages [28]. First, the perimeter has to be breached, commonly by phishing or other social engineering attacks. This grants an attacker access to the IT network. The IT network is commonly connected to OT networks by De-Militarized Zones, network segmentation and firewalls. Moving laterally from IT to OT networks is crucial for attackers in order to execute the intended activity. If the perimeter has been breached without triggering counter measures, the lateral movement is the next phase of an attack to be detected. A context-based aggregation model has been introduced that allows for distributed collection of data in order to determine sources, destinations and effects of attacks [29]. Context information can provide valuable insight on attacks and aid in detecting anomalies [30].

Vi Conclusion

In this work, the research project IUNO Insec was introduced. It aims at providing much needed security solutions for German industrial enterprises, especially SMEs that cannot afford to build expertise themselves. The approach of IUNO Insec includes the improvement and development of easy to use security modules. Furthermore, approaches to detect anomalies in an industrial context are discussed. Industrial environments contain characteristic requirements for security solutions as well as unique properties with respect to topology and communication behaviour. This motivates the use of certain technologies, such as time series or packet-based analysis. Additionally, deceptive technologies, such as feints, distraction and obfuscation [31] or honeypots [32] can provide an additional layer of security to provide German SMEs the means to securely participate in the fourth industrial revolution.


This work has been supported by the Federal Ministry of Education and Research of the Federal Republic of Germany (Foerderkennzeichen 16KIS0932, IUNO Insec). The authors alone are responsible for the content of the paper.


  • [1] S. Duque Anton, D. Fraunholz, C. Lipps, F. Pohl, M. Zimmermann, and H. D. Schotten, “Two decades of SCADA exploitation: A brief history,” in 2017 IEEE Conference on Application, Information and Network Security (AINS), November 2017, pp. 98–104.
  • [2] A. Cherepanov, “Win32/Industroyer - a new threat for industrial control systems,” ESET, Tech. Rep., June 2017.
  • [3] D. Fraunholz, S. Duque Anton, and H. D. Schotten, “Introducing gamfis: A generic attacker model for information security,” International Conference on Software, Telecommunications and Computer Networks, vol. 25, 2017.
  • [4] D. Fraunholz, D. Krohmer, S. Duque Anton, and H. D. Schotten, “Yaas - on the attribution of honeypot data,” International Journal on Cyber Situational Awareness, vol. 2, no. 1, pp. 31–48, 2017.
  • [5] C. Bayley. (2017) Germany’s ’hidden champions’ of the mittelstand. [Online]. Available:
  • [6] IUNO. IT-Sicherheit in der Industrie 4.0. [Online]. Available:
  • [7] IUNO Insec. Integrations- und Migrationsstrategien für industrielle IT-Sicherheit. [Online]. Available:
  • [8] D. E. Denning, “An Intrusion-Detection Model,” IEEE Transactions on Software Engineering, vol. SE-13, no. 2, pp. 222–232, Feburary 1987.
  • [9] B. Zhu, A. Joseph, and S. Sastry, “A taxonomy of cyber attacks on SCADA systems,” in Proceedings of the 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, ser. ITHINGSCPSCOM.   Washington, DC, USA: IEEE Computer Society, 2011, pp. 380–388.
  • [10] P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macia-Dernandez, and E. Vazquez, “Anomaly-based network intrusion detection: Techniques, systems and challenges,” Computers & Security, no. 28, pp. 18–28, February 2009.
  • [11] W. Lee and S. Stolfo, “Data mining approaches for intrusion detection,” 1998.
  • [12] S. Shin, T. Kwon, G.-Y. Jo, Y. Park, and H. Rhy, “An experimental study of hierarchical intrusion detection for wireless industrial sensor networks,” IEEE Transactions on Industrial Informatics, vol. 6, no. 4, pp. 744–757, 2010.
  • [13] Y. Zhang, W. Lee, and Y.-A. Huang, “Intrusion detection techniques for mobile wireless networks,” Wirel. Netw., vol. 9, no. 5, pp. 545–556, Sep. 2003.
  • [14] M. Caselli, E. Zambon, and F. Kargl, “Sequence-aware intrusion detection in industrial control systems,” in Proceedings of the 1st ACM Workshop on Cyber-Physical System Security.   ACM, 2015, pp. 13–24.
  • [15] T. Morris, R. Vaughn, and Y. Dandass, “A retrofit network intrusion detection system for modbus rtu and ascii industrial control systems,” in 2012 45th Hawaii International Conference on System Sciences.   IEEE, 2012, pp. 2338–2345.
  • [16] S. Northcutt and J. Novak, Network intrusion detection.   Sams Publishing, 2002.
  • [17] B. Mukherjee, L. T. Heberlein, and K. N. Levitt, “Network intrusion detection,” IEEE Network, vol. 8, no. 3, pp. 26–41, May 1994.
  • [18] S. Mukkamala, G. Janoski, and A. Sung, “Intrusion detection using neural networks and support vector machines,” in Proceedings of the 2002 International Joint Conference on Neural Networks. IJCNN’02 (Cat. No.02CH37290), vol. 2, May 2002, pp. 1702–1707.
  • [19] J. Ryan, M.-J. Lin, and R. Miikkulainen, “Intrusion detection with neural networks,” in Advances in neural information processing systems, 1998, pp. 943–949.
  • [20] Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks,” in Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, ser. MobiCom ’00.   New York, NY, USA: ACM, 2000, pp. 275–283.
  • [21] M. Roesch et al., “Snort: Lightweight intrusion detection for networks.” in Lisa, vol. 99, no. 1, 1999, pp. 229–238.
  • [22] A. Lemay and J. M. Fernandez, “Providing SCADA network data sets for intrusion detection research,” in 9th Workshop on Cyber Security Experimentation and Test (CSET 16), Austin, TX, 2016.
  • [23] T. H. Morris and W. Gao, “Industrial control system cyber attacks,” in Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research, 2013, pp. 22–29.
  • [24] S. Duque Anton, S. Kanoor, D. Fraunholz, and H. D. Schotten, “Evaluation of machine learning-based anomaly detection algorithms on an industrial Modbus/TCP data set,” in Proceedings of the 13th International Conference on Availability, Reliability and Security (ARES).   ACM, 2018.
  • [25] S. Duque Anton, L. Ahrens, D. Fraunholz, and H. D. Schotten, “Time is of the essence: Machine learning-based intrusion detection in industrial time series data,” in IEEE International Conference on Data Mining Workshops (ICDMW).   IEEE, 2018.
  • [26] C.-C. M. Yeh, Y. Zhu, L. Ulanova, N. Begum, Y. Ding, H. A. Dau, D. F. Silva, A. Mueen, and E. Keogh, “Matrix profile i: All pairs similarity joins for time series: A unifying view that includes motifs, discords and shapelets,” in 2016 IEEE 16th International Conference on Data Mining (ICDM), December 2016, pp. 1317–1322.
  • [27] S. Duque Anton, M. Gundall, D. Fraunholz, and H. D. Schotten, “Implementing scada scenarios and introducing attacks to obtain training data for intrusion detection methods,” in International Conference on Cyber Warfare and Security (ICCWS), 2019.
  • [28] S. Duque Anton, A. Hafner, and H. D. Schotten, “Devil in the detail: Attack scenarios in industrial applications,” in 2019 IEEE Security and Privacy Workshops, IEEE.   IEEE, 2019.
  • [29] S. Duque Anton, D. Fraunholz, J. Zemitis, F. Pohl, and H. D. Schotten, “Highly scalable and flexible model for effective aggregation of context-based data in generic iiot scenarios,” in 9th Central European Workshop on Services and their Composition (ZEUS-2017), February 13-14, Lugano, Switzerland, April 2017, pp. 51–58.
  • [30] S. Duque Anton, D. Fraunholz, S. Teuber, and H. D. Schotten, “A question of context: Enhancing intrusion detection by providing context information,” in 13th Conference of Telecommunication, Media and Internet Techno-Economics (CTTE-17), 2017.
  • [31] D. Fraunholz and H. D. Schotten, “Defending web servers with feints, distraction and obfuscation,” International Conference on Computing, Networking and Communications, 2018.
  • [32] D. Fraunholz, M. Zimmermann, A. Hafner, and H. D. Schotten, “Data mining in long-term honeypot data,” IEEE International Conference on Data Mining series - Workshop on Data Mining for Cyber-Security, 2017.