SECURITY OF COMMUNICATION PROTOCOLS IN INDUSTRIAL CONTROL SYSTEMS

Modbus/RS-485 Attack Detection on Communication Signals with Machine Learning

Hideya Ochiai, Md Delwar Hossain, Pawissakan Chirupphapa, Youki Kadobayashi, and Hiroshi Esaki

Hideya Ochiai, Pawissakan Chirupphapa, and Hiroshi Esaki are with the University of Tokyo, Japan; Md Delwar Hossain and Youki Kadobayashi are with the Nara Institute of Science and Technology (NAIST), Japan. Digital Object Identifier: 10.1109/MCOM.002.2200553
IEEE Communications Magazine • June 2023 0163-6804/23/$25.00 © 2023 IEEE

Abstract

Modbus/RS-485 is one of the most popular standards used worldwide at the edges of industrial control systems (ICSs) as field buses. These networks were traditionally secured by isolating them from others, but nowadays they are connected and function as components of a whole ICS. An attack on a field bus will deceive global control and can result in severe security incidents. In this article, we propose a novel unobtrusive communication signal monitoring method for attack detection on this type of field bus with machine learning. We define five types of field-bus attacks and develop datasets with ground truth labels on our real-world testbed. In our performance evaluation, supervised learning with extreme gradient boosting (XGBoost) achieved the best result, with an accuracy of 0.9999 for attack detection and classification. A 1D convolutional neural network (1D-CNN) served as an alternative. Unsupervised learning with an MLP-autoencoder achieved areas under the receiver operating characteristic curves between 0.9992 and 0.9999 for anomaly detection. These results indicate that our proposed unobtrusive monitoring method can achieve a high detection rate for field-bus attacks.

Introduction

With the recent advancement of digital transformation, industrial control systems (ICSs) are built upon the Internet. ICSs are deployed to operate the facilities of buildings, transportation, factories, and other public infrastructures such as power grids, water distribution, and gas/oil pipelines, which are necessary to support our daily lives. The security of those systems is seriously considered, as incidents in ICSs may cause critical damage to our lives [1–3].

At the moment, the study of ICS security is mostly focused on IP-based communication protocols like Modbus/TCP and IEC 60870-5-104 [4] or the data in SCADA systems [7]. The security of non-IP protocols such as fieldbuses was recognized as important but has not been paid full attention. In this article, we focus on the security of RS-485, a serial-based fieldbus, which was traditionally secured by physical isolation from other systems. As a fieldbus is a very basic communication medium, if an attacker can tap the communication wire, they can observe, read, write, or override the system without any authentication. Malware can also virtually tap the bus remotely if any of the connected devices were compromised. Thus, the security of this network is becoming important because these networks are no longer isolated but connected (Fig. 1). An attack on a field bus may lead to incidents in the global systems.

Modbus/RS-485 is used worldwide as a de-facto standard in a wide range of industrial sectors. Here, "/" denotes the layered structure of the protocols. RS-485 provides the infrastructure of a half-duplex serial communication bus allowing multi-drop connections over 1.2 km. There are many application-layer protocols, including vendor-specific ones, implemented on RS-485. This article focuses on Modbus as a case study because it is a standard used in many industrial sectors. Modbus is used to get sensor readings from, or to set control signals to, multiple devices on the multi-drop serial bus. Modbus/RS-485 is cost-effective. For example,
1. An integrated circuit (IC) for an RS-485 driver is available in the market for only 15 cents.
2. A Modbus protocol stack can be implemented on an 8-bit microcontroller unit (MCU), which also manages the basic applications for power metering, HVAC control, and system health checking along with Modbus communication.
Even though the communication is slow, e.g., 9600 bps, it can realize facility control and management applications efficiently. This is one of the reasons it is used everywhere.

We propose a current transformer (CT)-based approach for monitoring the analog signals of the field-bus network for attack detection, adding a security feature with supervised and unsupervised machine learning. By attaching a CT to an RS-485 line in an unobtrusive manner, we monitor the current flow on the communication lines and can detect suspicious activities, including the corruption of legitimate flow made by an attacker. This monitoring system can contribute to the early discovery of an attacker by allowing the detection of suspicious activities.

We admit that adding the basic security features known as encryption and authentication would be the most straightforward approach. For a TCP/IP-based communication protocol, they can be added relatively easily. For example, Modbus/TCP can be secured by transport-layer security (TLS), and BACnet/IP can be secured by a virtual private network (VPN). However, as Fauri et al. [5] discuss, this should be carefully considered
for both technical and operational reasons, especially for the RS-485 networks of our case. First, encryption and authentication increase traffic volumes, which may cause congestion under the available bandwidth. Second, such features require larger computation power and bring technical difficulties in implementation, especially in the case of 8-bit MCUs: the system would need to be re-developed starting from the choice of hardware architecture. Third, and maybe this is the most critical reason, authentication requires additional configuration by the field engineers at the phase of installation and system updates. Especially in the case of emergency troubleshooting, they need to debug the system with a protocol analyzer, but they cannot read the payloads. This increases other risks, namely operational failure, i.e., human error. For the above reasons, we consider "detection of attack by monitoring" to be the most practical approach now, compared to encryption and authentication, for adding security.

Fig. 1. An architecture of industrial control systems (ICSs). Modbus/RS-485 is one of the standard field-bus technologies used worldwide at the edges of ICSs. (The figure shows, top to bottom: Global Management and Control Services; SCADA (Global), ADR, HMI, APP; The Internet (IEEE 1888, MQTT, OPC-UA, OpenADR, …); SCADA (Local) on the Local Area Network (Modbus/TCP, BACnet/IP, …); gateways (GW); field buses such as Lonworks, CAN, Modbus, BACnet and Profibus over RS-485, ZigBee, and proprietary protocols; and field systems such as programmable logic controllers.)

The contributions of this article are summarized as follows:
• We propose a novel unobtrusive RS-485 network monitoring framework with machine learning for field-bus level attack detection and classification.
• We define five types of attacks and develop datasets using a real Modbus/RS-485 testbed. The datasets are novel in that there were no monitoring studies with our unobtrusive monitoring method for an RS-485 network.
• We provide fundamental evaluations of our novel detection tasks with both supervised and unsupervised learning on the datasets. We demonstrate high accuracy and good area-under-the-curve (AUC) characteristics with our method.

This article is organized as follows. We describe the related work. We propose our RS-485 monitoring architecture. We describe the profiles of our dataset. We describe the results of supervised and unsupervised learning applications, respectively. We describe future research directions. We provide the conclusion of this article.

Corresponding Author: Hideya Ochiai ([email protected]; [email protected])

Related Work

With the rising awareness of security risks in ICSs [1], the security of ICSs has been studied in various contexts. Liu et al. [2] proposed a taxonomy of security assessment for IP-based building automation systems, Pan et al. [3] proposed an intrusion detection system for power systems, and Morris et al. [6] and Mathur et al. [7] developed testbeds for pipelines and water management systems. Regarding fieldbuses, the security of CAN-bus, which is mainly used inside cars but also in ICSs, is studied by Seo et al. [8] and Hossain et al. [9]. The most recent study on the security of RS-485 is published by Liu et al. [11].

Although they have different scopes in application domains and protocols, they have in common that they use the digital values in the protocol fields for attack detection. In other words, they focus on the contents or profiles of network-layer, transport-layer, and application-layer data, where the protocol fields are digital values.

In this article, we do not look at such digital values in the protocol fields but at the analog signals of the communication line. We focus on the physical layer that allows data transmission on the physical medium. Analog signal analysis is more powerful than digitalized value analysis. For example, the Spoofing attack and the Evil Twin attack introduced in this article cannot be detected only by analyzing digitalized protocol fields, but our approach can detect them. Weinger et al. [10] discuss the analysis of Modbus protocol fields, concluding that "the distributions of normal and anomalous records are very close to each other, which suggests that it would be difficult to differentiate the instances between these two classes."

Regarding RS-485, Liu et al. [11] published a novel work on physical access detection in their RS-485 network by monitoring the change of the voltage signal with electric contacts to the communication line. In our work, we monitor the current signal (not the voltage) with a current transformer, allowing unobtrusive measurement of the communication line. In electronics, voltage and current are independent domains, having different characteristics in general. Thus, we need to explore the attack detection scheme with the current monitoring approach.

There are many combinations of the application layer and the physical layer for facility networking, as Fig. 1 shows. BACnet and Profibus can also be built on RS-485. There are also many vendor-specific protocols that use RS-485 as their physical layer. This article demonstrates a case study with Modbus, but the method can be applied to other protocols without any changes because the machine learning model can automatically obtain features from the protocol used.

This article is based on our previous preliminary works on supervised learning [12] and unsupervised learning [13] for attack detection in RS-485. For this article, we have carried out fundamental analyses to make the study comprehensive.

RS-485 Line Monitoring: Architecture

Preliminary of Modbus/RS-485 Network

Fig. 2. Monitoring of the current flow on RS-485 line "A" by attaching a current transformer (CT). We generate Data Set 1 by attaching a CT between the Client and Attacker, and Data Set 2 by attaching it at the far end. Here, the RS-485 multi-drop serial-bus network exchanges messages electronically on the two common lines "A" and "B" with differential voltage signals [13]. (The figure shows a Modbus Client, a Modbus Attacker and four Modbus Servers with sensors, Server ID = 1 to 4, on the RS-485 multi-drop serial bus; differential signaling with HIGH/LOW levels on lines A and B for sending 0 and 1; and a CT with a 30 kΩ burden feeding an A/D converter, placed as the "Monitoring Device between Client and Attacker" for Data Set 1 and as the "Monitoring Device at the Far End" for Data Set 2.)

Figure 2 shows the RS-485 multi-drop serial-bus network which we target in this study. RS-485 connects multiple devices with lines "A" and "B," which usually come as a twisted-pair cable, although this is not shown in the figure. A device in the network transmits a binary bit with differential signaling, i.e., line
"B" is always the reverse of line "A." This assumes serial communication among the nodes on the network. Communication lines A and B are physically shared among all the devices, and they sense the same voltage level, meaning that sequences of data are always broadcast. Upper-layer protocols commonly define the target device that should receive and respond to the broadcast message. Modbus [14] assumes multiple end devices, the "Servers," and a single control device, the "Client." When the Client transmits a request to the RS-485 network, all servers receive the request, but only the corresponding server transmits the response to the RS-485 network. This response is received by all the devices, but only the Client reads its payload. For details, please refer to [13]. Figure 3 shows the protocol format for your reference.

Fig. 3. Modbus frame format.
Request message (from Client to Server), byte index: field
  0: Server ID; 1: Function Code; 2–3: Register Address; 4–5: Registers to Read; 6–7: CRC16
Response message (to Client from Server), byte index: field
  0: Server ID; 1: Function Code; 2: Bytes Responded; 3–4: Register 1; 5–6: Register 2; …; n-2, n-1: CRC16
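The frame layout of Fig. 3 together with the CRC16 check a receiving node applies before it acts on a frame, as an added example (not code from the paper or its authors). Function code 3 (Read Holding Registers) is an assumption, since the figure shows only a generic Function Code field, and the jamming described later in the dataset section is modelled as bit flips of every byte after the first four.

```python
"""Modbus RTU frame layout of Fig. 3 with the CRC16 check that every node
applies before acting on a frame.  Added example, not code from the paper."""
from typing import List, Optional

# Fig. 3 only shows a generic "Function Code"; code 3 (Read Holding
# Registers) is assumed here because the request carries a register count.
FC_READ_HOLDING_REGISTERS = 0x03


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def append_crc(body: bytes) -> bytes:
    """Modbus RTU transmits the CRC low byte first."""
    return body + crc16_modbus(body).to_bytes(2, "little")


def build_read_request(server_id: int, register_addr: int, count: int) -> bytes:
    """Request message: 0 Server ID, 1 Function Code, 2-3 Register Address,
    4-5 Registers to Read, 6-7 CRC16 (big-endian fields, as in Fig. 3)."""
    body = bytes([server_id, FC_READ_HOLDING_REGISTERS])
    body += register_addr.to_bytes(2, "big") + count.to_bytes(2, "big")
    return append_crc(body)


def build_read_response(server_id: int, values: List[int]) -> bytes:
    """Response message: 0 Server ID, 1 Function Code, 2 Bytes Responded,
    then two bytes per register, CRC16 in bytes n-2 and n-1."""
    body = bytes([server_id, FC_READ_HOLDING_REGISTERS, 2 * len(values)])
    body += b"".join(v.to_bytes(2, "big") for v in values)
    return append_crc(body)


def crc_ok(frame: bytes) -> bool:
    """A frame whose CRC16 does not match is silently dropped by the receiver;
    this is why a jammed request makes the legitimate Server 'do nothing'."""
    if len(frame) < 4:
        return False
    return crc16_modbus(frame[:-2]) == int.from_bytes(frame[-2:], "little")


def parse_request(frame: bytes) -> Optional[dict]:
    """Decode a request as a Server would; None means the frame was discarded."""
    if len(frame) != 8 or not crc_ok(frame):
        return None
    return {"server_id": frame[0], "function_code": frame[1],
            "register_addr": int.from_bytes(frame[2:4], "big"),
            "count": int.from_bytes(frame[4:6], "big")}


def parse_response(frame: bytes) -> Optional[dict]:
    """Decode a response as the Client would.  The Client can only check
    well-formedness: any frame with a valid CRC is accepted, whichever node
    put it on the bus, which is why detection has to look below the fields."""
    if len(frame) < 5 or not crc_ok(frame):
        return None
    n = frame[2]
    if n % 2 or len(frame) != 3 + n + 2:
        return None
    regs = [int.from_bytes(frame[3 + i:5 + i], "big") for i in range(0, n, 2)]
    return {"server_id": frame[0], "function_code": frame[1], "registers": regs}


def jam_tail(frame: bytes, intact: int = 4) -> bytes:
    """Constructed model of the jamming in the dataset section: the first
    `intact` bytes (Server ID, Function Code, Register Address) arrive cleanly
    and every later byte, CRC included, is corrupted (modelled as bit flips)."""
    return frame[:intact] + bytes(b ^ 0xFF for b in frame[intact:])
```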
Monitoring by Current Transformer

To detect attacks, we take the approach of capturing the "analog values" of the current flow on RS-485 line "A" or "B" by using a CT, as depicted in Fig. 4a. As RS-485 has 120 Ω termination resistors, if the voltage between the lines is 3 V, about 25 mA flows on the line. Then, for example, with a CT of winding ratio 1:3000 and a 30 kΩ burden resistor, we get 250 mV at the CT output pins. This is observed as a difference of about 80 counts on a 10-bit A/D converter with a 3.3 V reference. To clearly capture the waveform at 9600 bps, we recommend 30 kHz for the A/D sampling rate.
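The signal chain just described, carried through in code as an added example (not the authors' code): bus voltage to line current, CT secondary current, burden voltage and ADC counts, plus a model of the per-frame ADC record the data logger would store. The numbers are the ones the text quotes; the 8N1 UART framing, the mid-scale bias and the ideal square current are assumptions of this model, since a real CT is AC-coupled and the recorded waveform is more complex than this idealised one.

```python
"""Signal chain of the CT tap and the ADC record it produces.  Added example,
not the authors' code.  Values are the ones quoted in the text; 8N1 framing,
the mid-scale bias and the ideal square current are modelling assumptions."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TapConfig:
    v_bus: float = 3.0           # differential voltage between lines A and B (V)
    r_term: float = 120.0        # RS-485 termination resistor (ohm)
    turns_ratio: float = 3000.0  # CT winding ratio 1:3000
    r_burden: float = 30e3       # burden resistor on the CT secondary (ohm)
    v_ref: float = 3.3           # ADC reference voltage (V)
    adc_bits: int = 10
    sample_rate: float = 30e3    # A/D sampling frequency (Hz)
    bit_rate: float = 9600.0     # UART bit rate (bps)


def ct_chain(cfg: TapConfig) -> dict:
    """Line current -> CT secondary current -> burden voltage -> ADC counts.
    The text computes the line current through one 120 ohm terminator."""
    i_line = cfg.v_bus / cfg.r_term                       # 25 mA
    v_burden = i_line / cfg.turns_ratio * cfg.r_burden    # 8.3 uA x 30 kOhm = 250 mV
    lsb = cfg.v_ref / 2 ** cfg.adc_bits                   # about 3.2 mV per count
    return {"i_line_A": i_line, "v_burden_V": v_burden,
            "adc_delta_counts": v_burden / lsb}           # about 78 ("about 80")


def samples_per_bit(cfg: TapConfig) -> float:
    """30 kHz / 9600 bps gives about three samples per bit, enough to see every edge."""
    return cfg.sample_rate / cfg.bit_rate


def uart_bits(frame: bytes) -> List[int]:
    """8N1 line states for a byte sequence: start bit 0, data LSB first, stop bit 1."""
    bits: List[int] = []
    for byte in frame:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    return bits


def frame_to_adc_samples(frame: bytes, cfg: TapConfig = TapConfig(),
                         idle_bits: int = 0) -> List[int]:
    """ADC codes the data logger would store for one frame.  Logic 1 and logic 0
    differ by the count delta from ct_chain(), centred at ADC mid-scale (assumed)."""
    delta = ct_chain(cfg)["adc_delta_counts"]
    mid = 2 ** cfg.adc_bits / 2
    level = {1: mid + delta / 2, 0: mid - delta / 2}
    bits = [1] * idle_bits + uart_bits(frame) + [1] * idle_bits
    spb = samples_per_bit(cfg)
    n = int(len(bits) * spb)
    # sample k is taken at time k / sample_rate, i.e. during bit floor(k / spb)
    return [int(round(level[bits[int(k / spb)]])) for k in range(n)]
```

With the quoted figures an 8-byte request spans 80 bit times, i.e. 250 samples at 30 kHz, so a 383-sample record covers more than the request bytes alone.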
There are several choices regarding the CT attachment. It can be attached to line "B" instead of "A." The direction of the CT can also be reversed. It can be attached around the Client or at the far end of the network. In this study, we consider two monitoring cases for simplicity:
1. A CT near the Client
2. A CT at the far end, as in Fig. 2
We call the data collected with the former configuration Data Set 1 (DS1 for short) and the data collected with the latter configuration Data Set 2 (DS2).

Modbus/RS-485 Attack Dataset Profiles

We carried out five types of attacks and generated datasets with our real RS-485 platform. We used four Modbus servers. Each server had five registers. The Client requested all the servers, specifying those register addresses one by one. Each request frame was captured by the data logger at a 30 kHz A/D sampling frequency, 383 times per frame. Thus, a record in our dataset has 383 features. The attacker was also connected to the line at Server 2, and sometimes it carried out attacks. To put ground-truth labels, the attack status (attack or not) was explicitly notified to the data logger via a separate line.

In this study, we have performed the following five types of attacks. The numbers in brackets below indicate the numbers of collected records. Here, the total Benign records were (DS1: 203261; DS2: 296909).

1. Spoofing Attack (DS1: 30519; DS2: 34209): This attack can alter the real values. For example, the reported values of smoke detectors can be altered to false, and a fire might not be noticed before it gets out of control. An attacker transmits jamming signals on the communication line after reading the first four bytes of a request from the Client. Here, the first four bytes contain the Server ID and register address, so the attacker can identify the spoofing target. The jamming signals break the later part of the frame, including the CRC16 checksum area. Then, the legitimate server receives a broken message and does nothing. Instead, the attacker responds with its spoofed message.
2. Random Collision Attack (DS1: 35054; DS2: 77012): This attack can deny communications, and the field-bus operation will be suspended. An attacker transmits jamming signals on the communication line at random when it observes a legitimate signal. This destroys the request frames from the Client, and the communication between the Client and the Server is denied.
3. Horizontal Scan Attack (DS1: 29959; DS2: 55435): This attack can steal the network configuration, which can be used for planning further attacks, such as spoofing. An attacker requests Servers on the network by changing the Server IDs, expecting some responses, including error responses, from the specified Server if it exists.
4. Vertical Scan Attack (DS1: 29440; DS2: 68672): This attack can steal the Server device information, which can be used for planning further attacks. An attacker requests to read from a wider range of register addresses one by one. This attack can explore data from – which are usually not used

When an attack has occurred and is detected, the system operator must identify the deployed device and remove it from the network. In the case of Spoofing and Random Collision attacks, the previously collected data needs to be validated by collecting it manually from the Servers if available. In the case of Horizontal or Vertical Scan attacks, the whole network configuration may need to be reconstructed because they have actively explored the network, which may be used for targeted attacks. In the case of Evil Twin attacks, we need to investigate whether the register values were maliciously deployed as a backdoor or not.

Fig. 4. Profiles of the attack dataset. This dataset is captured with: a) the interface to the A/D converter (a current transformer around the RS-485 A/B line, a burden resistor, AREF and Analog In pins, and a 10-bit, 30 kHz analog-to-digital converter); b) example benign/attack patterns in DS2; c) UMAP projections of benign and attack records in DS2, i.e., all the records projected into two-dimensional space by UMAP [15].

Figure 4a shows the monitoring circuit. Figure 4b is an example of benign and attack records in DS2. We can see that the signals are very complex, and there seem to be no heuristic approaches for classifying them. Attack detection in DS2 is more challenging than in DS1 because we observe only small differences between benign and attack records. But it can be performed with machine learning, which is described in the latter sections. Figure 4c shows the two-dimensional projections of all the benign and attack records by UMAP [15]. These representations indicate that machine learning algorithms can clearly separate benign and attack records.

The dataset is available at: https://github.com/jo2lxq/rs485-sec

Attack Detection with Supervised Learning

Motivation

If the dataset has ground truth labels, we can apply supervised learning as a classification problem. In this section, we evaluate the performance of classification with machine learning algorithms, showing that XGBoost performs the best as the state-of-the-art for our dataset.
one and
by one. This attack
exchanged on canthe explore data – which
communication lineare ExperimentofSclassification
we evaluate the performance etting with machine
usually
but notare used and exchanged
still existed on the communication
on the Server. learning algorithms, showing
For preprocessing, that XGBoostthe
we normalized performs the best
A/D sam-
line but are
5. Evil Twin stillAttack
existed (DS1:
on the Server.
69896; DS2: 61297): as the
pledstate-of-the-art
values andforsplit
our dataset.
the whole dataset by 80
5) EvilThis
Twinattack
Attackcan (DS1: 69896; DS2:
override register61297)values on percent and 20 percent for training and testing
This attack can override register values on the Server and B. Experiment Setting
the Server and the ICS operation mode respectively. We then, used a support vector
the ICS operation mode can be changed without being For preprocessing, we normalized the A/D sampled values
can be changed without being noticed. An machine (SVM), decision tree (DT), long short-
noticed. An attacker sends requests on behalf of the and split the whole dataset by 80% and 20% for training and
attacker
legitimate sends
Client. Therequests
requests canon behalf
be identicalof the legit-of
to those term memory (LSTM), multilayer perceptron
testing respectively. We then, used a support vector machine
imate Client. The requests can
the legitimate Client. However, accepting and responding be identical (MLP), random forest (RF), 1D-convolutional
(SVM), decision tree (DT), long short-term memory (LSTM),
to attacker’s
to the those of requeststhe legitimateshould be Client.
avoided,However,
and these neural network (1D-CNN), and extreme gradient
multilayer perceptron (MLP), random forest (RF), 1D-
accepting and responding
kinds of anomalous requests should be detected. to the attacker’s boosting (XGBoost) for comparison. LSTM-based
convolutional neural network (1D-CNN), and extreme gradient
requests should be avoided, and these kinds approach was previously proposed [12]. We used
of anomalous requests should be detected. the scikit-learn for SVM, DT, and RF, the xgboost
When an attack occurred and is detected, library, and PyTorch for LSTM, MLP and 1D-CNN.
the system operator must identify the device and For MLP we used three fully-connected (FC)
remove it from the network. In the case of Spoof- layers with hidden vector sizes 128 and 32. For
ing and Random Collision attacks, the previously 1D-CNN, we used 2 convolution layers with
collected data needs to be validated by collecting batch normalization and max-pooling, and three
manually from Servers if available. In the case of FC layers followed with input vector size 2912
Horizontal or Vertical Scan attacks, the whole net- and hidden vector sizes 256 and 32. We used
work configuration may need to be reconstructed cross-entropy loss, and an Adam optimizer with a
because they have actively explored the network, learning rate of 0.0001. We trained 500 epochs
which may be used for targeted attacks. In the with a batch size of 64 for MLP, 50 epochs with a
case of Evil Twin attacks, we need to investigate batch size of 8 for LSTM and 1D-CNN.

46 IEEE Communications Magazine • June 2023

Performance of Classification

Table 1 shows the accuracy, precision, recall, and F1 score of the algorithms. As these results show, all the algorithms achieved more than 0.98 accuracy. Especially, both XGBoost and 1D-CNN achieved 0.9999, which was much better than SVM, DT, LSTM, RF, and MLP. In detail, XGBoost misclassified only 2 records of 59430 test benign records as attacks and only 3 records of all the test attack records (59268 records) as benign. This indicates that, from the positive (alerting) or negative (non-alerting) point of view, XGBoost achieved 0.99995 for the true positive rate, 0.00003 for the false positive rate, 0.00005 for the false negative rate, and 0.99997 for the true negative rate. XGBoost basically performs the best, but 1D-CNN can also serve as an alternative. These performances would be practically enough for real operations.

TABLE 1. Performance of supervised learning algorithms.

Model     Accuracy  Precision  Recall  F1 Score
SVM       0.9883    0.9897     0.9795  0.9843
DT        0.9935    0.9919     0.9910  0.9914
LSTM      0.9969    0.9953     0.9946  0.9949
MLP       0.9971    0.9951     0.9952  0.9951
RF        0.9977    0.9970     0.9961  0.9966
1D-CNN    0.9999    0.9998     0.9999  0.9999
XGBoost   0.9999    0.9999     0.9999  0.9999

Discussions on the Results

As we have observed, even a basic machine learning model could achieve good performance for attack detection and classification. We consider that there were at least two reasons for achieving such high accuracies.
• The communication signals were very stable even in the analog form. The signals were generated by electronic devices, not by humans, so the generated signals were always very precise and not influenced by other factors.
• The request patterns were periodically repeated. For example, the Client sent read requests specifying the same Servers and registers periodically.
These are very common characteristics of field-bus systems. They periodically repeat the same communication signals for talking with programmed electronic devices. In general, a machine learning model is very good at learning such precisely repeated patterns, indicating that our approach is effective in many field buses.

Attack Detection with Unsupervised Learning

Motivation

When we consider the practical deployment cases, we will soon realize that we cannot easily obtain attack records with ground truth labels from real operating systems. In this context, unsupervised learning is more promising. It will learn the benign patterns from the daily traffic, fitting to the target network, and if something occurred in the network, it detects the event as an anomaly. An autoencoder can be used as one of the anomaly detection schemes for this purpose. It trains itself to reconstruct the input benign records as precisely as possible. At the prediction phase, if the error between the input and the reconstruction is larger than a certain threshold, which is what we expect for an abnormal input, we consider the input record an anomaly. Depending on the configuration of the autoencoder, we could have many variations, such as MLP-autoencoder, 1D-CNN autoencoder, and LSTM-autoencoder. In this article, we focus on MLP-autoencoder as the most basic and the best example [13], and further study the distribution of anomaly scores, receiver operating characteristics (ROC), and the area under the curves (AUCs).

Experiment Setting

In our experiment, we used two layers for the encoder and the other two layers for the decoder. The detailed model architecture was: FC (in = 383, out = 128) – ReLU – FC (in = 128, out = 64) – ReLU – FC (in = 64, out = 128) – ReLU – FC (in = 128, out = 383) – Sigmoid. We used mean squared error (MSE) for both the loss function and the anomaly score, an Adam optimizer with a learning rate of 0.0001, and trained 500 epochs with a batch size of 64. We used 80 percent of the Benign records for training, and the remaining 20 percent of the Benign records and the whole attack records for testing. We normalized the A/D sampled values for preprocessing.

Performances of Anomaly Detection

Figure 5 shows the stacked histograms of anomaly scores in log scales. The size of each bin is 10^-5. Because of the log-scale illustration, the overlap between Benign and Evil Twin attacks is emphasized, i.e., the major portions of data were not overlapped. Other attacks were clearly separated from Benign cases. There are overlaps among different attacks, but it is not an issue because, in the case of unsupervised learning, we usually consider the true positive, true negative, false positive, and false negative rates between Benign and Attack. Attack classification is not the problem being solved here. Because those positive/negative rates change depending on the threshold settings, we analyzed the receiver operating characteristics (ROC) per attack type to evaluate the performance of the trained autoencoder model itself. The results of the area under the curves (AUCs) were:
• Spoofing: 0.9998
• Random Collision: 0.9999
• Horizontal Scan: 0.9999
• Vertical Scan: 0.9999
• Evil Twin: 0.9992
These results indicate that the MLP-autoencoder can potentially perform anomaly detection precisely.

Future Research Directions

In this study, we carried out experiments on laboratory-based testbeds. The results of our basic supervised and unsupervised learning models have shown good performances. This may lead to the next questions:
1. How about larger deployment cases in a noisy environment?
2. How about other kinds of field buses?

FIGURE 5. Histograms of anomaly scores for test Benign and Attack records. The size of each bin is 10^-5. Because of the log-scale illustration, the overlap between Benign and Evil Twin attacks is emphasized, i.e., the major portions of data were not overlapped. Other attacks were clearly separated from Benign cases.
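The evaluation behind Fig. 5 and the per-attack AUCs in the Performances of Anomaly Detection section, and the rate bookkeeping in the Performance of Classification section, fit together in a few small functions. The following is an added example written for this edit, not the authors' evaluation code: the anomaly score is the MSE between a record and its reconstruction, the deployment threshold is taken from benign scores only (no attack labels are available in a real installation, as the Motivation section notes), the TPR/FPR/FNR/TNR at a threshold are derived from a confusion count, and the ROC is swept per attack type and integrated to an AUC. The score values are constructed; the only figures taken from the article are the XGBoost confusion counts (2 of 59430 benign, 3 of 59268 attack), which the last call turns back into rates.

```python
"""Threshold-dependent detection rates and per-attack ROC/AUC over anomaly scores.

Added illustration written for this edit, not the paper's evaluation code.
The scores below are constructed; real ones come from an autoencoder's
reconstruction error on A/D sampled records.
"""
from typing import Dict, List, Sequence, Tuple


def reconstruction_error(x: Sequence[float], x_hat: Sequence[float]) -> float:
    """Mean squared error between a record and its reconstruction: the anomaly score."""
    if len(x) != len(x_hat):
        raise ValueError("record and reconstruction must have the same length")
    return sum((a - b) ** 2 for a, b in zip(x, x_hat)) / len(x)


def threshold_from_benign(benign_scores: Sequence[float], quantile: float = 0.99) -> float:
    """Deployment threshold chosen from benign training scores only: the score at
    rank floor(quantile * n), clamped to the largest benign score."""
    ordered = sorted(benign_scores)
    return ordered[min(int(quantile * len(ordered)), len(ordered) - 1)]


def rates_from_confusion(tp: int, fp: int, fn: int, tn: int) -> Dict[str, float]:
    """Positive = attack (alerting). TPR + FNR = 1 and FPR + TNR = 1 by construction."""
    return {"TPR": tp / (tp + fn), "FNR": fn / (tp + fn),
            "FPR": fp / (fp + tn), "TNR": tn / (fp + tn)}


def rates_at_threshold(benign: Sequence[float], attack: Sequence[float],
                       thr: float) -> Dict[str, float]:
    """Alert when score > thr; attack records are the positives."""
    tp = sum(1 for s in attack if s > thr)
    fp = sum(1 for s in benign if s > thr)
    return rates_from_confusion(tp, fp, len(attack) - tp, len(benign) - fp)


def roc_curve(benign: Sequence[float], attack: Sequence[float]) -> List[Tuple[float, float]]:
    """(FPR, TPR) points from (0, 0) to (1, 1), sweeping the alert rule
    'score >= thr' over every distinct score from highest to lowest."""
    points = [(0.0, 0.0)]
    for thr in sorted(set(benign) | set(attack), reverse=True):
        tpr = sum(1 for s in attack if s >= thr) / len(attack)
        fpr = sum(1 for s in benign if s >= thr) / len(benign)
        points.append((fpr, tpr))
    return points


def auc(points: Sequence[Tuple[float, float]]) -> float:
    """Trapezoidal area under an ROC curve."""
    return sum((x1 - x0) * (y0 + y1) / 2
               for (x0, y0), (x1, y1) in zip(points, points[1:]))


def auc_per_attack(benign: Sequence[float],
                   attacks: Dict[str, Sequence[float]]) -> Dict[str, float]:
    """One ROC/AUC per attack type, each against the same benign test scores."""
    return {name: auc(roc_curve(benign, scores)) for name, scores in attacks.items()}


if __name__ == "__main__":
    benign_test = [0.1, 0.2, 0.3, 0.4]                  # constructed MSE scores
    attacks = {"Evil Twin": [0.35, 0.5, 0.6, 0.7],      # overlaps the benign tail
               "Horizontal Scan": [1.0, 2.0]}           # well separated
    thr = threshold_from_benign(benign_test, 1.0)
    print(thr, rates_at_threshold(benign_test, attacks["Evil Twin"], thr))
    print(auc_per_attack(benign_test, attacks))
    # XGBoost confusion counts from the Performance of Classification discussion
    print(rates_from_confusion(tp=59265, fp=2, fn=3, tn=59428))
```

Two practitioner notes follow from the code. First, the AUC is threshold-free, which is why it is the right figure for comparing attack types, but an operator still has to pick one threshold, and in the benign-only deployment the article argues for, that threshold can only come from the benign score distribution, so the Evil Twin tail that overlaps it in Fig. 5 is exactly where misses will occur. Second, the rates must satisfy TPR + FNR = 1 and FPR + TNR = 1; computing them from counts rather than quoting them avoids the kind of transposition that is easy to make by hand.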
Answering these open questions will be the next research direction.

Practical Problems in Large-Scale Networks

Our supervised-learning study is good for understanding the use of machine learning for field-bus security; however, we still need to consider the application to other concrete RS-485 networks. The patterns of communication signals would differ in many ways. They might have a different number of Servers, including different Server IDs and register addresses. They might also have other kinds of devices, such as HVAC controllers and light status monitors, along with power meters. The RS-485 driver IC, the length of the communication lines, and the communication stacks will also be different. For these issues, as we have discussed, the unsupervised approach could be more promising because we cannot develop attack datasets on real installed and operating systems. Instead, an autoencoder can theoretically learn benign patterns from the given environment automatically and find anomalies. This is demonstrated with our unsupervised approach.

A large-scale RS-485 network will have many devices (such as 16 devices, or 32 devices) from many vendors with many configurations. The resistance and inductance of the communication lines will also change the forms of the communication signals. Noise caused by power conditioners of solar farms, radio transmissions, and thunder may appear in the monitored signals. We might sometimes need to differentiate the detected events between security incidents and mechanical/electrical faults. However, at least, our monitoring system will contribute to an early finding of security incidents or machine faults. Solutions to these practical problems should be explored in the future.

Application to Other Communication Protocols

Our machine learning-based systems do not require any protocol format information. We used Modbus as the target protocol in this study, but we did not use its format in designing our machine learning architecture. This means that other protocols such as BACnet and Profibus, including vendor-specific proprietary protocols, are also applicable. The model will be able to learn the features of the protocol automatically. LonWorks does not use RS-485 at the physical layer but has a similar physical bus, thus our method can be applied.

Conclusion

In this article, we have taken the approach of attack detection to add security features to Modbus/RS-485 networks rather than taking the approach of encryption and authentication. We have proposed a novel current transformer (CT) based monitoring method and developed a ground truth dataset that contains five types of attacks. In our evaluation, supervised learning with XGBoost achieved a classification accuracy of 0.9999, and unsupervised learning with MLP-autoencoder achieved areas under the curves (AUCs) of the receiver operating characteristics (ROC) between 0.9992 and 0.9999. We have also identified future research directions for large-scale networks and applications to other field-bus protocols.

Acknowledgment

This article is based on the results obtained from a project commissioned by the NEDO, Japan. Part of this study was funded by the ICS-CoE Core Human Resources Development Program, Japan.

References

[1] K. Stouffer, J. Falco, and K. Scarfone, "Guide to Industrial Control Systems (ICS) Security," NIST Special Publication, vol. 800, no. 82, 2011, pp. 16–16.
[2] Y. Liu et al., "A Taxonomy for the Security Assessment of IP-Based Building Automation Systems: The Case of Thread," IEEE Trans. Industrial Informatics, vol. 14, no. 9, 2018, pp. 4113–23.
[3] S. Pan, T. Morris, and U. Adhikari, "Developing A Hybrid Intrusion Detection System Using Data Mining for Power Systems," IEEE Trans. Smart Grid, vol. 6, no. 6, 2015, pp. 3104–13.
[4] P. Radoglou-Grammatikis et al., "Modeling, Detecting, and Mitigating Threats Against Industrial Healthcare Systems: A Combined Software Defined Networking and Reinforcement Learning Approach," IEEE Trans. Industrial Informatics, vol. 18, no. 3, 2021, pp. 2041–52.
[5] D. Fauri et al., "Encryption in ICS Networks: A Blessing or A Curse?," IEEE Int'l. Conf. Smart Grid Commun., 2017.
[6] T. Morris and W. Gao, "Industrial Control System Traffic Data Sets for Intrusion Detection Research," Int'l. Conf. Critical Infrastructure Protection, Springer, Berlin, Heidelberg, 2014.
[7] A. P. Mathur and N. O. Tippenhauer, "SWaT: A Water Treatment Testbed for Research and Training on ICS Security," IEEE CySWater, 2016.
[8] E. Seo, H. M. Song, and H. K. Kim, "GIDS: GAN Based Intrusion Detection System for In-Vehicle Network," IEEE 16th Annual Conf. Privacy, Security and Trust, 2018.
[9] M. D. Hossain et al., "LSTM-Based Intrusion Detection System for In-Vehicle Can Bus Communications," IEEE Access, vol. 8, 2020, pp. 185,489–502.
[10] B. Weinger et al., "Enhancing IoT Anomaly Detection Performance for Federated Learning," Elsevier Digital Communications and Networks, 2022.
[11] P. Liu et al., "Channel-State-Based Fingerprinting against Physical Access Attack in Industrial Field Bus Network," IEEE Internet of Things J., 2022.

[12] M. D. Hossain et al., "Smart Meter RS-485 Spoofing Attack Detection by LSTM Deep Learning Approach," IEEE Swiss Conf. Data Science, 2022.
[13] P. Chirupphapa et al., "Unsupervised Anomaly Detection in RS-485 Traffic using Autoencoders with Unobtrusive Measurement," IEEE Int'l. Performance, Computing, and Commun. Conf., 2022.
[14] MODBUS Application Protocol Specification: V1.1b3. Modbus Organization, 2012.
[15] L. McInnes, J. Healy, and J. Melville, "UMAP: Uniform Manifold Approximation and Projection for Dimension Reduction," arXiv preprint arXiv:1802.03426, 2018.

Biographies

Hideya Ochiai [M] ([email protected], ochiai@g.ecc.u-tokyo.ac.jp) received his Ph.D. degree in information science and technology from the University of Tokyo, Japan, in 2011. He became an assistant professor and associate professor in 2011 and 2017 at the University of Tokyo, respectively. His research ranges from IoT system and protocol designs to peer-to-peer overlay networks, delay-disruption tolerant networks, network security, and decentralized machine learning. He joined the standardization activities of IEEE in 2008 and of ISO/IEC JTC1/SC6 in 2012. He is a chair of the board of the Green University of Tokyo Project since 2016, a chair of the LAN-security monitoring project since 2018, and a chair of the decentralized AI project since 2022.

Md Delwar Hossain [M] received the M.Sc. in Engineering in Information Systems Security degree from the Bangladesh University of Professionals and a Ph.D. degree in information science and engineering from the Nara Institute of Science and Technology (NAIST), Japan. He is currently an Assistant Professor with the Laboratory for Cyber Resilience at NAIST. His research interests include cybersecurity, artificial intelligence, automotive security, smart grid security, and industrial control systems security.

Pawissakan Chirupphapa received his B.E. degree from Chulalongkorn University, Thailand, in 2016, and received his M.E. degree in information science and technology from The University of Tokyo, Japan, in 2022. His research interests include vehicular ad hoc networks, data engineering, artificial intelligence, and network security.

Youki Kadobayashi [M] received his Ph.D. degree in computer science from Osaka University, Japan, in 1997. He is currently a Professor in the Graduate School of Information Science, Nara Institute of Science and Technology (NAIST), Japan. Since 2013, he has also been working as the Rapporteur of ITU-T Q.4/17 for cybersecurity standardization. His research interests include cybersecurity, web security, and distributed systems.

Hiroshi Esaki [M] received his Ph.D. from the University of Tokyo, Japan, in 1998. In 1987, he joined the Research and Development Center, Toshiba Corporation. From 1990 to 1991, he was at Bellcore Inc. as a residential researcher. From 1994 to 1996, he was at Columbia University. Since 1998, he has been serving as a professor at the University of Tokyo, and as a board member of the WIDE Project. Currently, he is the executive director of the IPv6 Promotion Council, vice president of JPNIC, IPv6 Forum Fellow, director of the WIDE Project, and chief architect of the Digital Agency, Japan.
