A module for anomaly detection in ICS networks

Network security monitoring using machine learning algorithms is a topic that has been well researched and found to be difficult to use. We propose to use a specific approach in restricted IP network environments and leverage the network state information and information from individual connections for increased level of sensitivity. The approach is meant for use in restricted IP networks which exhibit a level of determinism that enables the use of machine learning approach. In this work we use algorithm called Self-Organizing Maps. We introduce an implementation of self-organizing maps engine built on top of the Bro network security monitor. An implemented selection of initial features for the Self-Organizing Maps is provided and a sample sub-set is used when training a SOM lattice for network data from an industrial control system environment. The anomaly detection prototype described in this paper is meant as a complementary mechanism, not a standalone solution for network security monitorin