IPAL: Breaking up Silos of Protocol-dependent and Domain-specific Industrial Intrusion Detection Systems

11/05/2021
by Konrad Wolsing, et al.

The increasing interconnection of industrial networks with the Internet exposes them to an ever-growing risk of cyberattacks. A well-proven mechanism to detect such attacks is industrial intrusion detection, which searches for anomalies in otherwise predictable communication or process behavior. However, efforts to improve these detection methods mostly focus on specific domains and communication protocols, leading to a research landscape that is broken up into isolated silos. Thus, existing approaches cannot be applied to other industrial scenarios that would equally benefit from powerful detection approaches. To better understand this issue, we survey 53 detection systems and conclude that there is no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential for intrusion detection across industrial domains and protocols, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial communication protocols. We show the practical applicability and correctness of IPAL through a reproducibility study in which we re-implement eight detection approaches from related work on top of IPAL. Finally, we showcase the unique benefits of IPAL for industrial intrusion detection research by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols.
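The core idea of the abstract, a protocol abstraction layer between protocol-specific parsers and a detector that never sees protocol details, can be illustrated in a few lines. The following is an added example written for this page; it is not IPAL's code and does not use IPAL's actual message format. The `Message` schema, the two toy protocols (`protoA`, a register-write line format; `protoB`, a tag/value record format) and all sample traffic are constructed here for illustration. The detector is a plain per-variable min/max range check trained on benign traffic, chosen because it is the simplest process-level anomaly detector that works on the abstracted record alone.

```python
"""Protocol abstraction in front of a protocol-agnostic anomaly detector.

Added illustration, not IPAL's code; the Message schema and both toy protocols
are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class Message:
    """Protocol-independent record handed to detectors (assumed schema)."""
    timestamp: float
    protocol: str
    src: str
    dst: str
    activity: str                       # "read", "write" or "other"
    data: Dict[str, float] = field(default_factory=dict)   # variable -> value


# --- protocol-specific front ends (constructed toy protocols) ----------------

def parse_proto_a(line: str) -> Message:
    """protoA: 'ts;src;dst;fc;addr;value', fc 3 = read, 6 = write (assumed)."""
    ts, src, dst, fc, addr, value = line.split(";")
    activity = {"3": "read", "6": "write"}.get(fc, "other")
    return Message(float(ts), "protoA", src, dst, activity,
                   {f"reg{addr}": float(value)})


def parse_proto_b(rec: dict) -> Message:
    """protoB: dict with t/from/to/op/tag/val, op RD = read, WR = write (assumed)."""
    activity = {"RD": "read", "WR": "write"}.get(rec["op"], "other")
    return Message(float(rec["t"]), "protoB", rec["from"], rec["to"], activity,
                   {rec["tag"]: float(rec["val"])})


PARSERS: Dict[str, Callable[..., Message]] = {
    "protoA": parse_proto_a,
    "protoB": parse_proto_b,
}


def ingest(protocol: str, raw_records: Iterable) -> List[Message]:
    """Translate protocol-specific captures into the common record format."""
    parser = PARSERS[protocol]
    return [parser(r) for r in raw_records]


# --- protocol-agnostic detector ---------------------------------------------

class RangeDetector:
    """Learns per-variable [min, max] from benign traffic, flags out-of-range
    values and variables never seen in training. Only touches Message fields."""

    def __init__(self) -> None:
        self.bounds: Dict[str, Tuple[float, float]] = {}

    def train(self, msgs: Iterable[Message]) -> None:
        for m in msgs:
            for name, value in m.data.items():
                lo, hi = self.bounds.get(name, (value, value))
                self.bounds[name] = (min(lo, value), max(hi, value))

    def detect(self, m: Message) -> List[str]:
        alerts = []
        for name, value in m.data.items():
            if name not in self.bounds:
                alerts.append(f"{m.protocol} t={m.timestamp}: unknown variable {name}")
                continue
            lo, hi = self.bounds[name]
            if not lo <= value <= hi:
                alerts.append(f"{m.protocol} t={m.timestamp}: {name}={value} "
                              f"outside [{lo}, {hi}]")
        return alerts


def evaluate(train: List[Message], test: List[Message]) -> List[str]:
    """Train on benign messages, return all alerts raised on the test messages."""
    det = RangeDetector()
    det.train(train)
    return [a for m in test for a in det.detect(m)]


# --- constructed sample traffic ----------------------------------------------
TRAIN_A = ["1;10.0.0.1;10.0.0.2;6;40001;100",
           "2;10.0.0.1;10.0.0.2;6;40001;120",
           "3;10.0.0.1;10.0.0.2;6;40001;110"]
TEST_A = ["4;10.0.0.1;10.0.0.2;6;40001;115",
          "5;10.0.0.1;10.0.0.2;6;40001;500"]        # out of learned range

TRAIN_B = [{"t": 1, "from": "plc1", "to": "hmi", "op": "WR", "tag": "level", "val": 50},
           {"t": 2, "from": "plc1", "to": "hmi", "op": "WR", "tag": "level", "val": 55},
           {"t": 3, "from": "plc1", "to": "hmi", "op": "WR", "tag": "level", "val": 52}]
TEST_B = [{"t": 4, "from": "plc1", "to": "hmi", "op": "WR", "tag": "level", "val": 53},
          {"t": 5, "from": "plc1", "to": "hmi", "op": "WR", "tag": "level", "val": 10},
          {"t": 6, "from": "plc1", "to": "hmi", "op": "WR", "tag": "pump", "val": 1}]

if __name__ == "__main__":
    for proto, train, test in (("protoA", TRAIN_A, TEST_A), ("protoB", TRAIN_B, TEST_B)):
        for alert in evaluate(ingest(proto, train), ingest(proto, test)):
            print(alert)
```

The point is that `RangeDetector` contains no protocol knowledge: porting it to a new protocol means writing a new parser into `Message`, not touching the detector. The same holds for the reverse direction, since any detector written against `Message` can immediately be evaluated on captures from every protocol that has a parser, which is the cross-dataset generalizability study the abstract describes.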
