Graph Convolutional Network-based Suspicious Communication Pair Estimation for Industrial Control Systems

Abstract

Whitelisting is considered an effective security monitoring method for networks used in industrial control systems, where the whitelists consist of observed tuples of the IP address of the server, the TCP/UDP port number, and IP address of the client (communication triplets). However, this method causes frequent false detections. To reduce false positives due to a simple whitelist-based judgment, we propose a new framework for scoring communications to judge whether the communications not present in whitelists are normal or anomalous. To solve this problem, we developed a graph convolutional network-based suspicious communication pair estimation using relational graph convolution networks, and evaluated its performance. For this, we collected the network traffic of three factories owned by Panasonic Corporation, Japan. The proposed method achieved a receiver operating characteristic area under the curve of 0.957, which outperforms baseline approaches such as DistMult, a method that directly optimizes the node embeddings, and heuristics, which score the triplets using first- and second-order proximities of multigraphs. This method enables security operators to concentrate on significant alerts.Comment: 9 pages, 3 figure

Similar works

Full text

arXiv.org e-Print ArchiveProvided a free PDF (195.62 KB)

2007.10204oai:arXiv.org:2007.10204
Last time updated on July 22, 2020View original full text link

This paper was published in arXiv.org e-Print Archive.

Having an issue?

Is data on this page outdated, violates copyrights or anything else? Report the problem now and we will take corresponding actions after reviewing your request.