A Network Traffic Processing Library for ICS Anomaly Detection


The research paper offers an in-depth glimpse into cutting-edge research, focused primarily on advancements in network anomaly detection within industrial control systems (ICS). Several referenced studies explore the development, implementation, and assessment of machine learning algorithms, analyzing their efficacy in identifying irregularities in network traffic. These findings are crucial as they can significantly impact the detection and mitigation of potential cyber threats in diverse network environments.

Anomaly Detection in ICS Networks

Anomaly detection (AD) systems in ICS are specific Intrusion Detection Systems (IDS) that analyze network communication to identify difference between actual and expected system behaviors.
Classification-based Methods:

Employ techniques like One-Class Support Vector Machine (OCSVM)and Deep Neural Networks to detect irregularities in communication protocols like Modbus.

Model-based Methods:

Use Finite-Automata and Discrete Multi-Input and Multi-Output (MIMO) system models which represent Modbus communication.

Time-series Analysis:

Exploits periodicity in ICS communication to learn traffic patterns and detect deviations.

Various methods and algorithms are explored and compared to detect anomalies in ICS environments effectively, with many achieving accuracies greater than 90%.

Building the Library for AD

The idea is to build a library that can process ICS communication, extract relevant information, and provide it with a user-specified anomaly detection method. It is created in C# and targets the .NET Core framework, is versatile, working on various operating systems, and is designed for projects needing packet capture processing. It encompasses main components like Capture trace providers, Protocol decoders, and a central Traffic store, each serving to manage, interpret, and store packet and conversation data, respectively, ensuring optimal performance and extensive data support.

This library supports integration with command-line tools and Jupyter notebooks, making it a powerful tool during both the implementation and prototyping stages of development. The conversations and packet processors in the library play pivotal roles, allowing analysis and feature extraction from bidirectional flows and individual packets.

Evaluation and Performance

The evaluation illustrates that the proposed data preprocessing library got improved performance and user experience in the data preparation phase compared to Tshark. Based on datasets from the 4SICS cybersecurity conference, emphasizes the library’s efficiency and its seamless integration with machine learning frameworks through demonstrations involving anomaly detection methods. The library demonstrated faster processing and versatility in handling different ICS communication protocols, showcasing its potential utility in various industrial cybersecurity scenarios.


Overall, the paper outlines the development of a network data preprocessing library, designed to enhance anomaly detection in ICS by offering optimized processing capabilities and integration with machine learning libraries, representing a significant advancement in the field despite its early stage of development.

Author: Ondřej Ryšavý , Petr Matoušek

A Network Traffic Processing Library for ICS Anomaly Detection