# A Question of Context: Enhancing Intrusion Detection by Providing Context Information

**Authors:** Simon Duque Anton, Daniel Fraunholz, Stephan Teuber, Hans Dieter Schotten

arXiv: 1905.11735 · 2019-05-29

## TL;DR

This paper demonstrates that incorporating contextual information from industrial networks significantly improves the reliability of intrusion detection systems in identifying malicious activities compared to using network data alone.

## Contribution

The study introduces a simulation framework and compares context-based and context-less intrusion detection methods, highlighting the benefits of using context information in industrial network security.

## Key findings

- Context-aware detection outperforms context-less methods in identifying attacks.
- Industrial networks' uniformity aids in detecting outliers.
- Simulation results show improved detection reliability with context information.

## Abstract

Due to the fourth industrial revolution, and the resulting increase in interconnectivity, industrial networks are more and more opened to publicly available networks. Apart from the huge benefit in manageability and flexibility, the openness also results in a larger attack surface for malicious adversaries. In comparison to office environments, industrial networks have very high volumes of data. In addition to that, every delay will most likely lead to loss of revenue. Hence, intrusion detection systems for industrial applications have different requirements than office-based intrusion detection systems. On the other hand, industrial networks are able to provide a lot of contextual information due to manufacturing execution systems and enterprise resource planning. Additionally, industrial networks tend to be more uniform, making it easier to determine outliers. In this work, an abstract simulation of industrial network behaviour is created. Malicious actions are introduced into a set of sequences of valid behaviour. Finally, a context-based and a context-less intrusion detection system are used to find the attacks. The results are compared and commented on. It can be seen that context information can help in identifying malicious actions more reliably than intrusion detection with only one source of information, e.g. the network.
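The following is an added toy illustration of the comparison the abstract describes; it is not the paper's simulation framework (that is in the full text) and all of its process steps, hosts, commands and attack events are constructed. A production cell repeats a fixed sequence of steps, each step is expected to produce certain network commands, and the MES reports which step is active. A context-less detector sees only the network triples and flags rare ones; a context-aware detector checks each command against the step the MES says is running. The second injected attack is a perfectly ordinary command issued at the wrong step, which only the context-aware detector can see.

```python
"""Toy context-aware vs context-less intrusion detection for an industrial cell.

Added illustration, not the paper's code. Every step, host, command and
attack event below is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass

# Commands expected in each process step, as an MES would know them
# (constructed): (src, dst, command) triples.
EXPECTED = {
    "load":   {("HMI", "PLC1", "write:conveyor_on")},
    "drill":  {("HMI", "PLC1", "write:spindle_on"), ("PLC1", "PLC2", "read:depth")},
    "unload": {("HMI", "PLC1", "write:conveyor_on"), ("HMI", "PLC1", "write:spindle_off")},
}
STEP_ORDER = ["load", "drill", "unload"]


@dataclass(frozen=True)
class Event:
    step: str               # MES context: the process step active at this time
    src: str
    dst: str
    cmd: str
    malicious: bool = False  # ground truth for scoring; never shown to a detector


def valid_cycle():
    """One cycle of valid behaviour: every expected command of every step, in order."""
    return [Event(step, *c) for step in STEP_ORDER for c in sorted(EXPECTED[step])]


def build_trace(cycles=20):
    """Constructed trace: `cycles` valid cycles, then two injected attacks."""
    trace = []
    for _ in range(cycles):
        trace.extend(valid_cycle())
    # Attack A: a write from an engineering workstation that never talks to PLC1.
    # Rare on the wire, so network data alone is enough to notice it.
    trace.append(Event("drill", "ENGWS", "PLC1", "write:spindle_on", malicious=True))
    # Attack B: the normal HMI spindle_on command, but during "unload", where the
    # MES says the spindle must be off. Identical on the wire to 20 benign events.
    trace.append(Event("unload", "HMI", "PLC1", "write:spindle_on", malicious=True))
    return trace


def contextless_detect(trace, min_count=2):
    """Network-only outlier rule: flag (src, dst, cmd) triples seen fewer than min_count times."""
    counts = Counter((e.src, e.dst, e.cmd) for e in trace)
    return [e for e in trace if counts[(e.src, e.dst, e.cmd)] < min_count]


def context_detect(trace):
    """Context rule: flag any command not expected in the MES step it occurred in."""
    return [e for e in trace if (e.src, e.dst, e.cmd) not in EXPECTED.get(e.step, set())]


def evaluate(detector, trace):
    """True/false positives and false negatives of a detector over a labelled trace."""
    flagged = detector(trace)
    tp = sum(e.malicious for e in flagged)
    fp = len(flagged) - tp
    fn = sum(e.malicious for e in trace) - tp
    return {"tp": tp, "fp": fp, "fn": fn}


if __name__ == "__main__":
    trace = build_trace()
    print("context-less:", evaluate(contextless_detect, trace))
    print("context-aware:", evaluate(context_detect, trace))
```

The context-aware rule only helps if the context itself is trustworthy: it treats the MES step as ground truth, so an adversary who can alter MES state (or who attacks during a step where the command is expected anyway) is not caught by it. In practice the two detectors are complementary, and the context feed needs the same integrity protection as the network sensor.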

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.11735/full.md

## Figures

14 figures with captions in the complete paper: https://tomesphere.com/paper/1905.11735/full.md

## References

24 references — full list in the complete paper: https://tomesphere.com/paper/1905.11735/full.md

---
Source: https://tomesphere.com/paper/1905.11735