Graph Convolutional Network-based Suspicious Communication Pair Estimation for Industrial Control Systems

TL;DR

This paper introduces a graph convolutional network-based framework for detecting suspicious communication pairs in industrial control systems, significantly reducing false positives and improving security monitoring accuracy.

Contribution

The paper presents a novel GCN-based approach for scoring and identifying anomalous communication pairs, outperforming existing baseline methods in industrial network security.

Findings

Achieved an ROC AUC of 0.957, surpassing baseline methods.

Effectively reduces false positives in security alerts.

Demonstrated applicability on real factory network data.

Abstract

Whitelisting is considered an effective security monitoring method for networks used in industrial control systems, where the whitelists consist of observed tuples of the IP address of the server, the TCP/UDP port number, and IP address of the client (communication triplets). However, this method causes frequent false detections. To reduce false positives due to a simple whitelist-based judgment, we propose a new framework for scoring communications to judge whether the communications not present in whitelists are normal or anomalous. To solve this problem, we developed a graph convolutional network-based suspicious communication pair estimation using relational graph convolution networks, and evaluated its performance. For this, we collected the network traffic of three factories owned by Panasonic Corporation, Japan. The proposed method achieved a receiver operating characteristic area under the curve of 0.957, which outperforms baseline approaches such as DistMult, a method that directly optimizes the node embeddings, and heuristics, which score the triplets using first- and second-order proximities of multigraphs. This method enables security operators to concentrate on significant alerts.