CapBad: Content-Agnostic, Payload-Based Anomaly Detector for Industrial Control Protocols

Bibliographic details
Published in: IEEE Internet of Things Journal 2022-07, Vol. 9 (14), p. 1-1
Main authors: Cai, Jun; Wang, Qi; Luo, Jianzhen; Liu, Yan; Liao, Liping
Format: Article
Language: English
Description
Abstract: Efficient anomaly detection methods are urgently needed to prevent attacks in the application layer of the Industrial Internet of Things (IIoT). The existing intrusion detection systems have certain limitations in detecting abnormal packets exploited by application layer attacks. In this paper, a content-agnostic payload-based anomaly detector named CapBad is proposed to detect malicious packets in the application layer of the IIoT system. Specifically, a phase-aware hidden semi-Markov model (pHSMM) is used to model the industrial control protocol packets and automatically learn the packets' payload characteristics. The packet types are then inferred based on the packet likelihoods obtained by the pHSMM. In addition, a probabilistic suffix tree is employed to analyze the packets' contextual similarity to the historical packets. The abnormal packets are finally detected by comparing their contextual similarity with that of the historical normal packets. The proposed algorithm is verified by simulations, and the results show that CapBad has an excellent performance in detecting abnormal packets in the application layer.
ISSN: 2327-4662
DOI: 10.1109/JIOT.2021.3138534