This section details my published works focused on Anomaly Detection in Operational Technology (OT) Environments.

My graduate work will be focused on Quantum Computing.


Using Heuristics and Byte Histograms to Detect Anomalies in OT Network Traffic

Abstract:
Anomaly detection is a significant problem in Operational Technology (OT) networks. Given a collection of network traffic, detecting anomalies is paramount due to safety and functionality concerns. This paper seeks to prove the effectiveness of anomaly-based Intrusion Detection Systems (IDS) to protect Industrial Control Systems (ICS) from cyberattacks.

Our two-stage anomaly detection strategy employs heuristics and the byte histogram data structure to detect malicious activity as packets enter the network. The novelty of our byte histogram data structure is the ability to detect anomalies in packets where the details of every protocol in the packet are unknown.

This paper discusses the heuristics used in Stage One, the usage and effectiveness of byte histograms used in Stage Two, and the algorithms used to process packet information. Using an OT network traffic dataset, we evaluate our approach using multiple attack examples, achieving an average F2 Score of 99.81%.

Philip Rahal, Jack Nunnelee, Alex Howe, Mauricio Papa
DOI: 10.1007/978-3-031-85923-6_24

This material is based upon work supported by the ERDC under Contract No. W912HZ23C0011.

Enhancing Intrusion Detection in Industrial Control Systems: An Adaptive Protocol-Agnostic Approach

Jack Nunnelee, Philip Rahal, Alex Howe, Mauricio Papa
DOI: 10.1109/ISDFS65363.2025.11012043

Abstract:
This paper enhances an existing anomaly-based Intrusion Detection System (IDS) for Operational Technology (OT) networks. In particular, techniques are proposed to improve detection performance in diverse network environments without domain-specific knowledge. Traditional anomaly-based IDS implementations in critical infrastructure settings often require specialized knowledge to achieve accuracy, limiting scalability and adaptability.

This study enhances a protocol-agnostic approach by incorporating field masks and conditional filtering to reduce false positives and improve overall detection efficacy. Leveraging byte histograms to identify anomalous byte values in network traffic, we integrate field masks and conditional filtering as key mechanisms for optimizing anomaly detection by focusing on relevant packet fields and conditional rule application.

The IDS is evaluated in an unsupervised environment, demonstrating its robustness across varying network conditions. The burden on security analysis is minimized through a multi-stage evaluation that generates a detailed and explainable output with each test on incoming traffic. Experimental results reveal the proposed technique effectively maintains high detection rates with reduced false positives, underscoring the practical value of these enhancements in OT network security.

This material is based upon work supported by the ERDC under Contract No. W912HZ23C0011.

IoT Device Fingerprinting Using Byte Histograms

Jack Nunnelee, Alex Howe, Philip Rahal, Mauricio Papa
DOI: 10.1109/ICPS65515.2025.11087826

Abstract:
Device fingerprinting in the Internet of Things (IoT) is a promising security technique which allows organizations to leverage unique device characteristics in order to classify future unknown devices and validate outputs from known devices.

This paper introduces two novel contributions: a device fingerprinting method using byte histograms and a classification technique based on the Jensen-Shannon divergence score. Byte histograms represent the true behavior of a device by capturing byte-level data from its network packets, offering enhanced explainability for similarities observed between devices.

Unlike traditional feature-based fingerprints, byte histograms are device and protocol-agnostic, making them highly generalizable for use in different environments. Furthermore, byte histograms simplify the network restructuring process, ensuring seamless adaptability. We demonstrate the robust fingerprinting capabilities and accurate classification of the proposed byte histogram-based method by classifying both known and unknown IoT devices.

Three state-of-the-art machine learning algorithms are used for comparison to validate the proposed approach. This work demonstrates the efficacy of byte histogram-based fingerprints and highlights the advantages of byte-level granularity for IoT network security and device classification applications.
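The three abstracts above all rest on the same data structure: a 256-bin histogram of byte values taken from a device's (or a network's) packets, compared either against a baseline to flag anomalous byte values or against stored fingerprints with the Jensen-Shannon divergence to classify a device. The script below is an added illustration of that idea, not code from any of the papers. Every name in it (`byte_histogram`, `js_divergence`, `classify`, `anomalous_bytes`, the three device byte ranges) is my own, the 0.3 classification threshold is an assumed value, the `mask` argument is a simplified reading of the field-mask idea, and all packets are constructed with a seeded generator rather than captured.

```python
"""Byte-histogram fingerprints, Jensen-Shannon classification and
unseen-byte anomaly flagging. Added illustration, not the papers' code;
packets are constructed, so the script runs offline and deterministically."""
import math
import random
from collections import Counter


def byte_histogram(packets, mask=None):
    """256-bin normalised frequency of byte values across all packets.

    mask (optional, assumed): set of byte offsets to include, a simplified
    field mask so that e.g. a transaction-id field is not fingerprinted.
    """
    counts = Counter()
    for pkt in packets:
        for offset, value in enumerate(pkt):
            if mask is None or offset in mask:
                counts[value] += 1
    total = sum(counts.values())
    if total == 0:
        return [0.0] * 256
    return [counts[b] / total for b in range(256)]


def kl_divergence(p, q):
    """Kullback-Leibler divergence in bits; bins with p_i == 0 contribute 0."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: symmetric and bounded in [0, 1]."""
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]
    return 0.5 * kl_divergence(p, m) + 0.5 * kl_divergence(q, m)


def classify(hist, fingerprints, threshold=0.3):
    """Nearest fingerprint by JSD; 'unknown' if even the nearest is too far."""
    label, score = min(
        ((name, js_divergence(hist, fp)) for name, fp in fingerprints.items()),
        key=lambda item: item[1],
    )
    return (label if score <= threshold else "unknown"), score


def anomalous_bytes(packet, baseline, mask=None):
    """(offset, value) pairs whose byte value never occurred in the baseline."""
    return [
        (offset, value)
        for offset, value in enumerate(packet)
        if (mask is None or offset in mask) and baseline[value] == 0.0
    ]


def make_packets(seed, count, length, alphabet):
    """Constructed packets: `length` bytes drawn uniformly from `alphabet`."""
    rng = random.Random(seed)
    return [bytes(rng.choice(alphabet) for _ in range(length)) for _ in range(count)]


# Constructed device behaviours (assumed, for illustration): a register-polling
# device emits low byte values, a streaming device emits near-uniform bytes,
# and a third device that was never fingerprinted emits a disjoint byte range.
SENSOR_ALPHABET = bytes(range(0, 32))
CAMERA_ALPHABET = bytes(range(256))
STRANGER_ALPHABET = bytes(range(128, 160))

FINGERPRINTS = {
    "sensor": byte_histogram(make_packets(1, 100, 64, SENSOR_ALPHABET)),
    "camera": byte_histogram(make_packets(2, 100, 64, CAMERA_ALPHABET)),
}


def demo():
    """Classify three fresh captures; flag unseen bytes against the sensor baseline."""
    results = {}
    for name, seed, alphabet in [
        ("sensor_again", 3, SENSOR_ALPHABET),
        ("camera_again", 4, CAMERA_ALPHABET),
        ("stranger", 5, STRANGER_ALPHABET),
    ]:
        hist = byte_histogram(make_packets(seed, 100, 64, alphabet))
        results[name] = classify(hist, FINGERPRINTS)[0]
    # Anomaly stage: a sensor packet carrying a byte value the baseline never had.
    odd_packet = bytes([0, 1, 2, 0xFF, 3])
    results["flagged"] = anomalous_bytes(odd_packet, FINGERPRINTS["sensor"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points carry over from the abstracts: the histogram is protocol-agnostic, so nothing here parses a protocol, and the explanation of a verdict is concrete (the offending offset and byte value, or the JSD score to each stored fingerprint) rather than an opaque model output. In practice the threshold is tuned on held-out traffic from the known devices, and a field mask is chosen per deployment to exclude fields that are expected to vary.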

This material is based upon work supported by the ERDC under Contract No. W912HZ23C0011.