Feature Engineering in Machine Learning-Based Intrusion Detection Systems for OT Networks

This paper evaluates the importance of feature exploration and engineering when applying machine learning for intrusion detection in OT (Operational Technology) networks. Data used consisted of raw network traffic captures from a simulated OT environment communicating over the Modbus/TCP protocol. Feature engineering efforts identified thirty eight attributes of interest at the different layers of the network stack. The Random Forest algorithm was used to analyze the importance of each feature for the detection of anomalous network behavior. Both supervised and unsupervised learning methods were evaluated including Random Forest, Support Vector Machines, K-Nearest Neighbors, K-Means Clustering, and Isolation Forest. Results indicate that statistical based features as well as features derived from the protocol and application layers contained information best suited for detecting anomalous OT behavior. Additionally, variable importance-based feature selection helped reduce complexity and improved detection rate when compared with models trained on the original high dimensional data. Random Forest and Support Vector Machines had the best detection performance but required a large amount of labeled data for training and validation. Notably, Isolation Forest shows potential for anomaly detection in OT networks as it requires no labeled data and produced promising results.