Self-similarity based network anomaly detection for industrial control systems

Network traffic has been shown to be self-similar across a wide range of protocols, including Ethernet, Wi-Fi, and cellular traffic. However, the composition of the Internet has grown since these initial findings to include machine-to-machine (M2M) traffic, which behaves differently than the human-generated traffic previously analyzed. In this changing landscape, it has yet to be shown if the M2M traffic generated in industrial control systems (ICS) is self-similar. This paper investigates the self-similarity of M2M traffic using network traffic from three publicly available datasets. We find that the M2M traffic was not self-similar for two of the datasets, while the third showed a low degree of self-similarity. Furthermore, we demonstrate using physical data that the Hurst parameter can be used as a metric to observe changes in the system configuration of an ICS and to detect anomalous activity in the network.