Unknown Attack Traffic Classification in SCADA Network Using Heuristic Clustering Technique

Attack Traffic Classification (ATC) technique is an essential tool for Industrial Control System (ICS) network security, which can be widely used in active defense, situational awareness, attack source traceback and so on. At present, the state-of-the-art ATC methods are usually based on traffic statistical features and machine learning techniques, including supervised classification methods and unsupervised clustering methods. However, it is difficult for these methods to overcome the problems of lack of attack samples and high real-time requirement in ATC in Supervisory Control and Data Acquisition (SCADA) networks. In order to address the above problems, we propose a self-growing ATC model based on a new density-based heuristic clustering method, which can continuously and automatically detect and distinguish different kinds of unknown attack traffic generated by various attack tools against SCADA networks in real time. An effective representation method of SCADA network traffic is proposed to further improve the performance of ATC. In addition, a large number of experiments are conducted on a compound dataset consisting of the SCADA network dataset, the attack tool dataset and the ICS honeypot dataset, to evaluate the proposed method. The experimental results show that the proposed method outperforms existing state-of-the-art ATC methods in the crucial situation of only normal SCADA network traffic.