Strengthening ICS defense: Modbus-NFA behavior model for enhanced anomaly detection

The rise of the Internet of Things (IoT) has significantly transformed Industrial Control Systems (ICS) by increasing their dependence on interconnected devices for automating processes. This growing integration of IoT technologies within ICS has heightened concerns about security and privacy, underscoring the importance of protecting sensitive data. This paper addresses the challenge of detecting anomalies within ICS environments that utilize the Modbus protocol. Modbus requests are encapsulated in Modbus frames, which direct devices on the specific actions to undertake. Thus, the sequence of Modbus frames in network traffic serves as a comprehensive indicator of device behavior on the network. To tackle this challenge, we introduce a novel approach for anomaly detection by modeling device interactions on the network through the analysis of Modbus frame sequences using a Non-deterministic Finite Automaton (NFA) framework, termed the Modbus-NFA Behavior Distinguisher (MNBD) model. The NFA framework is particularly effective for this purpose as it can represent multiple potential states and transitions within a network, thereby capturing the complexity and variability of network behaviors. This capability allows the MNBD model to detect deviations from normal behavior, identifying potential anomalies with high accuracy. Our MNBD model was evaluated against several existing ICS network traffic datasets. The results demonstrate that the Modbus-NFA approach not only surpasses traditional machine learning models but also outperforms sequence-based deep learning models. Additionally, cross-dataset testing reveals that the MNBD model exhibits superior generalization capabilities compared to deep learning-based approaches. These findings highlight the MNBD model’s potential as a robust tool for anomaly detection, advancing research and development efforts in ICS security.