Anomaly Detection Sensors for a Modbus-Based Oil and Gas Well-Monitoring System

Abstract

Timely detection of network traffic anomalies in oil and gas wells is critical to support operations. This paper describes a network sensor that has been specifically designed to operate within an existing well-monitoring infrastructure. Network traffic and flow features are extracted in real-time and compared against pre-set and moving averages to detect and report anomalies. A prototype has been tested using the Modbus protocol and network traffic covering several months of operations. In order to avoid potential impact on the production environment, scripts captured network packets that were then replayed on the IMUNES network emulator. Preliminary results have identified useful metrics for anomaly detection in a production environment.