Metric Learning with Neural Network for Modbus/TCP Anomaly Detection

Abstract

In cyber security field, anomaly detection is triggered when detected network data traffic behaves obviously differently from normal data traffic. Traditional approaches typically create or define the normal pattern for the data and compare the normal pattern with the detected object. When a significantly different object appears, it is regarded as abnormal data. This paper proposes a novel neural network structure for anomaly detection, called a metric learning network, which aims to directly learn the differences between abnormal and normal data rather than set up a normal pattern. The network comprises an auto-encoder, which is used to encode the abnormal and normal data, and a metric learning component, which is designed to understand the difference between abnormal and normal data via a comparison approach. A deviation score is produced by the metric learning component to recognize the detected object. Research based on the Modbus/Transmission Control Protocol (TCP) network demonstrates that this approach can not only learn the difference between normal data and outliers, but is suitable for anomaly detection tasks. Our method has greater overall detection rates than a baseline model.