Conference Proceedings
Anomaly Detection in ICS Networks with Fuzzy Hashing
William Tatum, Noam Gariani, Keith Alan Crabb, Gabriel De Conto, John A Hamilton
2024 Cyber Awareness and Research Symposium (CARS) | IEEE | Published: 2024
Abstract
The recent increase in attacks against publicly networked industrial control systems (ICS) has demonstrated a need for network-based anomaly detection systems, offering real-time flagging of potentially malicious activity by internal and external threat actors. Fuzzy hashing, also known as similarity hashing, has gained popularity in malware analysis and digital forensics circles as it provides analysts functionality to determine the similarity of two pieces of data by providing a similarity score. This work proposes a scheme that utilizes the similarity score to find variations from a self-establishing baseline in an ICS network to identify anomalous network traffic sections that could sign..