Colloquium talk: 23 September 2025, Debanjali Banerjee (Supervisor: Muhammad)
AI-Enhanced Network Monitoring Framework for Real-Time Analysis of Simulated Modbus TCP Traffic
This thesis presents a real-time anomaly detection framework for Modbus/TCP networks that integrates machine learning techniques with live traffic monitoring via port mirroring. The proposed system facilitates concurrent simulation and detection of multiple attack vectors while enabling immediate response actions, including real-time mitigation alerts for high-confidence threats.
Modbus/TCP, a widely adopted and easily deployable protocol in industrial environments, lacks layered security mechanisms and encryption, rendering it susceptible to diverse cyber threats. To address these vulnerabilities, this work introduces a scalable, virtualized testbed for real-time Modbus/TCP traffic analysis, implemented using Linux network namespaces. The testbed emulates a realistic Industrial Control System (ICS) environment comprising four isolated components: a secure Modbus/TCP server, a legitimate Modbus/TCP client, an adversarial node, and a monitoring node. Within this controlled environment, benign and malicious traffic, including replay attacks and Denial of Service attempts, is generated concurrently to assess detection performance.
The anomaly detection component employs the Isolation Forest algorithm for unsupervised learning, leveraging custom flow-based features extracted from live traffic and mapped to Modbus/TCP protocol semantics using the PySpark packet parser. Traffic mirroring is achieved through the Switched Port Analyzer (SPAN), enabling non-intrusive observation of server-bound traffic across isolated containers. Furthermore, Shapley Additive Explanations (SHAP) are utilized to enhance interpretability by quantifying feature influence during both training and live inference phases, thereby elucidating the contribution of critical features to attack detection.
By combining dynamic threat simulation, protocol-aware feature engineering, and explainable machine learning, the proposed system delivers a scalable and reproducible approach to ICS cybersecurity. Experimental evaluations confirm the effectiveness of flow-based features and hybrid unsupervised learning techniques incorporating behavioral indicators and adaptive thresholds in mitigating Modbus/TCP vulnerabilities, thus offering a practical framework for protecting real-world industrial networks.
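As an added illustration of the protocol-aware, flow-based feature engineering described above (this is example code written for this page, not the thesis's implementation; the exact feature set, the sample addresses and the constructed frames are assumptions), the following parses the Modbus/TCP MBAP header of mirrored frames and aggregates per-source features such as request rate, share of write function codes and transaction-id reuse, i.e. the kind of vectors an Isolation Forest model would consume:

```python
import struct
from collections import defaultdict

WRITE_FCS = {5, 6, 15, 16, 22, 23}  # Modbus function codes that modify coils/registers

def build_adu(tid: int, fc: int, payload: bytes, unit: int = 1) -> bytes:
    """Build a Modbus/TCP ADU: 7-byte MBAP header (tid, protocol id 0, length, unit) + PDU."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_mbap(adu: bytes) -> dict:
    """Parse the MBAP header and function code; reject malformed frames."""
    if len(adu) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(adu) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "fc": adu[7]}

def flow_features(frames: list, window: float = 1.0) -> dict:
    """Aggregate per-source features from (timestamp, src_ip, adu) tuples:
    request rate, share of write function codes, and transaction-id reuse."""
    flows = defaultdict(lambda: {"n": 0, "writes": 0, "tids": [], "ts": []})
    for ts, src, adu in frames:
        h = parse_mbap(adu)
        f = flows[src]
        f["n"] += 1
        f["writes"] += int(h["fc"] in WRITE_FCS)
        f["tids"].append(h["tid"])
        f["ts"].append(ts)
    out = {}
    for src, f in flows.items():
        span = max(max(f["ts"]) - min(f["ts"]), window)
        reused = f["n"] - len(set(f["tids"]))  # a tid seen again is a replay indicator
        out[src] = {
            "rate": f["n"] / span,
            "write_ratio": f["writes"] / f["n"],
            "tid_reuse_ratio": reused / f["n"],
        }
    return out

# Constructed sample traffic (assumed addresses): the legitimate client polls registers
# with fresh transaction ids; the adversary replays one captured write frame ten times.
SAMPLE = [(i * 0.5, "10.0.0.2", build_adu(i, 3, b"\x00\x00\x00\x0a")) for i in range(4)]
REPLAYED = build_adu(7, 6, b"\x00\x01\x00\xff")  # write single register, tid 7
SAMPLE += [(0.1 * i, "10.0.0.9", REPLAYED) for i in range(10)]
```

Calling `flow_features(SAMPLE)` yields a low-rate, read-only, no-reuse vector for the client and a high-rate, write-heavy, 90% tid-reuse vector for the adversary; the latter is the separation an unsupervised model such as Isolation Forest exploits.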
Location: Room 04.137, Martensstr. 3, Erlangen
or
Join Zoom meeting:
https://fau.zoom-x.de/j/68350702053?pwd=UkF3aXY0QUdjeSsyR0tyRWtLQ0hYUT09
Meeting ID: 683 5070 2053
Passcode: 647333