Industrial control system device classification using network traffic features and neural network embeddings

Characterization of modern cyber–physical Industrial Control System (ICS) devices is critical to the evaluation of their security posture and an understanding of the underlying industrial processes with which they interact. In this work, we address two related ICS device identification tasks: (1) separating ICS from non-ICS devices and (2) identifying specific ICS device types. We propose two distinct methods (one based on the existing IP2Vec method, and a novel traffic-features-based method) for achieving the first task. For transferability of the first task between two datasets, the traffic-features-based method performs significantly better (75% overall accuracy) compared to IP2Vec (22.5% overall accuracy). We further propose a novel method called DNP2Vec to address the second task. DNP2Vec is evaluated on two different datasets and achieves perfect multi-class classification accuracy (100%) for both datasets. © 2021 The Authors