Detecting Anomalies by using Self-Organizing Maps in Industrial Environments

Detecting anomalies caused by intruders are a big challenge in industrial environments due to the complex environmental interdependencies and proprietary fieldbus protocols. In this paper, we proposed a network-based method for detecting anomalies by using unsupervised artificial neural networks called Self-Organizing Maps (SOMs). Therefore, we published an algorithm which identifies clusters and cluster centroids in SOMs to gain knowledge about the underlying data structure. In the training phase we created two neural networks, one for clustering the network data and the other one for finding the cluster centroids. In the operating phase our approach is able to detect anomalies by comparing new data samples with the first trained SOM model. We used a confidence interval to decide if the sample is too far from its best matching unit. A novel additional confidence interval for the second SOM is proposed to minimize false positives which have been a major drawback of machine learning methods in anomaly detection. We implemented our approach in a robot cell and infiltrated the network like an intruder would do to evaluate our method. As a result, we significantly reduced the false positive rate to 0.07% using the second interval while providing an accuracy of 99% for the detection of network attacks.