Early Intrusion Detection System using honeypot for industrial control networks

Man-in-the-Middle (MITM) and Distributed Denial of Service (DDoS) attacks are significant threats, especially to Industrial Control Systems (ICS). The honeypot is one of the most common approaches to protecting the network against such attacks. This study proposes a Markov Decision Process (MDP) called the state-action-reward-state -action (SARSA) for honeypot design. The proposed system using environmental experiments can achieve greater accuracy and convergence speed than traditional IDSs. Here, we use two types of agents, one for classification and the other for the environment. The environmental agent tries to minimize the rewards given to the classi-fying agent. Therefore, the classification agent is forced to learn the most complicated policies, increasing its learning capability in the long term. Thus, the proposed method improves the level of interaction for the early detection of honeypots by recording aggressive behavior. It can be especially suitable for very imbalanced datasets. To evaluate the performance of the proposed method, we compare it with two categories of malicious ICS attacks, including MITM and DDoS. The results show that the proposed model is superior to traditional non-linear IDS models in terms of accuracy (<0.99) and F-measure (0.98).