Exploring the power of convolutional neural networks for encrypted industrial protocols recognition

The main objective of this paper is to classify unencrypted and encrypted industrial protocols using deep learning, especially Convolutional Neural Networks. Protocol recognition is important for network security and network analysis. Overall knowledge of industrial protocols and networks is crucial, especially in operational technologies. Five industrial protocol standards are under investigation, namely IEC 60870-5-104, IEC 61850 (MMS, GOOSE, SV) and Modbus/TCP. It is also investigated whether the selected protocols can be recognized in their encrypted version. Furthermore, it is investigated whether this encrypted traffic is recognizable from the use of VPN technology. Three convolutional neural network models were trained to recognize industrial protocols. These networks outperform traditional machine learning in pattern recognition in several areas of classification. By converting the captured traffic into image data that convolutional neural networks work with, differences in the encrypted traffic of different industrial protocols can be recognized. Three scenarios (1D, 2D, PKT) are presented using convolutional neural network models with 1D and 2D architectures. Training, testing and validation data are used to verify each scenario. An accuracy of 96-97 % is achieved for the recognition of unencrypted and encrypted industrial protocols. According to the results, 2D convolutional neural network model is faster than 1D and PKT models. The 1D and 2D models are suitable for use in protocol specific networks. Another application of these models can be anomaly detection in these networks. The PKT model is useful in networks with multiple industry protocols because it can evaluate network traffic on a packet-by-packet basis.