In many data communication networks, detection systems are deployed to detect malicious intrusions. Such intrusions comprise data from attackers or infected computers that may affect the working of servers, computers or other equipment.
There are two main types of such intrusion detection systems: signature-based and anomaly-based intrusion detection systems.
A signature-based intrusion detection system (SBS) relies on pattern-matching techniques. The system contains a database of signatures, i.e. sequences of data known from past attacks. These signatures are matched against the tested data, and when a match is found an alert is raised. The database of signatures needs to be updated by experts after each new attack has been identified.
By contrast, an anomaly-based intrusion detection system (ABS) first builds a statistical model describing the normal network traffic during a so-called “learning phase”. Then, during a so-called “testing phase”, the system analyses data and classifies as an attack any traffic or action that significantly deviates from the model. The advantage of an anomaly-based system is that it can detect zero-day attacks, i.e. attacks that have not yet been identified as such by experts. To detect most attacks, ABSes need to inspect the network traffic payload. Existing methods are based on n-gram analysis, which is applied either to the (raw) packet payload or to portions of it.
However, in some data communication networks malicious data is very similar to legitimate data. This may be the case in a so-called SCADA (Supervisory Control and Data Acquisition) network or other Industrial Control network. In a SCADA or other Industrial Control network, protocol messages are exchanged between computers, servers and other equipment on the application layer of the data communication network. These protocol messages may comprise instructions to control machines. A protocol message with a malicious instruction (“set rotational speed at 100 rpm”) may be very similar to a legitimate instruction (“set rotational speed at 10 rpm”).
When the malicious data is very similar to legitimate data, the malicious data may be classified as normal or legitimate data by the anomaly-based intrusion detection system, which could endanger the working of computers, servers and other equipment in the network.
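The following added example (not part of the original text) illustrates the limitation described above with a minimal n-gram anomaly detector: the model is the set of byte trigrams seen in constructed "normal" SCADA-style messages during the learning phase, and the anomaly score of a tested message is the fraction of its trigrams never seen during learning. The learning traffic, the threshold value and the message texts are all constructed for the illustration.

```python
from collections import Counter
from typing import Iterable

N = 3  # n-gram length in bytes (byte trigrams)


def ngrams(payload: bytes, n: int = N) -> Counter:
    """Count all overlapping byte n-grams of a payload."""
    return Counter(payload[i:i + n] for i in range(len(payload) - n + 1))


def learn(normal_payloads: Iterable[bytes], n: int = N) -> set:
    """Learning phase: the model is the set of n-grams observed in normal traffic."""
    model = set()
    for payload in normal_payloads:
        model.update(ngrams(payload, n))
    return model


def anomaly_score(model: set, payload: bytes, n: int = N) -> float:
    """Testing phase: fraction of the payload's n-grams unseen during learning.

    0.0 means every n-gram was seen in normal traffic; 1.0 means none was.
    """
    grams = ngrams(payload, n)
    total = sum(grams.values())
    if total == 0:
        return 0.0
    unseen = sum(count for gram, count in grams.items() if gram not in model)
    return unseen / total


# Constructed learning-phase traffic (assumption): the operator only ever
# sets speeds between 10 and 30 rpm, so 100 rpm would be a harmful command.
NORMAL_TRAFFIC = [
    b"set rotational speed at 10 rpm",
    b"set rotational speed at 20 rpm",
    b"set rotational speed at 30 rpm",
    b"read rotational speed",
]
MODEL = learn(NORMAL_TRAFFIC)
THRESHOLD = 0.2  # constructed cut-off; a deployment would tune this


def classify(payload: bytes) -> str:
    """Raise an alert only when the unseen-n-gram fraction exceeds the threshold."""
    return "attack" if anomaly_score(MODEL, payload) > THRESHOLD else "normal"
```

With this model the malicious "100 rpm" message shares all but two of its 29 trigrams with the legitimate traffic (score about 0.07) and is classified as normal, whereas a message with unrelated content such as "reboot controller" scores 1.0 and is flagged.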