Utilizing BERT for Estimating Anomalous Byte Locations in Packet Payloads

Abstract

Industrial control systems (ICS), which are becoming more and more open with the emergence of smart factories, are threatened by cyber-attacks, and the control command communication used in ICS can cause unintended behaviors even if the content of the payload is modified by just one byte. For this reason, several intrusion detection systems have been proposed for the packet payloads of various protocols used in ICS, and in particular, methods for detecting cyber attacks using deep learning models have attracted much attention recently. However, most of these intrusion detection systems are not able to provide evidence of which part of the packet payload is considered to be anomaly. In this study, we propose a method for estimating the location of anomalous bytes in packets. We experimentally show the effectiveness of the proposed method on several ICS datasets.