Performance Evaluation of Anomaly Communication Detection using BERT for Feature Extraction of Packet Payload

Abstract

Anomaly Communication Detection is important to ensure the safety of industrial control systems (ICS). However, it is difficult to create detection rules for all the various communication protocols used in an ICS, including proprietary ones. Therefore, anomaly communication detection using Bidirectional Encoder Representations for Transformers (BERT) for feature extraction of packet payload has attracted attention, since it learns the characteristics of packet payloads without prior knowledge and can handle a wide range of protocols. In this paper, we conduct experiments to investigate the features and usefulness of this method. Specifically, we (1) measure the detection performance of random rewriting of payloads of typical protocols and (2) confirm the performance improvement by applying an overdetection correction technique. Through these experiments, we demonstrate the performance of anomaly communication detection using BERT for feature extraction of packet payloads and consider its effectiveness.