Purpose <p>Industrial Control Systems (ICS) using the Modbus protocol are highly vulnerable to cyber attacks due to the lack of built-in authentication and encryption mechanisms. Detecting such attacks is challenging because of severe class imbalance, dynamic traffic behavior, and the need for well-calibrated probabilistic predictions. This study aims to develop an adaptive intrusion detection framework that effectively addresses these challenges.</p> Methods <p>Our proposed SA-CRT approach integrates the advantages of curriculum learning and rare-class-aware training into a cohesive framework. Our model uses a residual MLP network with batch normalization and the GELU nonlinearity, along with three important features: (i) a curriculum-ramped weighting schedule, (ii) adaptive minority boosting, and (iii) calibration mechanisms including logit correction, exponential moving average smoothing, temperature scaling, and post-hoc bias adjustment.</p> Results <p>Experiments on the CIC-Modbus2023 dataset demonstrate that the proposed SA-CRT framework achieves strong performance, with an accuracy of approximately 99.90%, a weighted F1 score of 99.91%, and a macro F1 score of 96.03%. Unlike a baseline MLP with the same architecture that exhibits relatively higher calibration error (ECE ≈ 0.0007), the proposed SA-CRT method demonstrates lower calibration error while showing improved detection of attack classes with few instances. Although XGBoost shows comparable predictive capability, SA-CRT offers a better overall balance across performance and reliability.</p> Conclusions <p>The results prove the effectiveness of curriculum-guided adaptive re-weighting in conjunction with calibration-aware optimization in achieving reliable Modbus-based intrusion detection in ICSs. Further work is aimed at extending the scope to multi-protocol industrial networks and real-time implementation at the edge.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A Self-Adaptive Curriculum and Rare-Class-Aware Training (SA-CRT) Framework for Reliable Modbus/TCP Intrusion Detection

  • Vijay Kalmani,
  • Amol Adamuthe,
  • Smita Nirkhi

摘要

Purpose

Industrial Control Systems (ICS) using the Modbus protocol are highly vulnerable to cyber attacks due to the lack of built-in authentication and encryption mechanisms. Detecting such attacks is challenging because of severe class imbalance, dynamic traffic behavior, and the need for well-calibrated probabilistic predictions. This study aims to develop an adaptive intrusion detection framework that effectively addresses these challenges.

Methods

Our proposed SA-CRT approach integrates the advantages of curriculum learning and rare-class-aware training into a cohesive framework. Our model uses a residual MLP network with batch normalization and the GELU nonlinearity, along with three important features: (i) a curriculum-ramped weighting schedule, (ii) adaptive minority boosting, and (iii) calibration mechanisms including logit correction, exponential moving average smoothing, temperature scaling, and post-hoc bias adjustment.

Results

Experiments on the CIC-Modbus2023 dataset demonstrate that the proposed SA-CRT framework achieves strong performance, with an accuracy of approximately 99.90%, a weighted F1 score of 99.91%, and a macro F1 score of 96.03%. Unlike a baseline MLP with the same architecture that exhibits relatively higher calibration error (ECE ≈ 0.0007), the proposed SA-CRT method demonstrates lower calibration error while showing improved detection of attack classes with few instances. Although XGBoost shows comparable predictive capability, SA-CRT offers a better overall balance across performance and reliability.

Conclusions

The results prove the effectiveness of curriculum-guided adaptive re-weighting in conjunction with calibration-aware optimization in achieving reliable Modbus-based intrusion detection in ICSs. Further work is aimed at extending the scope to multi-protocol industrial networks and real-time implementation at the edge.