A Self-Adaptive Curriculum and Rare-Class-Aware Training (SA-CRT) Framework for Reliable Modbus/TCP Intrusion Detection
摘要
Industrial Control Systems (ICS) using the Modbus protocol are highly vulnerable to cyber attacks due to the lack of built-in authentication and encryption mechanisms. Detecting such attacks is challenging because of severe class imbalance, dynamic traffic behavior, and the need for well-calibrated probabilistic predictions. This study aims to develop an adaptive intrusion detection framework that effectively addresses these challenges.
MethodsOur proposed SA-CRT approach integrates the advantages of curriculum learning and rare-class-aware training into a cohesive framework. Our model uses a residual MLP network with batch normalization and the GELU nonlinearity, along with three important features: (i) a curriculum-ramped weighting schedule, (ii) adaptive minority boosting, and (iii) calibration mechanisms including logit correction, exponential moving average smoothing, temperature scaling, and post-hoc bias adjustment.
ResultsExperiments on the CIC-Modbus2023 dataset demonstrate that the proposed SA-CRT framework achieves strong performance, with an accuracy of approximately 99.90%, a weighted F1 score of 99.91%, and a macro F1 score of 96.03%. Unlike a baseline MLP with the same architecture that exhibits relatively higher calibration error (ECE ≈ 0.0007), the proposed SA-CRT method demonstrates lower calibration error while showing improved detection of attack classes with few instances. Although XGBoost shows comparable predictive capability, SA-CRT offers a better overall balance across performance and reliability.
ConclusionsThe results prove the effectiveness of curriculum-guided adaptive re-weighting in conjunction with calibration-aware optimization in achieving reliable Modbus-based intrusion detection in ICSs. Further work is aimed at extending the scope to multi-protocol industrial networks and real-time implementation at the edge.