Article ID: 6747638
Journal: International Journal of Critical Infrastructure Protection
Published Year: 2018
Pages: 74
File Type: PDF
Abstract
This paper evaluates a number of features described in the literature that may be used to detect distributed denial-of-service attacks on the GOOSE and MMS protocols. However, these features do not include advanced features that capture the periodic transmission behavior of SCADA protocols. Three SCADA-protocol-specific steps are specified for constructing new GOOSE and MMS advanced features by leveraging domain knowledge and adopting a time-window-based feature construction method. The resulting feature set, which comprises seventeen new GOOSE and MMS advanced features, outperforms the feature sets described in previous research when used with the popular decision tree, neural network and support vector machine classifiers. The evaluations also reveal that the decision tree classifier is superior to the neural network and support vector machine classifiers. A key contribution of this research is the application of SCADA-protocol-based domain knowledge to develop high-performance intrusion detection systems that require reduced training and testing times.
Related Topics
Physical Sciences and Engineering > Computer Science > Computer Networks and Communications