Date of Graduation

5-2025

Document Type

Thesis

Degree Name

Master of Science in Computer Science (MS)

Degree Level

Graduate

Department

Electrical Engineering and Computer Science

Advisor/Mentor

Farnell, Chris

Committee Member

Panda, Brajendra N.

Second Committee Member

Jin, Kevin

Keywords

operational technology network; cybersecurity; sequence-to-sequence autoencoder model; anomaly detection

Abstract

Operational Technology (OT) networks, particularly those used in critical infrastructure, face increasing cyber threats that target network-level protocols and behaviors. While most anomaly detection research for OT systems has traditionally relied on sensor data, this thesis explores the viability of detecting malicious activity directly from network telemetry. We propose a sequence-to-sequence autoencoder model based on Gated Recurrent Units (GRUs) with multilevel attention, trained to reconstruct normal patterns of packet-level communication extracted from raw PCAP data. The developed feature engineering pipeline integrates general networking attributes such as IP and MAC addresses, ports, and transport protocols with OT-specific protocol information from Modbus and DNP3. In the first machine learning-based analysis of a recently released OT dataset, models were trained and evaluated at varying sequence lengths (25, 50, and 100 packets) to determine optimal performance trade-offs. Only the model trained on 100-packet sequences (Seq100) yielded meaningful detection performance, achieving approximately 81% precision in a partially labeled scenario and identifying half of the known attacker network artifacts within the dataset. Temporal visualization of reconstruction errors indicated alignment with known attack periods, and per-feature error analysis showed that high-cardinality fields such as ports and application protocols contributed most significantly to anomaly detection. To evaluate practical applicability, the Seq100 model was quantized, exported to ONNX, and deployed on an AMD Neural Processing Unit (NPU) and an NVIDIA V100 GPU. With a mean inference time of 5.6 milliseconds on the NPU, the model demonstrated real-time feasibility in resource-constrained environments.
This thesis establishes a foundation for deploying interpretable, real-time anomaly detection systems based on unsupervised deep learning techniques in OT networks, demonstrating both strong detection capability and practical inference efficiency.
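The following Python example is added here and is not code from the thesis. It sketches the pipeline the abstract describes end to end: packet records carrying the general fields (MAC and IP addresses, ports, transport) and the OT-specific ones (application protocol, Modbus/DNP3 function code) are encoded per field with vocabularies fitted on normal traffic only, windowed into fixed-length packet sequences, reconstructed by an autoencoder trained on normal windows, scored by reconstruction error, thresholded, and finally the error of a flagged window is attributed to individual fields. A pure-Python linear autoencoder (the top principal components, found by power iteration) stands in for the GRU sequence-to-sequence model with attention, which cannot be trained without a deep learning framework; the encoding, windowing, scoring, thresholding and per-feature attribution steps are model-agnostic and are what carries over. The hosts, addresses, ports and traffic are constructed, the attack (an HMI that starts issuing Modbus and DNP3 writes from fresh ephemeral ports) is hypothetical, and the sequence length is 4 rather than the 25, 50 and 100 packets evaluated in the thesis, so that the sample data stays small.

```python
import random

# Fields extracted per packet; ports, application protocol and function code are the
# high-cardinality / OT-specific fields the abstract singles out.
FIELDS = ("src_mac", "dst_mac", "src_ip", "dst_ip", "src_port", "dst_port",
          "transport", "app_proto", "func_code")
UNK = "<unk>"  # reserved slot for any value never seen in normal traffic

def build_vocab(packets):
    """Per-field value -> slot index, fitted on normal packets only; slot 0 is UNK."""
    return {f: {UNK: 0, **{v: i + 1 for i, v in enumerate(sorted({str(p[f]) for p in packets}))}}
            for f in FIELDS}

def encode_packet(pkt, vocab):
    """Concatenated one-hot encoding over FIELDS; an unseen value lights up the UNK slot."""
    return [1.0 if vocab[f].get(str(pkt[f]), 0) == i else 0.0
            for f in FIELDS for i in range(len(vocab[f]))]

def windows(packets, vocab, seq_len, stride=1):
    """Sliding windows of seq_len encoded packets, each flattened to one vector."""
    enc = [encode_packet(p, vocab) for p in packets]
    return [sum(enc[i:i + seq_len], []) for i in range(0, len(enc) - seq_len + 1, stride)]

class LinearAutoencoder:
    """Linear autoencoder: reconstruct(x) = mean + sum_j <x - mean, v_j> v_j, where the v_j
    are the top-k principal components (power iteration with Gram-Schmidt deflation)."""

    def __init__(self, n_components, iters=60, seed=0):
        self.k, self.iters, self.rng = n_components, iters, random.Random(seed)

    def fit(self, X):
        n, d = len(X), len(X[0])
        self.mean = [sum(col) / n for col in zip(*X)]
        Xc = [[a - m for a, m in zip(row, self.mean)] for row in X]
        self.components = []
        for _ in range(self.k):
            v = [self.rng.gauss(0.0, 1.0) for _ in range(d)]
            for _ in range(self.iters):
                # w = (Xc^T Xc / n) v, without materialising the d x d covariance matrix
                proj = [sum(a * b for a, b in zip(row, v)) for row in Xc]
                w = [sum(proj[i] * Xc[i][j] for i in range(n)) / n for j in range(d)]
                for u in self.components:  # stay orthogonal to the components already found
                    c = sum(a * b for a, b in zip(u, w))
                    w = [a - c * b for a, b in zip(w, u)]
                norm = sum(a * a for a in w) ** 0.5
                if norm < 1e-12:  # no variance left to explain: stop adding components
                    return self
                v = [a / norm for a in w]
            self.components.append(v)
        return self

    def reconstruct(self, x):
        xc = [a - m for a, m in zip(x, self.mean)]
        out = list(self.mean)
        for v in self.components:
            c = sum(a * b for a, b in zip(xc, v))
            out = [o + c * b for o, b in zip(out, v)]
        return out

def squared_errors(model, X):
    """Per-dimension squared reconstruction error of every window in X."""
    return [[(a - b) ** 2 for a, b in zip(x, model.reconstruct(x))] for x in X]

def attribute_by_field(model, X, vocab, seq_len):
    """Squared error summed per field over the windows in X, largest first."""
    names = [f for f in FIELDS for _ in vocab[f]] * seq_len  # dimension -> field name
    totals = dict.fromkeys(FIELDS, 0.0)
    for err in squared_errors(model, X):
        for name, e in zip(names, err):
            totals[name] += e
    return sorted(totals.items(), key=lambda kv: -kv[1])

def packet(src, dst, sp, dp, app, func):
    """Packet record from (mac, ip) endpoint tuples; transport is always TCP here."""
    return dict(zip(FIELDS, (src[0], dst[0], src[1], dst[1], sp, dp, "tcp", app, func)))

HMI, PLC1, PLC2 = (("aa:00:00:00:00:05", "10.0.0.5"), ("aa:00:00:00:00:10", "10.0.0.10"),
                   ("aa:00:00:00:00:11", "10.0.0.11"))  # constructed hosts
# Constructed normal poll cycle: the HMI reads PLC1 over Modbus/TCP (function 3, Read
# Holding Registers) and PLC2 over DNP3 (function 1 READ; the response carries code 129).
NORMAL_CYCLE = [packet(HMI, PLC1, 49152, 502, "modbus", 3), packet(PLC1, HMI, 502, 49152, "modbus", 3),
                packet(HMI, PLC2, 49153, 20000, "dnp3", 1), packet(PLC2, HMI, 20000, 49153, "dnp3", 129)]
# Constructed (hypothetical) attack cycle: the HMI now issues writes (Modbus 16 Write
# Multiple Registers, DNP3 2 WRITE) from source ports the model has never seen.
ATTACK_CYCLE = [packet(HMI, PLC1, 50000, 502, "modbus", 16), packet(PLC1, HMI, 502, 50000, "modbus", 16),
                packet(HMI, PLC2, 50001, 20000, "dnp3", 2), packet(PLC2, HMI, 20000, 50001, "dnp3", 129)]

def run_demo(n_cycles=8, seq_len=4):
    """Fit on normal traffic, score a stream holding one attack cycle (packets 8..11),
    and attribute the highest-scoring window's error to fields."""
    train = NORMAL_CYCLE * n_cycles
    vocab = build_vocab(train)
    X_train = windows(train, vocab, seq_len)
    model = LinearAutoencoder(n_components=3).fit(X_train)  # 3 components span a 4-phase cycle
    # Threshold from normal data only; on real traffic use a high quantile of a held-out
    # normal set rather than the training maximum.
    threshold = max(sum(e) for e in squared_errors(model, X_train))
    X_test = windows(NORMAL_CYCLE * 2 + ATTACK_CYCLE + NORMAL_CYCLE, vocab, seq_len)
    scores = [sum(e) for e in squared_errors(model, X_test)]
    flagged = [i for i, s in enumerate(scores) if s > threshold]
    top = max(range(len(scores)), key=scores.__getitem__)
    return {"threshold": threshold, "scores": scores, "flagged": flagged, "top_window": top,
            "ranking": attribute_by_field(model, [X_test[top]], vocab, seq_len)}
```

Calling `run_demo()` flags exactly the seven windows that overlap the attack cycle, and the per-field ranking of the top-scoring window puts the function code first and the two port fields next, with MAC and IP addresses far behind: the same qualitative picture the abstract reports for its per-feature error analysis. Two points carry over to a real deployment. Vocabularies must be fitted on normal traffic only, so that values first seen during an attack land in the UNK slot instead of silently widening the model's notion of normal, and the decision threshold should come from a held-out normal set, since with a model this expressive the training reconstruction error can be essentially zero. The per-field attribution is what makes an alert actionable: an analyst is told which packet fields drove the score, not just that a sequence looked unusual.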

Included in

Cybersecurity Commons