
Date of Graduation

5-2026

Description

Industrial control systems (ICS) and industrial Internet of Things (IIoT) networks support critical infrastructure such as power generation, water treatment, and manufacturing. As these systems become more connected, they are increasingly exposed to cyber threats. However, many existing intrusion detection approaches rely on detailed packet inspection or supervised machine learning techniques that require labeled attack data and extensive tuning, making them difficult to deploy in real industrial environments.

ICS networks typically generate highly regular and predictable communication patterns due to periodic control logic and deterministic device behavior. Because of this structure, abnormal or malicious activity often appears as a disruption to normal communication patterns rather than as a single malicious packet. This observation motivates the need for detection methods that focus on overall communication behavior rather than low-level packet content.

This thesis proposes FLAIR (Flow-Level Anomaly Intrusion Recognition), an unsupervised anomaly detection framework designed specifically for ICS networks. FLAIR operates on sequences of network flows, which summarize communication between devices using statistical features such as packet counts, byte counts, transmission rates, and flow durations. By analyzing sequences of flows instead of individual packets, FLAIR captures how communication behavior evolves over time. The proposed approach uses a gated recurrent unit (GRU)–based autoencoder trained only on normal network traffic to learn typical patterns of operation. During deployment, deviations from learned behavior are identified using reconstruction error, which serves as an anomaly score.

FLAIR is designed to be evaluated using flow-level data from a publicly available IIoT dataset collected from a realistic industrial testbed. While full experimental evaluation is ongoing, the expected outcome is that FLAIR will be able to distinguish normal traffic from anomalous behavior without requiring labeled attack data during training. This approach is particularly well-suited to industrial environments, where attack data may be limited or unavailable.

If successful, FLAIR could provide a practical and scalable intrusion detection solution for real-world ICS networks. By leveraging flow-level data and unsupervised learning, the proposed framework has the potential to improve early detection of cyber threats while remaining compatible with the operational constraints of industrial systems. Additionally, this work may inform future research on sequence-based anomaly detection and contribute to the development of more resilient cybersecurity solutions for critical infrastructure.
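The scoring idea described above, as an added example that is not code from the thesis: windows of flow features are reconstructed by a model fitted only on normal traffic, and the reconstruction error is the anomaly score. A linear autoencoder (PCA via SVD) stands in for the GRU autoencoder so the sketch needs only NumPy; the traffic is constructed, and the window length `T`, latent size `K` and 99th-percentile threshold are assumptions.

```python
import numpy as np

T = 8   # flows per sequence window (assumed)
K = 4   # latent size of the linear autoencoder (assumed)

def make_flows(n, rng):
    """Constructed periodic polling traffic: [packets, bytes, rate, duration]."""
    phase = np.sin(np.arange(n) * 2 * np.pi / T)       # cyclic control loop
    pkts = 10 + 2 * phase + rng.normal(0, 0.3, n)
    byts = 64 * pkts + rng.normal(0, 5, n)
    dur = 0.5 + 0.05 * phase + rng.normal(0, 0.01, n)
    return np.column_stack([pkts, byts, pkts / dur, dur])

def windows(flows):
    """Slide a length-T window over the flow sequence and flatten each one."""
    return np.stack([flows[i:i + T].ravel() for i in range(len(flows) - T + 1)])

class FlowAutoencoder:
    """PCA stand-in for the GRU autoencoder: encode with W, decode with W.T."""

    def fit(self, normal_flows):
        X = windows(normal_flows)
        self.mu, self.sd = X.mean(0), X.std(0) + 1e-9
        _, _, vt = np.linalg.svd((X - self.mu) / self.sd, full_matrices=False)
        self.W = vt[:K]
        # Threshold is set from normal traffic only; no attack labels are used.
        self.threshold = np.percentile(self.score(normal_flows), 99)
        return self

    def score(self, flows):
        Z = (windows(flows) - self.mu) / self.sd
        recon = Z @ self.W.T @ self.W
        return ((Z - recon) ** 2).mean(axis=1)         # anomaly score per window

def demo():
    rng = np.random.default_rng(0)
    model = FlowAutoencoder().fit(make_flows(2000, rng))
    held_out = make_flows(400, rng)                    # unseen normal traffic
    attack = held_out.copy()
    attack[200:210, :3] *= 20                          # constructed traffic burst
    return model, model.score(held_out), model.score(attack)

if __name__ == "__main__":
    model, normal_scores, attack_scores = demo()
    print("threshold:", model.threshold)
    print("flagged windows:", np.flatnonzero(attack_scores > model.threshold))
```

Every window that overlaps the burst scores far above the threshold, while windows of unseen normal traffic stay below it apart from the small tail the percentile cut allows.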

Publication Date

2026

Document Type

Book

Degree Name

Bachelor of Science in Computer Science

Degree Level

Undergraduate

Department

Electrical Engineering and Computer Science

Advisor/Mentor

Farnell, Chris

Disciplines

Computer Sciences | Engineering

Keywords

Engineering

FLAIR - Flow-Level Anomaly Intrusion Recognition
