Do's and Don'ts of Distributed Intrusion Detection for Industrial Network Topologies
New methods for anomaly and intrusion detection systems for industrial use cases promise to detect yet unknown attack vectors. Advances in big data processing and machine learning have brought many methods with great detection capabilities that reduce the human workload required. However, many of these detection methods suffer from false positive alerts, which counter this goal. As optimization of detection rates is often linked to an increase of false positive rates, we analyze their impact on attack detection throughout networks. This enables orchestrated distributed anomaly detection and better forensic analysis of attack strategies. For this purpose, we propose a concept for information aggregation that enables a compound analysis of the involved systems. Using simulations of different configurations, we estimate the impact of detection rates, false positive rates, and network topologies on the global system performance. With this study, we provide a method for analyzing the detection capabilities of specific distributed detection system setups, allowing appropriate requirements to be derived before actual deployment.
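The trade-off the abstract describes, as an added illustration that is not the paper's own model or code: per-node detection and false positive rates are aggregated over a network, and the compound alert is raised when at least `k` node detectors fire in the same window. The independence of detectors, the `k`-of-`n` aggregation rule and the sample parameters are assumptions made here, not taken from the paper.

```python
from typing import List, Tuple


def poisson_binomial(probs: List[float]) -> List[float]:
    """Exact distribution of the number of alerts among independent node
    detectors with (possibly different) firing probabilities."""
    dist = [1.0]
    for p in probs:
        new = [0.0] * (len(dist) + 1)
        for k, q in enumerate(dist):
            new[k] += q * (1.0 - p)
            new[k + 1] += q * p
        dist = new
    return dist


def compound_rates(n_nodes: int, attack_path: int, tpr: float, fpr: float,
                   k: int) -> Tuple[float, float]:
    """Global detection probability and global false alarm probability for
    an aggregator that alerts when at least k of n_nodes detectors fire.

    attack_path: number of nodes the attack traverses (depends on the
    topology: a flat network exposes the attack to fewer sensors than a
    segmented one where traffic crosses several monitored zones).
    """
    # Under attack: nodes on the path fire with tpr, all other nodes can
    # still contribute false positives to the alert count.
    under_attack = [tpr] * attack_path + [fpr] * (n_nodes - attack_path)
    p_detect = sum(poisson_binomial(under_attack)[k:])
    # Benign window: every node may produce a false positive.
    p_false = sum(poisson_binomial([fpr] * n_nodes)[k:])
    return p_detect, p_false


if __name__ == "__main__":
    # Constructed scenario: 10 sensors, per-node detection rate 0.8, per-node
    # false positive rate 0.01; compare topologies exposing 1 or 3 sensors.
    for path_len in (1, 3):
        for k in (1, 2, 3):
            pd, pf = compound_rates(10, path_len, 0.8, 0.01, k)
            print(f"path={path_len} k={k}: P(detect)={pd:.4f} "
                  f"P(false alarm)={pf:.4f}")
```

Raising `k` cuts the compound false alarm rate sharply but only pays off where the topology routes the attack past enough sensors, which is the kind of requirement the abstract proposes deriving before deployment.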