{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,28]],"date-time":"2026-03-28T12:47:25Z","timestamp":1774702045827,"version":"3.50.1"},"reference-count":30,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2021,9,19]],"date-time":"2021-09-19T00:00:00Z","timestamp":1632009600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>With the development of the Industrial Internet in recent years, security issues have been a hot topic of the industrial control system (ICS) network management. Identifying the protocol traffic in the communication process of the ICS is an important prerequisite to avoid security problems, especially in ICSs that use many private protocols. The private protocols cannot be analyzed due to the unknown internal structure of the protocols, which makes the ICS protocol identification work more difficult. However, the Internet-oriented protocol identification method is not applicable to the scenario of the private ICS protocols network environment. With this problem in mind, this paper proposes a method of ICS protocol identification based on the raw traffic payload. The method firstly performs data preprocessing such as data selection, interception, cleaning conversion, and labeling on the raw traffic of the protocol based on the characteristics of the industrial control protocol. Then it uses an AM-1DCNN + LSTM deep learning model to extract temporal and spatial features of the ICS raw traffic, and performs protocol identification. This method can effectively extract ICS protocol features in scenarios where protocol parsing is impossible compared with existing methods. We constructed a dataset for ICS protocol identification based on open-source data and tested the proposed method for experiments, and the identification accuracy rate reached 93%.<\/jats:p>","DOI":"10.3390\/sym13091743","type":"journal-article","created":{"date-parts":[[2021,9,21]],"date-time":"2021-09-21T22:35:20Z","timestamp":1632263720000},"page":"1743","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["Identification of Private ICS Protocols Based on Raw Traffic"],"prefix":"10.3390","volume":"13","author":[{"given":"Liang","family":"Zhai","sequence":"first","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Qiuhua","family":"Zheng","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Xu","family":"Zhang","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Haizhong","family":"Hu","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Weihao","family":"Yin","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Yingpei","family":"Zeng","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]},{"given":"Ting","family":"Wu","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou 310018, China"}]}],"member":"1968","published-online":{"date-parts":[[2021,9,19]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Plissonneau, L., Costeux, J.L., and Brown, P. (2005). Analysis of peer-to-peer traffic on ADSL. International Workshop on Passive and Active Network Measurement, Springer.","DOI":"10.1007\/978-3-540-31966-5_6"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"58","DOI":"10.1109\/COMST.2007.4317616","article-title":"A survey of application-layer multicast protocols","volume":"9","author":"Hosseini","year":"2007","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_3","unstructured":"Bayat, N., Jackson, W., and Liu, D. (2021). Deep learning for network traffic classification. arXiv."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1109\/MCOM.2019.1800819","article-title":"Deep learning for encrypted traffic classification: An overview","volume":"57","author":"Rezaei","year":"2019","journal-title":"IEEE Commun. Mag."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Tong, V., Tran, H.A., Souihi, S., and Mellouk, A. (2018, January 9\u201313). A novel quic traffic classifier based on convolutional neural networks. Proceedings of the 2018 IEEE Global Communications Conference (GLOBECOM), Abu Dhabi, United Arab Emirates.","DOI":"10.1109\/GLOCOM.2018.8647128"},{"key":"ref_6","unstructured":"Touch, J., Mankin, A., and Kohler, E. (2021, September 15). Service Name and Transport Protocol Port Number Registry [EB\/OL]. Available online: https:\/\/www.iana.org\/assignment-s\/service-names-port-numbers\/service-names-port-numbers.xhtml."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Moore, A.W., and Zuev, D. (2005, January 6\u201310). Internet traffic classification using Bayesian analysis techniques. Proceedings of the 2005 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, Banff, AB, Canada.","DOI":"10.1145\/1064212.1064220"},{"key":"ref_8","unstructured":"Madhukar, A., and Williamson, C. (2006, January 14). A longitudinal study of P2P traffic classification. Proceedings of the 14th International Symposium on Modeling, Analysis, and Simulation, Monterey, CA, USA."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Ma, J., Levchenko, K., Kreibich, C., Savage, S., and Voelker, G.M. (2006, January 25\u201327). Unexpected means of protocol inference. Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeriro, Brazil.","DOI":"10.1145\/1177080.1177123"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"62","DOI":"10.1109\/TPWRS.2016.2556620","article-title":"A new feature selection technique for load and price forecast of electrical power systems","volume":"32","author":"Oveis","year":"2017","journal-title":"IEEE Trans. Power Syst."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Sen, S., Spatscheck, O., and Wang, D. (2004, January 17\u201320). Accurate, scalable innetwork identification of p2p traffic using application signatures. Proceedings of the 13th International Conference on World Wide Web, New York, NY, USA.","DOI":"10.1145\/988672.988742"},{"key":"ref_12","unstructured":"Hu, X., and Gong, J. (2009, January 12\u201314). Relevance analysis of network traffic classification measure. Proceedings of the 16th Annual Academic Conference, Tianjin, China."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"2476","DOI":"10.1016\/j.comnet.2009.05.003","article-title":"Support vector machines for TCP traffic classification","volume":"53","author":"Este","year":"2009","journal-title":"Comput. Netw."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Zhou, W., Dong, L., Bic, L., Zhou, M., and Chen, L. (2011, January 21\u201323). Internet traffic classification using feed-forward neural network. Proceedings of the 2011 International Conference on Computational Problem-Solving, Chengdu, China.","DOI":"10.1109\/ICCPS.2011.6092257"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1326","DOI":"10.1016\/j.comnet.2010.12.002","article-title":"Can encrypted traffic be identified without port numbers, IP addresses and payload inspection","volume":"55","author":"Alshammari","year":"2011","journal-title":"Comput. Netw."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"1457","DOI":"10.1016\/j.comcom.2012.04.012","article-title":"Feature selection for optimizing traffic classification","volume":"35","author":"Zhang","year":"2012","journal-title":"Comput. Commun."},{"key":"ref_17","first-page":"1229","article-title":"Review of convolutional neural network","volume":"40","author":"Zhou","year":"2017","journal-title":"Chin. J. Comput."},{"key":"ref_18","unstructured":"Wang, Z. (2021, September 15). The Applications of Deep Learning on Traffic Identification [EB\/OL]. Available online: https:\/\/www.black-hat.com\/docs\/us-15\/materials\/us-15-Wang-The-Applications-Of-Deep-Learning-On-Traffic-Identification-wp.pdf."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Ma, R., and Qin, S. (2017, January 13\u201316). Identification of unknown protocol traffic based on deep learning. Proceedings of the 3rd IEEE International Conference on Computer and Communications, Chengdu, China.","DOI":"10.1109\/CompComm.2017.8322732"},{"key":"ref_20","unstructured":"Wang, W., Zhu, M., Zeng, X., Ye, X., and Sheng, Y. (2017, January 11\u201313). Malware traffic classification using convolutional neural network for representation learning. Proceedings of the 2017 International Conference on Information Networking (ICOIN), Da Nang, Vietnam."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"35","DOI":"10.1109\/MNET.2012.6135854","article-title":"Issues and future directions in traffic classification","volume":"26","author":"Dainotti","year":"2021","journal-title":"IEEE Netw."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"1999","DOI":"10.1007\/s00500-019-04030-2","article-title":"Deep packet: A novel approach for encrypted traffic classification using deep learning","volume":"24","author":"Lotfollahi","year":"2020","journal-title":"Soft Comput."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Harris, D., and Harris, S. (2012). Digital Design and Computer Architecture, Morgan Kaufmann. [2nd ed.].","DOI":"10.1016\/B978-0-12-394424-5.00006-9"},{"key":"ref_24","unstructured":"Xu, K., Ba, J., Kiros, R., Cho, K., Courville, A., Salakhudinov, R., Zemel, R., and Bengio, Y. (2015). Show, attend and tell: Neural image caption generation with visual attention. International Conference on Machine Learning, PMLR."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"1735","DOI":"10.1162\/neco.1997.9.8.1735","article-title":"Long short-term memory","volume":"9","author":"Hochreiter","year":"1997","journal-title":"Neural Comput."},{"key":"ref_26","unstructured":"(2021, September 15). Available online: https:\/\/www.netresec.com."},{"key":"ref_27","unstructured":"(2021, September 15). Available online: https:\/\/4sics.se."},{"key":"ref_28","unstructured":"(2021, September 15). Available online: https:\/\/www.shodan.io."},{"key":"ref_29","unstructured":"(2021, September 15). Available online: https:\/\/github.com."},{"key":"ref_30","unstructured":"(2018, January 23\u201327). Tor traffic classification from raw packet header using convolutional neural network. Proceedings of the 2018 1st IEEE International Conference on Knowledge Innovation and Invention (ICKII), Jeju Island, Korea."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/13\/9\/1743\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T07:02:12Z","timestamp":1760166132000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/13\/9\/1743"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,9,19]]},"references-count":30,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2021,9]]}},"alternative-id":["sym13091743"],"URL":"https:\/\/doi.org\/10.3390\/sym13091743","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,9,19]]}}}