{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T22:09:20Z","timestamp":1777500560735,"version":"3.51.4"},"reference-count":52,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2022,2,16]],"date-time":"2022-02-16T00:00:00Z","timestamp":1644969600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"H2020 ECSEL","award":["692466 and 783119"],"award-info":[{"award-number":["692466 and 783119"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Electronics"],"abstract":"<jats:p>The Fourth Industrial Revolution (Industry 4.0) has transformed factories into smart Cyber-Physical Production Systems (CPPSs), where man, product, and machine are fully interconnected across the whole supply chain. Although this digitalization brings enormous advantages through customized, transparent, and agile manufacturing, it introduces a significant number of new attack vectors\u2014e.g., through vulnerable Internet-of-Things (IoT) nodes\u2014that can be leveraged by attackers to launch sophisticated Distributed Denial-of-Service (DDoS) attacks threatening the availability of the production line, business services, or even the human lives. In this article, we adopt a Machine Learning (ML) approach for network anomaly detection and construct different data-driven models to detect DDoS attacks on Industry 4.0 CPPSs. Existing techniques use data either artificially synthesized or collected from Information Technology (IT) networks or small-scale lab testbeds. To address this limitation, we use network traffic data captured from a real-world semiconductor production factory. We extract 45 bidirectional network flow features and construct several labeled datasets for training and testing ML models. We investigate 11 different supervised, unsupervised, and semi-supervised algorithms and assess their performance through extensive simulations. The results show that, in terms of the detection performance, supervised algorithms outperform both unsupervised and semi-supervised ones. In particular, the Decision Tree model attains an Accuracy of 0.999 while confining the False Positive Rate to 0.001.<\/jats:p>","DOI":"10.3390\/electronics11040602","type":"journal-article","created":{"date-parts":[[2022,2,15]],"date-time":"2022-02-15T22:44:47Z","timestamp":1644965087000},"page":"602","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":70,"title":["Machine Learning for DDoS Attack Detection in Industry 4.0 CPPSs"],"prefix":"10.3390","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7429-2144","authenticated-orcid":false,"given":"Firooz B.","family":"Saghezchi","sequence":"first","affiliation":[{"name":"Instituto de Telecomunica\u00e7\u00f5es, University of Aveiro, Campus Universit\u00e1rio de Santiago, 3810-193 Aveiro, Portugal"}]},{"given":"Georgios","family":"Mantas","sequence":"additional","affiliation":[{"name":"Instituto de Telecomunica\u00e7\u00f5es, University of Aveiro, Campus Universit\u00e1rio de Santiago, 3810-193 Aveiro, Portugal"},{"name":"Faculty of Engineering and Science, University of Greenwich, Chatham Maritime ME4 4TB, UK"}]},{"given":"Manuel A.","family":"Violas","sequence":"additional","affiliation":[{"name":"Department of Electronics, Telecommunications and Informatics, University of Aveiro, Campus Universit\u00e1rio de Santiago, 3810-193 Aveiro, Portugal"}]},{"given":"A. Manuel","family":"de Oliveira Duarte","sequence":"additional","affiliation":[{"name":"Department of Electronics, Telecommunications and Informatics, University of Aveiro, Campus Universit\u00e1rio de Santiago, 3810-193 Aveiro, Portugal"}]},{"given":"Jonathan","family":"Rodriguez","sequence":"additional","affiliation":[{"name":"Instituto de Telecomunica\u00e7\u00f5es, University of Aveiro, Campus Universit\u00e1rio de Santiago, 3810-193 Aveiro, Portugal"},{"name":"Faculty of Computing, Engineering and Science, University of South Wales, Pontypridd CF37 1DL, UK"}]}],"member":"1968","published-online":{"date-parts":[[2022,2,16]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.mfglet.2014.12.001","article-title":"A Cyber-Physical Systems architecture for Industry 4.0-based manufacturing systems","volume":"3","author":"Lee","year":"2015","journal-title":"Manuf. Lett."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"1175","DOI":"10.1016\/j.promfg.2017.09.191","article-title":"What does Industry 4.0 mean to Supply Chain?","volume":"13","author":"Tjahjono","year":"2017","journal-title":"Procedia Manuf."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"288","DOI":"10.1109\/JIOT.2017.2737630","article-title":"A Lightweight Authentication Mechanism for M2M Communications in Industrial IoT Environment","volume":"6","author":"Esfahani","year":"2017","journal-title":"IEEE Internet Things J."},{"key":"ref_4","unstructured":"Perez, R.L., Adamsky, F., Soua, R., and Engel, T. (2018, January 1\u20133). Machine Learning for Reliable Network Attack Detection in SCADA Systems. Proceedings of the 2018 17th IEEE International Conference on Trust, Security And Privacy in Computing And Communications\/12th IEEE International Conference On Big Data Science And Engineering (TrustCom\/BigDataSE), New York, NY, USA."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"149","DOI":"10.1007\/978-3-030-05195-2_15","article-title":"Machine Learning to Automate Network Segregation for Enhanced Security in Industry 4.0","volume":"Volume 263","author":"Saghezchi","year":"2019","journal-title":"Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"2046","DOI":"10.1109\/SURV.2013.031413.00127","article-title":"A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks","volume":"15","author":"Zargar","year":"2013","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_7","unstructured":"(2022, January 19). NetMate Meter Download|SourceForge.net. Available online: https:\/\/sourceforge.net\/projects\/netmate-meter\/."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"108647","DOI":"10.1109\/ACCESS.2019.2933304","article-title":"Learning Multilevel Auto-Encoders for DDoS Attack Detection in Smart Grid Network","volume":"7","author":"Ali","year":"2019","journal-title":"IEEE Access"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Saghezchi, F.B., Mantas, G., Ribeiro, J., Al-Rawi, M., Mumtaz, S., and Rodriguez, J. (2017, January 26\u201330). Towards a secure network architecture for smart grids in 5G era. Proceedings of the 2017 13th International Wireless Communications and Mobile Computing Conference, IWCMC, Valencia, Spain.","DOI":"10.1109\/IWCMC.2017.7986273"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"86","DOI":"10.1109\/TDSC.2018.2875008","article-title":"Distributed Attack Detection in a Water Treatment Plant: Method and Case Study","volume":"18","author":"Adepu","year":"2021","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Junejo, K.N., and Goh, J. (2016). Behaviour-Based Attack Detection and Classification in Cyber Physical Systems Using Machine Learning. Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, Association for Computing Machinery.","DOI":"10.1145\/2899015.2899016"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"1963","DOI":"10.1109\/TCST.2012.2211873","article-title":"Cyber Security of Water SCADA Systems\u2014Part I: Analysis and Experimentation of Stealthy Deception Attacks","volume":"21","author":"Amin","year":"2013","journal-title":"IEEE Trans. Control. Syst. Technol."},{"key":"ref_13","first-page":"15","article-title":"Combining ensemble methods and social network metrics for improving accuracy of OCSVM on intrusion detection in SCADA systems","volume":"30","author":"Maglaras","year":"2016","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Alhaidari, F.A., and AL-Dahasi, E.M. (2019, January 3\u20134). New Approach to Determine DDoS Attack Patterns on SCADA System Using Machine Learning. Proceedings of the 2019 International Conference on Computer and Information Sciences (ICCIS), Sakaka, Saudi Arabia.","DOI":"10.1109\/ICCISci.2019.8716432"},{"key":"ref_15","unstructured":"(2022, January 15). IBM X-Force Research: Security Attacks on Industrial Control Systems\u2014Security Intelligence. Available online: https:\/\/securityintelligence.com\/media\/security-attacks-on-industrial-control-systems\/."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Stouffer, K., Lightman, S., Pillitteri, V., Abrams, M., and Hahn, A. (2015). Guide to Industrial Control Systems (ICS) Security.","DOI":"10.6028\/NIST.SP.800-82r2"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Zamani, R., Moghaddam, M.P., and Haghifam, M.-R. (2022). Dynamic Characteristics Preserving Data Compressing Algorithm for Transactive Energy Management Frameworks. IEEE Trans. Ind. Inform., 1.","DOI":"10.1109\/TII.2022.3144463"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Zamani, R., Moghaddam, M.P., and Haghifam, M.-R. (2021). Evaluating the Impact of Connectivity on Transactive Energy in Smart Grid. IEEE Trans. Smart Grid, 1.","DOI":"10.1109\/TSG.2021.3136776"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"2483","DOI":"10.1109\/TII.2019.2905295","article-title":"A Survey on Model-Based Distributed Control and Filtering for Industrial Cyber-Physical Systems","volume":"15","author":"Ding","year":"2019","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_20","unstructured":"ISO (2022, January 17). IEC 62264-1:2013\u2014Enterprise-control system integration\u2014Part 1: Models and Terminology. Available online: https:\/\/www.iso.org\/standard\/57308.html."},{"key":"ref_21","unstructured":"IEEE (1994). IEEE Std C37.1-1994\u2014IEEE Standard Definition, Specification and Analysis of Systems Used for Supervisory Control, Data Acquisition, and Automatic Control, IEEE."},{"key":"ref_22","unstructured":"Zhu, B., and Sastry, S. (2010, January 12). SCADA-Specific Intrusion Detection\/Prevention Systems: A Survey and Taxonomy. Proceedings of the 1st Workshop on SECURE Control Systems (SCS), Stockholm, Sweden."},{"key":"ref_23","first-page":"16","article-title":"The Industry 4.0 revolution and the future of Manufacturing Execution Systems (MES)","volume":"3","year":"2015","journal-title":"J. Innov. Manag."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Bartodziej, C.J. (2017). The Concept Industry 4.0 BT\u2014The Concept Industry 4.0: An Empirical Analysis of Technologies and Applications in Production Logistics, Springer Fachmedien Wiesbaden.","DOI":"10.1007\/978-3-658-16502-4"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Linda, O., Vollmer, T., and Manic, M. (2009, January 14\u201319). Neural Network based Intrusion Detection System for critical infrastructures. Proceedings of the 2009 International Joint Conference on Neural Networks, Atlanta, GA, USA.","DOI":"10.1109\/IJCNN.2009.5178592"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"23154","DOI":"10.1109\/ACCESS.2020.2969626","article-title":"HIDROID: Prototyping a Behavioral Host-Based Intrusion Detection and Prevention System for Android","volume":"8","author":"Ribeiro","year":"2020","journal-title":"IEEE Access"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Scarfone, K.A., and Mell, P.M. (2007). SP 800-94. Guide to Intrusion Detection and Prevention Systems (IDPS).","DOI":"10.6028\/NIST.SP.800-94"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1016\/j.jnca.2012.09.004","article-title":"Intrusion detection system: A comprehensive review","volume":"36","author":"Liao","year":"2013","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Borges, P., Sousa, B., Ferreira, L., Saghezchi, F.B., Mantas, G., Ribeiro, J., Rodriguez, J., Cordeiro, L., and Simoes, P. (2017, January 8\u201312). Towards a Hybrid Intrusion Detection System for Android-based PPDR terminals. Proceedings of the IM 2017\u20142017 IFIP\/IEEE International Symposium on Integrated Network and Service Management, Lisbon, Portugal.","DOI":"10.23919\/INM.2017.7987434"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.cose.2008.08.003","article-title":"Anomaly-based network intrusion detection: Techniques, systems and challenges","volume":"28","year":"2009","journal-title":"Comput. Secur."},{"key":"ref_31","unstructured":"Stiller, B., and De Turck, F. (2010). Intrusion Detection in SCADA Networks BT\u2014Mechanisms for Autonomous Management of Networks and Services, Springer."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"343","DOI":"10.1109\/SURV.2010.032210.00054","article-title":"An Overview of IP Flow-Based Intrusion Detection","volume":"12","author":"Sperotto","year":"2010","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3203245","article-title":"A Survey of Physics-Based Attack Detection in Cyber-Physical Systems","volume":"51","author":"Giraldo","year":"2018","journal-title":"ACM Comput. Surv."},{"key":"ref_34","first-page":"48","article-title":"Distributed Attack Detection and Secure Estimation of Networked Cyber-Physical Systems Against False Data Injection Attacks and Jamming Attacks","volume":"4","author":"Guan","year":"2018","journal-title":"IEEE Trans. Signal Inf. Process. Netw."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"93","DOI":"10.1109\/TCNS.2016.2613445","article-title":"Event-Triggered Control Systems Under Denial-of-Service Attacks","volume":"4","author":"Dolk","year":"2017","journal-title":"IEEE Trans. Control. Netw. Syst."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"2715","DOI":"10.1109\/TAC.2013.2266831","article-title":"Attack Detection and Identification in Cyber-Physical Systems","volume":"58","author":"Pasqualetti","year":"2013","journal-title":"IEEE Trans. Autom. Control."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"4962","DOI":"10.1109\/TSG.2021.3102213","article-title":"Fast Islanding Detection of Nested Grids Including Multiple Resources Based on Phase Criteria","volume":"12","author":"Zamani","year":"2021","journal-title":"IEEE Trans. Smart Grid"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Jonker, M., Sperotto, A., and Pras, A. (2020, January 20\u201324). DDoS Mitigation: A Measurement-Based Approach. Proceedings of the NOMS 2020\u20142020 IEEE\/IFIP Network Operations and Management Symposium, Budapest, Hungary.","DOI":"10.1109\/NOMS47738.2020.9110320"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Steinberger, J., Sperotto, A., Baier, H., and Pras, A. (2020, January 20\u201324). Distributed DDoS Defense: A collaborative Approach at Internet Scale. Proceedings of the NOMS 2020\u20142020 IEEE\/IFIP Network Operations and Management Symposium, Budapest, Hungary.","DOI":"10.1109\/NOMS47738.2020.9110300"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Jiang, J., and Yasakethu, L. (2013, January 10\u201312). Anomaly Detection via One Class SVM for Protection of SCADA Systems. Proceedings of the 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, Beijing, China.","DOI":"10.1109\/CyberC.2013.22"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"11994","DOI":"10.1016\/j.eswa.2009.05.029","article-title":"Intrusion detection by machine learning: A review","volume":"36","author":"Tsai","year":"2009","journal-title":"Expert Syst. Appl."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"164","DOI":"10.1007\/s11036-019-01220-y","article-title":"An Autonomous Host-Based Intrusion Detection System for Android Mobile Devices","volume":"25","author":"Ribeiro","year":"2020","journal-title":"Mob. Netw. Appl."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Amouri, A., Alaparthy, V.T., and Morgera, S.D. (2020). A Machine Learning Based Intrusion Detection System for Mobile Internet of Things. Sensors, 20.","DOI":"10.3390\/s20020461"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Sarker, I.H., Abushark, Y.B., Alsolami, F., and Khan, A.I. (2020). IntruDTree: A Machine Learning Based Cyber Security Intrusion Detection Model. Symmetry, 12.","DOI":"10.20944\/preprints202004.0481.v1"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Maglaras, L.A., and Jiang, J. (2014, January 27\u201329). Intrusion detection in SCADA systems using machine learning techniques. Proceedings of the 2014 Science and Information Conference, London, UK.","DOI":"10.1109\/SAI.2014.6918252"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Schuster, F., Paul, A., Rietz, R., and Koenig, H. (2015, January 8\u201310). Potentials of Using One-Class SVM for Detecting Protocol-Specific Anomalies in Industrial Networks. Proceedings of the 2015 IEEE Symposium Series on Computational Intelligence, Cape Town, South Africa.","DOI":"10.1109\/SSCI.2015.22"},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Do, V.L., Fillatre, L., and Nikiforov, I. (2014, January 8\u201310). A statistical method for detecting cyber\/physical attacks on SCADA systems. Proceedings of the 2014 IEEE Conference on Control Applications (CCA), Antibes\/Nice, France.","DOI":"10.1109\/CCA.2014.6981373"},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Palmer, C., and Shenoi, S. (2009). Detecting Anomalies in Process Control Networks. Critical Infrastructure Protection III, Springer.","DOI":"10.1007\/978-3-642-04798-5"},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Valdes, A., and Cheung, S. (2009, January 11\u201312). Communication pattern anomaly detection in process control systems. Proceedings of the 2009 IEEE Conference on Technologies for Homeland Security, Waltham, MA, USA.","DOI":"10.1109\/THS.2009.5168010"},{"key":"ref_50","unstructured":"(2022, January 19). T-Shark: Terminal-Based Wireshark. Available online: https:\/\/www.wireshark.org\/docs\/wsug_html_chunked\/AppToolstshark.html."},{"key":"ref_51","unstructured":"(2022, January 19). GitHub\u2014Wanduow\/Libprotoident: Network Traffic Classification Library that Requires Minimal Application Payload. Available online: https:\/\/github.com\/wanduow\/libprotoident."},{"key":"ref_52","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1109\/79.543975","article-title":"The expectation-maximization algorithm","volume":"13","author":"Moon","year":"1996","journal-title":"IEEE Signal Process. Mag."}],"container-title":["Electronics"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2079-9292\/11\/4\/602\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T22:20:27Z","timestamp":1760134827000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2079-9292\/11\/4\/602"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,2,16]]},"references-count":52,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2022,2]]}},"alternative-id":["electronics11040602"],"URL":"https:\/\/doi.org\/10.3390\/electronics11040602","relation":{},"ISSN":["2079-9292"],"issn-type":[{"value":"2079-9292","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,2,16]]}}}