Abstract: A method for monitoring and controlling, industrial or building automation to detect anomalies in a control network, wherein a technology of an intrusion detection system (IDS) is configured to analyze a time sequence and time intervals of correct messages in the network traffic and to use the messages to train an anomaly detection system. Detecting a time sequence and a rhythm of correct messages allows for the detection of malfunctions or manipulations of devices and attacks that are performed using regular monitoring or control stations that have been taken over by attackers or that are defect, and that cannot be detected using content-based methods or by a considerable increase of data traffic. An additional security barrier is thus provided that can continue monitoring and protecting a technical unit from possible acts of sabotage, even if the control network of the technical unit has already been corrupted.

Abstract: A method for monitoring and controlling, industrial or building automation to detect anomalies in a control network, wherein a technology of an intrusion detection system (IDS) is configured to analyze a time sequence and time intervals of correct messages in the network traffic and to use the messages to train an anomaly detection system. Detecting a time sequence and a rhythm of correct messages allows for the detection of malfunctions or manipulations of devices and attacks that are performed using regular monitoring or control stations that have been taken over by attackers or that are defect, and that cannot be detected using content-based methods or by a considerable increase of data traffic. An additional security barrier is thus provided that can continue monitoring and protecting a technical unit from possible acts of sabotage, even if the control network of the technical unit has already been corrupted.