| Title: | Dataset Collection and Intrusion Detection Analysis for Industrial Network Traffic in a Festo Production Line |
| Subject: | Computer network engineering, Computer science, Embedded systems, Robotics |
| Level: | Basic, Advanced |
| Description: |
Background
Modern industrial production lines rely on networked control systems where PLCs, sensors, actuators, and industrial modules exchange operational data continuously. Monitoring this communication is important for understanding normal system behavior and detecting abnormal or potentially malicious activity.

At MITC, a Festo production line is available as a practical industrial testbed. The production line consists of several modules that communicate with each other, including PLC-to-PLC communication. By capturing and analyzing the network packets exchanged between these modules, it is possible to create a dataset that represents real industrial network traffic. This thesis focuses on collecting packet-level communication data from the Festo production line and applying intrusion detection methods to analyze whether abnormal traffic can be detected.

Problem Statement
Industrial control systems are vulnerable to cyberattacks that may manipulate communication between PLCs or disrupt production processes. However, developing and evaluating intrusion detection systems requires realistic datasets from industrial environments. Public datasets are often limited, outdated, or not representative of a specific production setup. The main problem addressed in this thesis is how to collect, structure, label, and analyze network traffic from a real industrial production line in order to evaluate intrusion detection techniques.

Aim
The aim of this thesis is to collect network traffic from the Festo production line at MITC and evaluate an intrusion detection system approach on the collected dataset.

Objectives
The thesis will address the following objectives:

Research Questions
RQ1: What types of network traffic are exchanged between different modules of the Festo production line?
RQ2: How can packet-level traffic from the production line be collected and structured into a usable dataset?
RQ3: Can an intrusion detection algorithm distinguish between normal and abnormal traffic in the collected dataset?
RQ4: What are the main limitations of applying IDS techniques to traffic collected from a small-scale industrial production line?

Methodology
The thesis will start with a study of the Festo production line architecture and its communication setup. The student will identify suitable points for packet capture and configure the network environment accordingly. This may involve replacing existing switches with managed switches or using port mirroring to capture traffic.

Network packets will be collected using tools such as Wireshark or tcpdump. The captured data will be stored in PCAP format and later processed to extract relevant features such as packet size, protocol type, source and destination addresses, timing information, and communication patterns.

If attack injection is feasible within the thesis period, selected abnormal scenarios will be introduced in a controlled manner. Examples may include traffic replay, packet flooding, unauthorized communication attempts, or malformed packets. These events will be labelled in the dataset. If attack injection is not feasible, the thesis will focus on normal traffic collection and anomaly detection based on deviations from learned normal behavior.

The student will then apply one or more IDS algorithms to the dataset. Suitable approaches may include rule-based detection, classical machine learning methods such as Random Forest or Support Vector Machine, or unsupervised anomaly detection methods such as Isolation Forest or Autoencoder-based detection.
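
The feature-extraction step of the methodology above, as an added example (not part of the thesis proposal or of any MITC tooling): a standard-library Python parser that turns a classic PCAP capture into per-packet rows with size, protocol, addresses, ports and inter-arrival time. The sample capture, its 192.0.2.0/24 addresses, ports and timestamps are constructed; pcapng files and non-Ethernet link types are assumed out of scope.

```python
import socket
import struct

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def extract_features(pcap: bytes) -> list:
    """Classic pcap (Ethernet link type) -> one feature row per packet."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic microsecond-resolution pcap")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    rows, off = [], 24
    while off + 16 <= len(pcap):
        sec, usec, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < incl:  # capture file cut off mid-record
            break
        ts = sec + usec / 1e6
        row = {"ts": ts, "iat": ts - rows[-1]["ts"] if rows else 0.0, "size": orig,
               "proto": "short", "src": None, "dst": None, "sport": None, "dport": None}
        if len(frame) >= 14:
            ethertype = struct.unpack("!H", frame[12:14])[0]
            row["proto"] = f"eth:0x{ethertype:04x}"  # non-IP frames keep their EtherType
            ip = frame[14:]
            if ethertype == 0x0800 and len(ip) >= 20:
                ihl = (ip[0] & 0x0F) * 4
                frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF  # ports only in first fragment
                row.update(proto=PROTO.get(ip[9], f"ip:{ip[9]}"),
                           src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]))
                if ip[9] in (6, 17) and frag == 0 and ihl >= 20 and len(ip) >= ihl + 4:
                    row["sport"], row["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
        rows.append(row)
    return rows

def sample_pcap() -> bytes:
    """Constructed three-packet capture (addresses, ports and times are made up)."""
    def ipv4(src, dst, proto, sport, dport):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        return b"\x02" * 6 + b"\x06" * 6 + b"\x08\x00" + hdr + struct.pack("!HH", sport, dport)
    frames = [(0, 0, ipv4("192.0.2.10", "192.0.2.20", 6, 40000, 5000)),
              (0, 500000, ipv4("192.0.2.20", "192.0.2.10", 17, 2000, 2001)),
              (1, 0, b"\xff" * 6 + b"\x06" * 6 + b"\x08\x06" + bytes(28))]  # non-IP frame
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in frames)
```

The returned rows can be written to CSV or loaded into a data frame as the input table for the IDS algorithms named above.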

The performance of the IDS will be evaluated using standard metrics and discussed in relation to the characteristics of the collected industrial traffic.

Expected Results
The expected results of the thesis are:

Scope and Limitations
The thesis will focus on packet capture, dataset preparation, and IDS evaluation. The goal is not to design a new IDS algorithm from scratch. The attack scenarios will be limited to safe and controlled experiments that do not damage the production line or interfere with other infrastructure. The amount of collected data and the diversity of attack scenarios may be limited by the availability of the testbed, safety restrictions, and the thesis time frame.

Required Background
The student should have basic knowledge of computer networks, TCP/IP, packet capture tools, and Python programming. Knowledge of machine learning and cybersecurity is beneficial but not mandatory.

Tools and Technologies
Possible tools include:
|
| Start date: | |
| End date: | |
| Prerequisites: |
|
| IDT supervisors: | Hossein Fotouhi |
| Examiner: | |
| Comments: | |
| Company contact: |