Classification and Characterization of Encoded Traffic in SCADA Network using Hybrid Deep Learning Scheme

A hybrid deep learning model using CNN and LSTM effectively classifies and characterizes SCADA network traffic, addressing vulnerabilities and enhancing security by improving detection accuracy and reducing computational costs.

KR102992040B1Active Publication Date: 2026-07-15국립금오공과대학교산학협력단

Patent Information

Authority / Receiving Office
KR · KR
Patent Type
Patents
Current Assignee / Owner
국립금오공과대학교산학협력단
Filing Date
2025-01-17
Publication Date
2026-07-15

AI Technical Summary

Technical Problem

Existing security approaches for SCADA networks are inadequate in protecting against sophisticated attacks due to insufficient consideration of network communication and traffic protocols, with vulnerabilities arising from increased complexity and interconnections, and current intrusion detection methods lack time-efficiency and robustness.

Method used

A hybrid deep learning method combining CNN and LSTM models for real-time classification and characterization of encoded traffic in SCADA networks, utilizing batch normalization and dropout layers to enhance detection accuracy and reduce computational costs.

Benefits of technology

The hybrid approach achieves higher accuracy and time-efficiency in detecting anomalies and classifying encoded traffic, improving network security in SCADA systems by leveraging long-term dependencies and reducing overfitting.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure R1020250007251_ABST
    Figure R1020250007251_ABST
Patent Text Reader

Abstract

The Domain Name System (DNS) has evolved into an essential component of network communication and is a critical component of critical industrial systems (CIS) and supervisory control and data acquisition (SCADA) network connectivity. DNS over HTTPS (DoH), which encapsulates DNS within HTTPS, cannot completely block network access exploitation. The present invention proposes a hybrid deep learning model for early classification of encoded network traffic into one of two classes: DoH or Non-DoH. Such traffic may be malicious, normal, or a zero-day attack. The proposed method integrates the useful information extraction capabilities of a Convolutional Neural Network (CNN) with the ease of learning long-term dependencies of Long Short-Term Memory (LSTM). Simulation results showed that the proposed approach accurately classifies encoded network traffic as DoH or Non-DoH and characterizes the traffic as normal, zero-day, or malicious. The proposed robust hybrid deep learning model demonstrated high accuracy and precision of 99.28%, a recall of 99.75%, and an AUC of 0.9975, while training and testing times were minimized to 745 seconds and 0.000324 seconds, respectively. Furthermore, outperforming other modern algorithms and existing technologies, the proposed technology effectively detected all types of attacks. This invention investigated the impact of the SMOTE technique as a tool for data balancing. To further verify the reliability of the proposed method, two different cybersecurity datasets (NSL-KDD and CICDS2017) were evaluated along with the Industrial Control System SCADA (ICS-SCADA) dataset. Model performance was validated using the Matthews correlation coefficient (MCC), and the applicability of the proposed model to critical industrial systems such as SCADA was confirmed.
Need to check novelty before this filing date? Find Prior Art

Description

Technology Field

[0001] The present invention relates to a method for classifying and characterizing traffic in a SCADA network, and more specifically, to a system and method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network. Background Technology

[0003] Existing information security approaches fail to provide comprehensive protection for critical industrial systems such as SCADA. This is due to existing exploitation mechanisms, methods of attack, and the continuous emergence of new attacks. While researchers and security experts study various intrusion detection techniques, they often ignore the system and context in which the intrusion occurred. Therefore, since information security alone is insufficient to address overall security issues in critical systems like SCADA networks, it is necessary to consider network communication and traffic protocols.

[0004] SCADA networks provide procedures for the monitoring, control, and real-time information generation of distributed industrial facilities. CIS smart factories utilize SCADA systems to automate industrial processes, such as manufacturing and power generation, and enable the provision of real-time services. Nevertheless, SCADA networks are not sufficiently protected and remain vulnerable to various attacks that can have a catastrophic impact on time-sensitive operations.

[0005] The primary targets of these attacks are network communication and transmission protocols, as well as devices and connections such as application servers, sensors, and actuators. To protect SCADA network transmissions, communication and transmission protocols must be secured, and additional DNS protection is required. As the complexity of SCADA systems increases and vulnerability to the Internet grows, a systematic approach may not be applied to the security of network and communication protocols. This can lead to security threats, bypassing of security measures, data leakage, and compatibility issues. Therefore, hybrid deep learning protection capable of real-time protection is necessary to secure SCADA network communication systems.

[0006] The emergence of B5G and IIoT has enabled the connection of more devices, which has increased the utilization of Internet and network communication protocols and, consequently, raised vulnerabilities and potential for attack. The security of such interconnections is particularly critical in the context of SCADA networks. DNS acts like a phonebook for users, converting domain names into Internet Protocol (IP) addresses. While there may be questions regarding DNS readiness for B5G and IIoT, it is certain that DNS is essential.

[0007] DNS encoding encompasses the transmission of data between a server and a client using the DNS protocol. Data is contained within standard DNS queries, and the server may or may not provide some encrypted data during the DNS feedback conversation. In SCADA network communications, DNS encoding is difficult to detect and prevent because data packets undergo multiple recursive hops before reaching the name server destination. Furthermore, SCADA networks are vulnerable because firewalls cannot accurately inspect the frequency and content of DNS packets. The goal of protecting communication protocols is to prevent DNS data manipulation, hijacking, eavesdropping, and the enhancement of communication security. However, the focus of DoH is on protecting communications and reducing vulnerabilities such as MiTM attacks.

[0008] The introduction of IPv6 has made it possible to address a wide variety of devices that were impossible with the nearly exhausted IPv4. While DNS functionality may go unnoticed, network failures can hinder users from accessing SCADA resources over the Internet. DNS failures are often caused by adversarial attacks, and this trend continues to increase. This situation suggests the need for efficient hybrid deep learning-based protection mechanisms to keep up with evolving attack trends. The National Institute of Standards and Technology (NIST) has published a document outlining guidelines for securely deploying DNS to avoid security risks associated with it. The Internet Engineering Task Force (IETF) introduced DNS over HTTPS (DoH) to improve DNS security and privacy. However, this approach is insufficient to mitigate the increasingly sophisticated vulnerabilities and attacks in critical systems such as SCADA networks.

[0009] Attempts to protect SCADA network security have implemented firewalls and network intrusion detection systems, but they have limitations in addressing the challenges of attacks and vulnerabilities. Only some of this research has focused on communication protocols, particularly DNS.

[0010] This invention focuses on the DNS protocol, considering its applicability to network traffic communication using HTTP / HTTPS®. This is because the majority of network traffic generated by SCADA intrusions utilizes DNS. To mitigate various DNS attacks, a real-time, preemptive method capable of intelligently detecting and classifying the characteristics of SCADA network communication traffic in real time is crucial. Given the time-sensitive operation of SCADA systems, reliability, low computational cost, and high detection accuracy determine the performance of efficient intrusion detection techniques. The lack of comprehensive technology to meet these requirements has remained a problem.

[0012] The theoretical background and related research are as follows.

[0013] A. What is SCADA?

[0014] A SCADA system is an industrial automation network that controls and monitors industrial operations by using software and hardware to collect, analyze, and provide data generated from sensors. These technologies are crucial for understanding and executing processes that enable industrial environments to optimize operations through data-driven decision-making.

[0015] The software and hardware components of a SCADA system communicate in a synchronized state. SCADA software analyzes and interprets hardware data configured for management and anomaly detection. The hardware consists of relays, sensors, and switches, and its primary role is to collect critical operational data. This data is transmitted to Programmable Logic Controllers (PLCs) or Remote Terminal Units (RTUs), converted into industry-standard protocols, and then processed and used for operational efficiency. The data is delivered to Human-Machine Interfaces (HMIs) to visually represent processes through metrics, statistical reports, spreadsheets, warning signals, and patterns, which are then analyzed to make data-driven decisions.

[0016] Before the widespread adoption of automation technology in smart factories, industrial processes were controlled and managed manually. As factories and processes became larger and more complex, organizations needed to control and monitor larger-scale equipment and operations from longer distances. The introduction of PLCs and RTUs in the industrial sector laid the foundation for the development of SCADA systems.

[0018] The basic functions of a SCADA system are as follows:

[0019] 1) High-performance data acquisition: SCADA systems must be equipped with mission-essential rapid data collection capabilities capable of recording data at high speeds through a database.

[0020] 2) Functionality: A good SCADA system provides a robust framework for process automation, triggers tasks to complete operations, and allows users to participate in predefined procedures.

[0021] 3) Universal Connectivity: High-quality SCADA systems enable IoT-ready operations by allowing all data within the system to be connected from anywhere. This requires supporting the actual implementation of Message Queuing Telemetry (MQTT), Simple Network Management Protocol (SNMP), Internet of Things (IoT), databases, and web services, which enables the aggregation of all data using communication techniques.

[0023] B. Characteristics and Attack Patterns of SCADA Networks

[0024] SCADA networks increase in stability over time, and network applications do not regularly join or leave. While existing networks provide various protocols such as HTTP, instant messaging, and VoIP, SCADA networks provide services for monitoring and controlling industrial processes and automation. Due to polling mechanisms primarily used to collect data, most SCADA traffic is expected to be generated regularly. As a result, traffic patterns do not depend on human activity as in existing IoT networks. Extensive research on existing networks has revealed that SCADA networks are significantly different from general networks.

[0025] The IEC-60870-5-104 (IEC-104) protocol is widely used in SCADA networks to manage sensitive facilities, such as power plants. As the importance of SCADA security grows, researchers are studying the characteristics and modeling of SCADA traffic to develop defense mechanisms based on the regularity of polling mechanisms used in SCADA systems, and are particularly investigating the characteristics of traffic generated by non-polling mechanisms, such as spontaneous events.

[0026] The authors of C.-Y. Lin and S. Nadjm-Tehrani, “Understanding IEC-60870-5-104 traffic patterns in SCADA networks,” in Proc. ACM CPSS, 2018, proposed a method based on probabilistic suffix trees (PSTs) to identify the underlying time patterns of spontaneous events, thereby providing insights into how traffic flow between SCADA components changes over time. This demonstrates the existence of data patterns distinct from standard existing network traffic patterns.

[0028] C. Related Research

[0029] While there is a series of studies on intrusion detection using machine learning and deep learning (ML / DL) techniques focused on IoT, research extended to SCADA and smart factories is limited. However, research utilizing ML and DL insights into SCADA network intrusion detection is necessary to determine the scope of operations in the target domain. Ensemble learning approaches combine multiple classifiers to generate predictions that improve performance regarding attacks and protocols in IoT networks. Although this method yielded improved results, the approach is somewhat cumbersome due to a lack of processing speed.

[0030] Research needs to detect malicious DNS activity in DoH environments utilizing HTTP traffic. While these ML attempts have investigated various mechanisms for anomaly detection and classification of DNS over HTTPS, they lack detailed investigation into robust approaches for high-dimensional datasets. Similarly, a study (M. MontazeriShatoori, L. Davidson, G. Kaur, and AH Lashkari, “Detection of DoH tunnels using time-series classification of encrypted traffic,” in Proc. IEEE CyberSciTech, 2020.) described a two-step strategy using a classifier to recognize and classify DNS over hypertext traffic. According to the authors, a key feature of this study is its ability to detect and classify DoH traffic using a small amount of input data. Consequently, this model lacks robustness and is unsuitable for smart manufacturing activities.

[0031] In another study (M. Roopak, GY Tian, ​​and J. Chambers, “An intrusion detection system against DDoS attacks in IoT networks,” in Proc. IEEE CCWC, 2020), a hybrid strategy using a universal optimization methodology was presented to detect distributed denial-of-service (DDoS) attacks in IoT. This method examined a prototype version of the CICIDS2017 dataset. The authors plan to test the model on distributed IDS because, while efficient, it lacks computational speed and is not robust enough for smart factories.

[0032] Deep learning frameworks, such as CNNs, LSTM networks, or other combinations, have had a significant impact on computer vision as well as intrusion detection, enabling the understanding of high dimensions in heterogeneous IIoT datasets and performing feature extraction, classification, and data integration. There are two fundamental aspects: hierarchical feature representation and understanding long-term dependencies in large-scale sequence data.

[0033] There have been attempts to design a SCADA IDS. The paper by L. Karanam, KK Pattanaik, and R. Aldmour (“Intrusion detection mechanism for large scale networks using CNN-LSTM,” in Proc. IEEE DeSE, 2020.) evaluated the famous NSL-KDD dataset and proposed a strategy to identify attacks using LSTM and CNN. The model's performance was good, but the classification speed could have been faster.

[0034] (M. Teixeira, T. Salman, M. Zolanvari, R. Jain, N. Meskin, and M. Samaka, “SCADA system testbed for cybersecurity research using machine learning approach,” Future Internet, vol. 10, no. 8, p. 76, Aug 2018. [Online]. Available: http: / / dx.doi.org / 10.3390 / fi10080076) published a study analyzing the impact of attacks by developing a SCADA system testbed. Their approach investigated KNN, Random Forest, Naive Bayes, and Decision Tree Classifiers.

[0035] Another paper (MA Teixeira, M. Zolanvari, KM Khan, R. Jain, and N. Meskin, “Flow-based intrusion detection algorithm for supervisory control and data acquisition systems: A real-time approach,” IET Cyber-Physical Systems: Theory & Applications, vol. 6, no. 3, pp. 178-191, 2021.) conducted a study on flow-based intrusion detection for SCADA systems using deep artificial neural networks. The proposed approach evaluated both online and offline attacks. The strategy demonstrated excellent performance, but there is a need to evaluate more types of attacks.

[0036] The study developed a power grid IDS technique combining recursive feature elimination with extreme gradient boosting (RFEXGBoost) with a focus on feature selection. When evaluated on a public dataset collected from a small power grid test site, it achieved significant detection rates, accuracy, recall, and precision.

[0037] The study (Y. Ouyang, B. Li, Q. Kong, H. Song, and T. Li, “FS-IDS: A novel fewshot learning based intrusion detection system for SCADA networks,” in Proc. IEEE ICC, 2021.) demonstrated ambitious performance in identifying attacks using a small number of examples. However, these recent studies lack the time efficiency essential for smart factory operations.

[0038] Accordingly, the present invention provides a time-efficient hybrid approach to leverage the impact of cyber security vulnerability and attack detection. This approach intelligently detects and characterizes network traffic of a SCADA system.

[0040] D. Summary of Research Gaps in Related Studies

[0041] Table 2 is a summary of related research based on the encoded CIRA-CIC-DOHBRW-2020 traffic dataset, and Table 3 is a summary of related research based on the CNN-LSTM approach.

[0042] (Table 2) Summary of relevant research based on the encoded CIRA-CIC-DOHBRW-2020 traffic dataset

[0043]

[0045] (Table 3) Summary of related research based on the CNN-LSTM approach

[0046]

[0048] This table demonstrates that most published studies are difficult to reproduce due to insufficient detail and lack of transparency in methodology. To advance the still immature use of AI for SCADA vulnerability research, this work requires careful efforts to ensure the reproducibility of results. Additionally, Table 3 summarizes relevant research based on combinations of CNNs and LSTMs, highlighting the limitations of existing studies. Two limitations are evident. The first is the limited SCADA datasets, to the extent that most authors used available datasets such as NSL-KDD or KDD99. Second, regarding SCADA datasets, performance evaluations by most authors are limited to one or two datasets. In this work, repeated evaluations and the use of MCC metrics were employed across four public datasets to demonstrate the reliability of the proposed approach. Furthermore, explainable AI principles were adopted to ensure the model's reproducibility.

[0049] The table below is a table of abbreviations. It explains the abbreviations used in this specification.

[0050] Prior art literature

[0052] (Patent Document 0001) KR 1020240059900 A The problem to be solved

[0053] The present invention aims to provide a method for classifying and characterizing encoded traffic using a hybrid deep learning method in a time-efficient SCADA network to utilize the impact of cyber security vulnerability and attack detection in a SCADA system in order to solve the above problems. means of solving the problem

[0055] In a method for classifying and characterizing encoded traffic using a hybrid deep learning approach in a SCADA network,

[0056] (S1) Step S1, which receives traffic data at the input layer;

[0057] (S2) Step S2, which performs batch normalization on the traffic received in Step S1;

[0058] (S3) Step S3, which performs convolution (12, 1*3 conv) with 12 kernels on batch-normalized data; - Batch-normalized data is passed to Steps S4 and S5 simultaneously -

[0059] (S4) Step S4 performs asymmetric convolution (12 1*3 conv, 12 1*3 conv, 12 1*3 conv) on the data received from Step S3, combines the convolved data, and then performs max pooling; - The result data from Step S4 is passed to Step S6 -

[0060] (S5) Step S5 performs symmetric convolution (12 1*3 conv, 12 1*3 conv) and max pooling on the data received from Step S3; - The result data from Step S5 is passed to Step S6 -

[0061] (S6) Step S6, which combines the data received from Steps S4 and S5.

[0062] (S7) Step S7, which performs convolution (1*1 Conv) with 12 kernels on the data combined in Step S6;

[0063] (S8) Step S8, which integrates the result data from Step S3 and the result data from Step S7 and performs average pooling;

[0064] (S9) Step S9, which analyzes the temporal features of traffic data using the LSTM (Long Short-Term Memory) technique on the result data of Step S8;

[0065] Classification and characterization method of encoded traffic using a hybrid deep learning method in a SCADA network characterized by including

[0067] The above convolution is characterized by being calculated by the following formula.

[0068]

[0069] - a, b are the coordinates of the output matrix

[0070] - xj is the convolution kernel weight

[0071] - yj is the network traffic value of the input dataset

[0073] The above convolution operation is characterized by further including a scalar bias input value to control the result.

[0074]

[0075] - q: Scalar bias input controlling the convolution result

[0076] - Za,b: Result data controlled by the scalar bias input

[0078] The above convolution is characterized by further including a ReLU (The rectified linear unit) operation calculated by the following formula to resolve the overfitting problem.

[0079]

[0080] ReLU generates 0 for values ​​less than 0 and passes values ​​greater than or equal to 0 as is.

[0081] - P: Output feature

[0082] - h : ReLU function

[0084] The above max pooling is characterized by selecting the largest value to perform calculations in order to emphasize the most distinct pattern, and

[0085] The above average pooling is characterized by calculating an average value to maintain smooth features.

[0087] The above convolution is characterized by extracting spatial features from traffic data and learning the main patterns of traffic by applying multiple kernels, and

[0088] The above LSTM is characterized by effectively detecting anomalies by analyzing temporal patterns and performing the role of predicting current and future traffic flows based on past traffic patterns. Effects of the invention

[0090] The method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network according to the present invention has higher accuracy than a conventional single model and can classify encoded traffic more effectively.

[0091] In addition, the method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network according to the present invention improves network security in an industrial control system (ICS) environment and improves performance compared to existing machine learning and deep learning models.

[0092] In addition, the method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network according to the present invention can more effectively learn correlations between network packets by utilizing CNN, and can effectively detect anomalies occurring in the SCADA network by applying LSTM. That is, if CNN first extracts features and LSTM learns temporal patterns based on them, it has the effect of detecting anomalies occurring in the SCADA network. Brief explanation of the drawing

[0094] Figure 1 is an IIoT flowchart using a SCADA network hybrid DL model. Figure 2 schematically illustrates the system model. Fig. 3. Configuration of the power system SCADA network used to generate the SCADA dataset. Figure 3 is a configuration diagram of a power system SCADA network used to generate SCADA data sets. Figure 4 illustrates the proposed hybrid model framework. It shows that the proposed approach is constructed with a standard convolution layer for generating completely isolated variables and an LSTM layer for SCADA network traffic classification and characterization. Figure 5 is a correlation matrix showing high correlation characteristics. Figure 6 is the PCC result verifying the selection of functional feature importance. Figure 7 is a data set distribution diagram. Figure 8 illustrates the confusion matrix of the proposed CNN-LSTM scheme for encoded traffic classification and provides the error matrix between the predicted result and the actual result. Figure 9 shows the confusion matrix for anomaly detection. Figure 10 is a confusion matrix of benign / malignant anomaly detection without data balancing. Figure 11 is an accuracy graph showing the performance of the proposed model on the ICS-SCADA dataset. Figure 12 is a graph showing the performance of the proposed model on the ICS-SCADA dataset. Figure 13 is a confusion matrix showing the performance of the proposed model on ICS-SCADA binary and three-class datasets. Figure 14 is a confusion matrix showing the performance of the proposed model on the NSL-KDD and CICIDS2017 datasets. Specific details for implementing the invention

[0095] Specific structural or functional descriptions of embodiments according to the concept of the present invention disclosed herein are provided merely for the purpose of explaining embodiments according to the concept of the present invention, and embodiments according to the concept of the present invention may be implemented in various forms and are not limited to the embodiments described herein.

[0096] Embodiments according to the concept of the present invention may be subject to various modifications and may take various forms; therefore, embodiments are illustrated in the drawings and described in detail in this specification. However, this is not intended to limit the embodiments according to the concept of the present invention to specific disclosed forms, and includes all modifications, equivalents, or substitutions that fall within the spirit and scope of the present invention.

[0098] Hereinafter, preferred embodiments of the present invention will be described with reference to the attached drawings.

[0100] 1. Overview

[0101] To solve the above problem, intelligent hybrid deep learning technology is required for the rapid detection and characterization of SCADA network traffic.

[0102] The novelty of the proposed model, designed to address model performance degradation caused by increased feature dimensions, lies in utilizing independent feature engineering techniques to lower computational costs and improve detection accuracy. This model is applicable to all systems with vulnerability issues and is suitable for real-time systems such as SCADA. It also prevents ambiguity by bypassing configured IPs and ports.

[0103] In the proposed method, there is no need to label inputs as attacks during the testing phase. Therefore, the objective of the present invention is to intelligently predict whether network traffic is non-DoH, legitimate DoH, or malicious DoH, characterize it to eliminate non-DoH and malicious DoH traffic, and allow only legitimate DoH traffic to enhance system security.

[0104] The present invention uses intelligent hybrid deep learning to accurately detect and characterize SCADA network communication traffic. In addition, this efficient machine learning technique must include alternative indicators such as the Matthews correlation coefficient (MCC) to test the reliability of the proposed approach with imbalanced data in real-world scenarios.

[0106] The main contributions of the present invention are as follows:

[0107] - For efficient real-time detection / classification, the present invention proposes an intelligent and time-efficient hybrid method that enhances network security. The proposed IDS classification model for SCADA network communication mimics real-time traffic monitoring.

[0108] - The present invention explains the effect of a combination of CNN and LSTM on learning long-term dependencies and demonstrates significant improvements in classification.

[0109] - The present invention demonstrates that the speed, stability, and robustness of CNNs have been improved by utilizing batch normalization.

[0110] - The present invention also highlights the advantage of solving the overfitting problem that primarily affects deep learning models by implementing a dropout layer.

[0111] In addition, the performance of the proposed architecture with other models for precision, throughput, computation time, recall, and F1 score is compared.

[0112] The reliability of the proposed model was verified using the Matthews correlation coefficient, and an evaluation of the Industrial Control System (ICS-SCADA) dataset was also included.

[0114] 2. Methodology

[0115] A. Description of Power System SCADA Network

[0116] SCADA networks provide an ideal method for remotely controlling and monitoring industrial resources. They are widely used in various industrial applications, such as factory automation, water treatment, oil and gas pipeline control and monitoring, power systems, and efficiency enhancement. SCADA collects data from various production units and processes it appropriately. Programmable logic controllers (PLCs) located remotely continuously monitor unit components and transmit the information to a central system. This increases efficiency by maintaining operational factors within a manageable range.

[0118] Figure 3 is a power system SCADA network configuration diagram used to generate the dataset.

[0119] This network consists of various components, the first of which are generators G1 and G2. R1 through R4 are Intelligent Electronic Devices (IEDs) that control the circuit breakers (on or off). The circuit breakers are BR1 through BR4. There are also two lines; Line 1 connects circuit breaker BR1 to BR2, and Line 2 connects circuit breaker BR3 to BR4. Each IED is programmed to control a single circuit breaker, with R1 controlling BR1 and R2 controlling BR2, respectively. Because IEDs lack internal verification, they utilize distance protection technology that trips the circuit breaker if an anomaly is detected, regardless of whether it is valid or tampered with. The components and configuration of a power system SCADA network define uniqueness in terms of generated data, vulnerabilities, and attack methods. Therefore, SCADA traffic patterns and characteristics contrast with general internet traffic. Consequently, a robust approach is required to classify and characterize encoded traffic. As a result, a practical and time-consuming IDS is necessary.

[0120] The data contains 29 types of measurements from various Phase Measurement Units (PMUs). A PMU is a device that measures electrical fluctuations in a power grid while synchronizing with an expected time source. This network consists of four PMUs, each measuring 29 features, and the dataset contains a total of 116 columns of PMU measurements. The index of each column is in the format 'R#-SignalReference1' and indicates the measurement type specified by the PMU. The dataset contains 128 features. For details on the features, refer to the dataset description.

[0122] B. Attack Traffic and Types

[0123] The continuous increase in attack scenarios combined with new, complex network and software configurations has made it necessary to include real-time network traffic in datasets. This phenomenon has also led to the absence of complete network-based datasets.

[0124] To fully evaluate an IDS approach, two or more datasets are essential to avoid overfitting to a specific dataset, limit the impact of erroneous artifacts from that dataset, and analyze the technique from a more comprehensive perspective. IDS datasets contain various attack scenarios. This attribute identifies whether the dataset contains zero-day, legitimate, and malicious network traffic, and returns true if the attribute is present.

[0125] Additional information on specific attack types and criteria is as follows:

[0126] 1) Zero-day traffic: Focuses on zero-day vulnerabilities. Zero-day vulnerabilities are identified attacks in network traffic that have not yet been resolved.

[0127] 2) Normal traffic: This is normal network traffic without intrusions or attacks.

[0128] 3) Malicious Traffic: In this scenario, the intruder exploits network traffic to bombard the target system with various attack types, such as DoS, DDoS, MiTM, and intrusion. This overwhelms the target by exploiting system vulnerabilities.

[0130] C. Systems Methodology

[0131] To address the discussed problem, the present invention proposes the use of intelligent CNN-LSTM for time-efficient vulnerability and attack detection in smart factory SCADA networks. Refer to Fig. 2 for the system model architecture.

[0133] 1) LSTM: LSTM is well known for its long-term data-dependent learning capabilities. A key feature of using LSTM is the elimination of feature engineering. An LSTM network consists of aggregation units, with three main elements: input ports, forget ports, and output ports. These are used to upgrade, improve, and remove the data contained within the unit. To generate the current state, the input gate controls the input data using a sigmoid function.

[0134]

[0135] Here, bi and wi represent the offset and weight matrix of the input gate. Additionally, the input gate generates the data vector of the current state using the tanh function. The proposed network uses the results of the input gate and the forget gate to generate the hidden state Determine as follows:

[0136]

[0137]

[0138] The Gate of Oblivion is a sigmoid gate Unnecessary data is removed from the input layer output ft and the previous cell output ft-1 using [the appropriate method]. Finally, the data is multiplied and combined. The output ft of the forget gate appears as follows:

[0139]

[0140] Here, bf and wf are the offset and weight matrices of the forget gate. Finally, the output gate selects useful features based on the current cell state, the result of the base cell, and the new data. This output gate function ot is represented as follows:

[0141]

[0142] Resulting LSTM layer: f outcome It appears as follows:

[0143]

[0145] 2) CNN: CNN is a neural network widely used primarily in computer vision for image recognition, capable of efficiently extracting useful data from large-scale samples. For the present invention, reference is made to an extended CNN in the following section.

[0147] D. Hybrid Framework

[0148] This section proposes a hybridization of the CNN-LSTM model that challenges the computation time and accuracy limitations of existing IIoT (SCADA) intrusion detection. Although a series of studies have demonstrated that growth in network size and execution time leads to superior performance, limitations on execution time and the number of variables in IIoT (SCADA) IDS remain a significant issue.

[0149] Therefore, to address these limitations, the present invention proposes a method that achieves competent learning performance with minimal execution time by utilizing optimal parameter pooling through interconnections while considering multivariate convolution.

[0151] Figure 4 shows that the proposed approach is constructed with a standard convolution layer for generating completely separated variables and an LSTM layer for SCADA network traffic classification and characterization.

[0152] 1) The input layer size This is pre-processed min-max data normalization. A batch normalization layer is used to prevent overfitting while maintaining the model training process to increase the convergence of the input dataset. The input data of the present invention is normalized stepwise for every 30 minipack sizes.

[0153] This standard setup procedure consists of two steps: normalization, scaling, and equalization. This procedure maintains the model training process while significantly reducing the number of iterations required for deep learning training. Batch-normalized data passes through a (1x3) convolution layer with 12 kernels.

[0155] In a convolution layer, the 1D convolution operation between the kernel and the input map is calculated as the sum of dot products at specific spatial coordinates (x,y):

[0156]

[0157] Here, xj represents the convolution kernel weights, and yj represents the network traffic values ​​of the input dataset. The scalar bias input q controls the convolution result and is calculated as a cost as follows:

[0158]

[0159] The output feature p is 16 is the number of mechanisms used. Feature maps are generated as the result of convolution layers with a non-linear activation function h. The ReLU (The rectified linear unit) activation function is used to minimize the overfitting problem. ReLU generates 0 for values ​​less than 0 and passes values ​​greater than or equal to 0 as is. The process of ReLU is as follows:

[0160]

[0161] Three different stream interconnection strategies are used to compute the ReLU layer feature map results. The integration layer combines the processing units of the first and second streams, and the final feature map is integrated using the previous unit results and a new connection. For details, refer to Fig. 4.

[0162] Furthermore, this technique is called substructuring and improves learning capability with minimal execution time. The convolution result feature map processed from the first stream of the asymmetric convolution kernel helps extract sub-parameters and improve model precision. Then, a spatial construction layer combines the outputs of the asymmetric convolution layer. Concurrent CNN frameworks are used to reduce computational complexity by utilizing asymmetric procedures and large architectures. This framework is intended to achieve rapid convergence of the training task. However, residual interconnection avoids the vanishing gradient problem and improves accuracy.

[0164] The network architecture consists of three procedures with varying convolution strengths for feature extraction.

[0165] 1) The first step combines two convolutions (1x3) and (1x1) in succession and passes them to a max pooling layer. 2) The second step consists of three convolution layers, with the last two layers configured simultaneously. 3) The third step uses a single max pooling to minimize feature dimensions and obtain heterogeneous features. Each step is combined and passed to average pooling, with the size set to two (2) to reduce execution time.

[0166] The output of the average pooling layer is input into the LSTM layer and then passed to the dense layer. The resulting LSTM structure is passed to the dense layer. Following the dense layer, data evaluation is performed by softmax and fully connected layers for the classification and characterization of encoded SCADA network traffic. Given the method of effectively capturing long-term correlation structures through LSTMs, the proposed approach uses an LSTM layer after the average pooling layer.

[0167] The LSTM consists of memory cells called neurons. The cell is composed of input, forget, and output gates, each providing various functions to evaluate input variables. For example, depending on the cell state, the forget gate decides whether to remove irrelevant information. To begin, the forget gate uses a sigmoid gate Q to remove redundant information from the result of the addition layer of ft and the previous cell result ft-1. Finally, the collected information is multiplied and combined. Refer to Figure 4 for the representation of the proposed model framework, and refer to Table 4 for the overall network architecture of the proposed model, including its features and specifications.

[0168] (Table 4) Network architecture of the proposed CNN+LSTM model

[0169]

[0171] The classification and characterization of network traffic are performed using similar network architectures and parameters. This is intended to verify the feasibility of the proposed model for real-world scenarios of network traffic classification and detection. The ideal feature parameter settings used for the two layers (classification and detection) of the proposed model are shown in Table 5.

[0172] (Table 5) Ideal feature parameters of the proposed CNN+LSTM model

[0173]

[0175] The proposed model achieved optimal performance with the following training architecture: (Extraction of most useful data features by the Adam optimizer with cross-entropy loss function, mini-batch size of 30, 80 iterations, initial learning rate of 0.001, ReLU activation function, k-folds for cross-validation twice.)

[0177] E. Dataset and Data Preprocessing

[0178] This study evaluated four public datasets provided by the Canadian Cyber ​​Security Institute: CIRA-CIC-DoHBrw-2020, NSL-KDD, and CICIDS2017. These datasets generate real-world network traffic activity, and recent and prevalent attacks include eavesdropping, brute-force SSH attacks, Denial of Service (DoS), web attacks, User-to-Remote (U2R), Man-in-the-Middle (MiTM), brute-force FTP attacks, Remote-to-Local (R2L) attacks, Heartbleed, DDoS, botnets, and intrusions. They were created for cybersecurity intrusion detection systems.

[0179] The development of IDS in the Industrial Internet of Things, particularly in specialized scenarios such as SCADA, has been significantly challenging due to the lack of system-specific datasets. Consequently, a testbed targeting this specific Industrial Control System (ICS) has been developed. This advancement was made to address the shortage of ICS datasets by providing datasets such as the ICS-SCADA dataset. This dataset was generated using a SCADA system testbed and is provided for SCADA cybersecurity research. Refer to Table 6 for the characteristics of the dataset.

[0180] (Table 6) Description of the characteristics of the ICS-SCADA dataset

[0181]

[0182] Data preprocessing is essential to obtain high-quality data before inputting it into the proposed model. Data preprocessing includes data cleaning and normalization, which were performed to ensure data integrity. Since the dataset was generated using standard web browsing behaviors for legitimate DoH traffic and Domain Name Service channeling procedures for malicious DoH traffic, it contains high-dimensional features.

[0184] 1) Data cleaning and normalization

[0185] The original dataset contains 28 features, some of which are non-contributing. Data cleaning removed irrelevant features to maintain a balance of 14 out of the 28 features. Empty values, NaN values, and infinity (∞) values ​​were also cleaned. Fields containing empty spaces and infinity (∞) values ​​in the columns were filled using the mean. This was done to ensure that the model receives only valid data. The Pearson Correlation Coefficient (PCC) was applied to the dataset because it contains strongly correlated features (see the correlation matrix in Fig. 5). This approach was necessary to reduce overfitting. For continuous variables with correlation scores between -1 and 1, variables with high correlation values ​​at a threshold of 0.7 were selected using PCC (see Equation 10). This helps improve model performance by selecting only relevant features. The selection of correlated variables based on the 0.7 threshold is shown in Fig. 6.

[0186]

[0187] - Q is the PCC, xi is the variable content of the dataset, is the average value of the x variable

[0188] - yi is the sample variable, is the average value of the y variable

[0190] The min-max scaler was the industry standard for measuring all data features to values ​​between [0, 1] or [-1, 1]. This allows for stable feature scaling despite outliers. Rescaling along negative values ​​of data features raised the variance to unit.

[0191] The SMOTE technique is used to balance data because the data contains an imbalanced distribution of class samples (where the total of one class is higher than that of another, see Fig. 7). In imbalanced datasets, the majority class samples are always biased, resulting in an abnormal dataset and consequently lower model performance in the minority class. However, the achievement in the minority class is significant.

[0192] This strategy is effective because it generates new valid data similar to existing minority class samples. However, this technique should be used cautiously because there is a possibility of sample ambiguity arising from class overlap without considering the majority class. The SMOTE technique is defined as a linear combination of two or more similar samples of the minority class (a) and (aR):

[0193]

[0194] Here, 0 < θ < 1; a R It is selected from among randomly selected neighbors in the prime class.

[0196] F. Experimental Environment

[0197] The proposed system was trained and tested on Google Colab using various Keras and Scikit-learn libraries. Of the total 499,672 data samples, 70% were used for training and the remaining 30% for testing. Additionally, 20% of the training set was allocated to validate the scheme during training (see Fig. 2). The Keras modelcheckpoint callback function was used to optimize the model by tracking and stopping model training when validation accuracy no longer improves. This method can be used on minicomputers and may not require high-end execution computers equipped with GPUs. All experiments were performed on an NVIDIA GeForce GTX 1050 with 8GB VRAM and a Windows 10 64-bit operating system.

[0198]

[0199]

[0200]

[0201]

[0202]

[0203]

[0204]

[0205]

[0206]

[0207]

[0208]

[0209]

[0210]

[0211]

[0212]

[0213]

[0215] G. Summary of the present invention

[0216] The hybrid framework proposed in this invention is a deep learning-based approach for classifying and characterizing encoded traffic of a SCADA (Supervisory Control and Data Acquisition) network.

[0218] A. Summary of Key Features

[0219] 1) Use mixed deep learning techniques

[0220] - CNN (Convolutional Neural Network) extracts spatial features from traffic data, and LSTM (Long-Term Short-Term Memory Network) performs the role of analyzing temporal patterns.

[0221] By combining CNN and LSTM, traffic patterns occurring in SCADA networks can be analyzed and encoded data can be effectively classified.

[0223] 2) Network traffic processing of mixed deep learning techniques

[0224] - Collect raw traffic data -> Preprocess collected traffic data -> Detect important patterns in CNN -> Improve prediction performance by considering the sequential flow of traffic in LSTM

[0226] 3) Advantages and Applications of the Hybrid Approach

[0227] - It has higher accuracy than existing single models and classifies encoded traffic more effectively.

[0228] The hybrid approach is applied for real-time anomaly detection and security enhancement in SCADA network environments. It plays a crucial role in improving network security in Industrial Control System (ICS) environments and offers superior performance compared to existing machine learning and deep learning models.

[0230] B. Network Architecture Structure of the CNN+LSTM Model

[0231] Based on Table 4, the architecture of the model of the present invention is described as follows.

[0232] 1) Input layer

[0233] 2) Batch Normalization Hierarchy

[0234] 3) First convolutional layer

[0235] 4) First Max Pooling Layer

[0236] 5) Second convolutional layer

[0237] 6) First aggregation hierarchy

[0238] 7) Second Max Pooling Layer

[0239] 8) Second aggregation hierarchy

[0240] 9) Average pooling hierarchy

[0241] 10) LSTM layer

[0242] 11) Flatten hierarchy

[0244] C. Method for Classification and Characterization of Encoded Traffic Using Hybrid Deep Learning in SCADA Networks

[0246] The classification and characterization method of encoded traffic using a hybrid deep learning approach in a SCADA network is configured as follows.

[0247] (S1) Step S1, which receives traffic data at the input layer;

[0248] (S2) Step S2, which performs batch normalization on the traffic received in Step S1;

[0249] (S3) Step S3, which performs convolution (12, 1*3 conv) with 12 kernels on batch-normalized data; - Batch-normalized data is passed to Steps S4 and S5 simultaneously -

[0250] (S4) Step S4 performs asymmetric convolution (12 1*3 conv, 12 1*3 conv, 12 1*3 conv) on the data received from Step S3, combines the convolved data, and then performs max pooling; - The result data from Step S4 is passed to Step S6 -

[0251] (S5) Step S5 performs symmetric convolution (12 1*3 conv, 12 1*3 conv) and max pooling on the data received from Step S3; - The result data from Step S5 is passed to Step S6 -

[0252] (S6) Step S6, which combines the data received from Steps S4 and S5.

[0253] (S7) Step S7, which performs convolution (1*1 Conv) with 12 kernels on the data combined in Step S6;

[0254] (S8) Step S8, which integrates the result data from Step S3 and the result data from Step S7 and performs average pooling;

[0255] (S9) Step S9, which analyzes the temporal features of the traffic data using the LSTM (Long Short-Term Memory) technique on the result data of Step S8;

[0257] (A-1) The above convolution is characterized by being calculated by the following formula.

[0258]

[0259] - a, b are the coordinates of the output matrix

[0260] - xj is the convolution kernel weight

[0261] - yj is the network traffic value of the input dataset

[0263] (A-2) The above convolution operation is characterized by further including a scalar bias input value by controlling the result.

[0264]

[0265] - q: Scalar bias input controlling the convolution result

[0266] - Za,b : Controlled result data for feature data a, b

[0268] (B) The above convolution is characterized by further including a ReLU (The rectified linear unit) operation to resolve the overfitting problem, and the ReLU function is calculated by the following formula.

[0269] ReLU generates 0 for values ​​less than 0 and passes values ​​greater than or equal to 0 as is.

[0271]

[0272] - P: Output feature

[0273] - h : ReLU function

[0275] (C1) The above max pooling is characterized by selecting the largest value to perform calculations in order to emphasize the most distinct pattern, and

[0276] (C2) The above average pooling is characterized by calculating an average value to maintain smooth features.

[0278] (D1) The above convolution is characterized by extracting spatial features from traffic data and learning the main patterns of traffic by applying multiple kernels.

[0279] (D2) The above LSTM analyzes temporal patterns and predicts current and future traffic flows based on past traffic patterns, thereby effectively detecting anomalies.

[0281] IV. Performance Evaluation

[0282] A. Parameter Indicators

[0283] This section demonstrates the performance of the proposed scheme in classifying network traffic (DoH or NonDoH) and detecting anomalies (normal or malicious) in network traffic. When measuring computational complexity in machine learning, direct (machine / environment-dependent) and indirect (FLOP: floating-point operation) metrics are used. Performance evaluation metrics are represented by equations (12), (13), (14), AUC, and (16). The proposed hybrid model for efficient classification and characterization (detection) performance was compared with studies, and the results of the confusion matrix measurement are shown in Table 7 and compared with computation time.

[0285] (Table 7) Confusion Matrix Measurement Results

[0286]

[0288] AUC is a metric that summarizes performance across all classification parameters. It ranges from 0 to 1 and is intended to evaluate the classification accuracy of a model regardless of the classification criteria used. An AUC value for a model with 100% incorrect classifications approaches 0.0, while an AUC value for a model with 100% correct classifications approaches 1.0.

[0289]

[0290]

[0291]

[0292]

[0293] Here, FN, TP, TN, and FP represent False Negative, True Positive, True Negative, and False Positive, respectively. Another evaluation metric considered in this invention is MCC. This is intended to evaluate the reliability of the accuracy of the classification. It is useful when a metric that is not affected by imbalanced datasets is needed. A disadvantage of relying on the Fl-score is that it can lead to overly optimistic results, especially in imbalanced datasets. To address this, a complete study and explanation of MCC as a viable alternative has been provided. MCC has a value between -1 and +1, representing a completely incorrect classification and a completely correct classification case, respectively. MCC is mathematically defined as in (16).

[0294]

[0295] B. Evaluation of Proposed Model Performance

[0296] The proposed model demonstrates excellent performance in classification and detection. The proposed scheme can classify encoded network traffic into DoH or NonDoH based on high precision, recall, and Fl-score values. However, there is a need to improve the classification capability of encoded traffic. Traffic classification accuracy requires improvement when compared to characterization accuracy. Figure 8 shows the confusion matrix of the proposed CNN-LSTM scheme for encoded traffic classification and provides the error matrix between the predicted and actual results. As can be seen from the results, the proposed CNN-LSTM scheme shows promise in detecting and classifying encoded traffic with minimal misclassification. It is worth noting that encoded DNS traffic features more sophisticated, high-volume application layer attacks. Next, Figure 9 shows the confusion matrix illustrating the performance of the proposed model in characterizing normal and malicious network traffic with 98.88% and 99.68%, respectively. However, to address the potential for sample ambiguity and bias in misleading results caused by data balancing using the SMOTE technique, the proposed model evaluated the dataset without balancing. Referring to Section Fig. 10, high precision of 95.67% for normal detection and 99.45% for malicious detection is demonstrated. Model performance on both balanced and unbalanced datasets shows that the integration of CNN and LSTM networks significantly improves the model's ability to recognize complex features in spatial and sequential domains. The hybrid architecture excels at capturing complex patterns and provides high-accuracy performance as well as a deep understanding of behavior and misclassification cases. By verifying the effectiveness of the hybrid CNN-LSTM classification model in processing complex data patterns, this invention demonstrates that it is a promising approach for various classification tasks across diverse domains. The insights gained from this invention pave the way for future improvements to the hybrid model and its application in real-world scenarios.

[0298] C. Reliability Test of Proposed Model Performance

[0299] The reliability of the proposed hybrid DL model was verified by evaluating the ICS-SCADA, NSL-KDD, and CICIDS2017 datasets. The proposed model demonstrated significant performance in terms of improved detection accuracy and reduced computation time. Tables 8 and 9 illustrate the significance of model performance for training and test simulations.

[0300] (Table 8)

[0301]

[0302] (Table 9)

[0303]

[0305] Figures 11 and 12 show the accuracy and loss performance of the proposed model on the ICS-SCADA dataset. These graphs visually represent the model training performance over epochs, indicating the importance of achieving high accuracy.

[0306] Figure 13 is a confusion matrix showing the performance of the proposed model on ICS-SCADA binary and three-class datasets. This demonstrates that the proposed model has significant performance in detecting attacks, normals, and zero-day attacks. This model demonstrates its applicability to intrusion detection in IIoT (SCADA) communication networks.

[0307] In addition, Figure 14 shows that the proposed model outperforms existing studies in accuracy and execution time. This further validates the suitability of the proposed model on multi-class datasets.

[0309] D. Comparative Analysis of Proposed Models on the Latest Dataset

[0310] Table 10 shows the performance of the proposed model compared to the latest model.

[0311] (Table 10)

[0312]

[0313] This is a report on parameter metrics, accuracy, precision, recall, AUC, and training and test times based on dataset usage related to the latest cybersecurity and SCADA datasets. Compared to a study on the CICIDS2017 dataset, the detection accuracy was 99.03%, the training time was 85,255.63 seconds, and the test time was 15,313.1036 seconds. Using the same dataset, the proposed model demonstrated an improved detection accuracy of 99.73%, a reduction in training time of 589.40 seconds, and a test time of 0.000297 seconds. In the evaluation of the NSL-KDD dataset for various attack types, the proposed model demonstrated excellent performance, recording a detection accuracy of 97.51% and minimum training and test times of 500.51 seconds and 0.000136 seconds, respectively. Furthermore,

[0314] As shown in the table, the proposed model outperformed all other models in terms of the combined benefit of parameter metrics. However, the study using the NSL-KDD dataset recorded a computation time of 61 seconds and low accuracy (89.23%), precision (86.86%), and recall (88.58%), and AUC values ​​were not considered. To reduce computation time, the authors attempted to achieve a faster model by converting the standardized dataset into images. However, this approach is not considered a fair comparison as it is not applicable to real-world scenarios.

[0316] According to the comparative analysis, an in-depth investigation into the performance of the proposed hybrid DL model reveals improved and enhanced performance compared to recent studies in terms of the combined benefits of parameter metrics. On the latest high-dimensional CIRA-CIC-DoHBrw-2020 cybersecurity dataset, the proposed scheme demonstrated high detection accuracy, precision, recall, and AUC in classifying and characterizing attacks in encoded SCADA network traffic communications. As described in Section IV-A, the resilience and reliability of the proposed model were investigated using MCC to address the drawbacks caused by reliance on Fl-scores and to block overfitting tendencies.

[0317] (Table 11)

[0318]

[0319] Table 11 demonstrates that the MCC performance of the proposed model was consistent across all dataset options. This metric validates the detection accuracy of the proposed model, confirming the absence of bias caused by overfitting. Furthermore, it verifies the applicability of the proposed model in real-world scenarios involving imbalanced data. As seen in the evaluation results from NSLKDD and CICIDS2017, the proposed model demonstrates the ability to precisely detect multiple attack types. Additionally, in a SCADA environment, the proposed model exhibited performance on the high-dimensional ICS-SCADA dataset with the combined benefits of high precision of 99.30%, accuracy of 99.35%, recall of 99.30%, and an AUC of 0.9972, along with minimal training and testing times of 265.17 seconds and 0.000252 seconds, respectively.

[0321] V. Conclusion

[0322] The present invention proposes a CNN-LSTM hybrid model that accurately classifies network traffic into DoH or NonDoH and indicates whether the traffic is normal, malicious, or zero-day.

[0323] The CNN is designed to extract key features from network traffic, and these features are input into an LSTM for effective classification. Through max and mean pooling, we were able to extract important features from the feature map based on filter size and stride. This helped reduce computational costs. The model's batch normalization enables faster convergence with minimal computational complexity, regardless of the amount of network data. These features enabled the rapidity of the proposed model, improving stability and minimizing execution time. A dropout layer protected the model from overfitting. Consequently, the robustness of the network was enhanced. The research results also demonstrated that the proposed hybrid model reduces computational complexity while increasing precision and accuracy. Simulation results show that the proposed approach demonstrates efficiency across the evaluated datasets, exhibiting high detection accuracy, precision, recall, minimum execution time, AUC, and MCC. The proposed hybrid model showed superior performance on large and sparse datasets compared to previous models. Reliability tests using four public datasets indicate that the proposed model can be applied to any network system in real time. Future research directions include introducing Gaussian noise into the model and investigating computational costs.

[0325] As described above, although the present invention has been described with reference to preferred embodiments with reference to the accompanying drawings, it is evident to those skilled in the art that many obvious variations are possible from this description without departing from the scope of the invention. Accordingly, the scope of the invention should be interpreted by the claims described to include examples of such many variations.

Claims

Claim 1 A method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network, comprising: (S1) a step S1 for receiving traffic data; (S2) a step S2 for performing batch normalization on the traffic received in step S1; (S3) a step S3 for performing convolution on the batch-normalized data from step S2; -the batch-normalized data is transmitted in parallel to steps S4 and S5 simultaneously- (S4) a step S4 for performing asymmetric convolution on the data received in step S3, combining the convolutioned data, and then performing max pooling; -the result data from step S4 is transmitted to step S6- (S5) a step S5 for performing symmetric convolution on the data received in step S3 and performing max pooling; -the result data from step S5 is transmitted to step S6- (S6) a step S6 for combining the data received in steps S4 and S5; (S8) a step S8 for integrating the result data from step S3 and the result data from step S6 and performing average pooling; A method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network, characterized by including: (S9) a step of analyzing temporal features of traffic data using a Long Short-Term Memory (LSTM) technique on the result data of step S8. Claim 2 A method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network, wherein, in claim 1, step S6 is characterized by performing convolution on combined data. Claim 3 A method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network, wherein, in order to resolve the overfitting problem after the convolution according to claim 1 or claim 2, it further includes a ReLU (The rectified linear unit) operation that generates 0 for values ​​less than 0 calculated by the following formula (9) on the data and passes values ​​greater than or equal to 0 as they are, wherein formula (9) is h(P) = P (if P≥0) and h(P) = 0 (if P<0) (where P: output feature, h: ReLU function). Claim 4 A method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network, wherein, in claim 1 or claim 2, the max pooling is characterized by selecting and performing calculations on the largest value to emphasize the most distinct pattern, and the average pooling is characterized by calculating an average value to maintain smooth features. Claim 5 A method for classifying and characterizing encoded traffic using a hybrid deep learning method in a SCADA network, wherein, in claim 1 or claim 2, the convolution is characterized by extracting spatial features from traffic data and learning major patterns of traffic by applying a plurality of kernels, and the LSTM is characterized by analyzing temporal patterns to predict current and future traffic flows based on past traffic patterns, thereby effectively detecting anomalies.