Entropy Analysis for Modbus Traffic over TCP/IP in Industrial Control Systems

Logan Day¹, Tirthankar Ghosh¹, Sikha Bagui¹, Subhash Bagui¹
¹ University of West Florida
ldd14@students.uwf.edu, tghosh@uwf.edu, bagui@uwf.edu, sbagui@uwf.edu

Abstract

Anomalies in network traffic are usually detected by measuring unexpected deviation from what constitutes a baseline. Several statistical techniques have been proposed to create baselines and measure deviation. However, simply looking at traffic volume to find anomalous deviation may result in increased false positives. Traffic feature distributions need to be created, and deviations need to be measured for these features. An effective approach to finding anomalous deviations starts with entropy analysis on these features. In this paper, we present an initial entropy analysis on an industrial control system network using selected features with datasets obtained from an HVAC system. We started with the fundamental question: does a preliminary entropy analysis on Modbus-over-TCP data, using only a few TCP/IP features without going into the Modbus traffic itself, give us information about an anomaly in the network? We acknowledge that the initial entropy analysis provides only a starting point that would lead to several questions and to investigating relevant issues, resulting in an optimal system design and implementation.*

1 Introduction

Industrial Control Systems (ICS) are networks of devices used in critical infrastructure and industrial environments for control of physical processes. These networks typically span a large geographic area; examples of such systems are water distribution systems, gas pipelines, and power transmission systems. An ICS can be a large multifaceted infrastructure like a Supervisory Control and Data Acquisition (SCADA) system, which collects data and processes it in a centralized environment where it can be viewed and interacted with.
There are simpler configurations of industrial control systems as well that are more readily available to any system with lesser changes to an already-

* This work is partially supported by the Office of Naval Research (ONR) under grant number N00014-21-1-2025.

EPiC Series in Computing, Volume 82, 2022, Pages 63–71
Proceedings of 37th International Conference on Computers and Their Applications
B. Gupta, A. Bandi and M. Hossain (eds.), CATA2022 (EPiC Series in Computing, vol. 82), pp. 63–71
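The windowed entropy analysis the abstract describes, as an added example that is not code from the paper: it computes the Shannon entropy of a few TCP/IP header features per time window and flags windows that deviate from a baseline. The feature set (source address, destination port, packet length), the 10-second window, the threshold rule and every packet record are assumptions constructed for illustration.

```python
import math
from collections import Counter
from statistics import mean, pstdev

FEATURES = ("src", "dport", "length")  # assumed feature set, not the paper's

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def window_entropies(packets, window=10.0, features=FEATURES):
    """Bucket packets into fixed time windows and score each feature."""
    buckets = {}
    for p in packets:
        buckets.setdefault(int(p["ts"] // window), []).append(p)
    return {w: {f: shannon_entropy([p[f] for p in pkts]) for f in features}
            for w, pkts in sorted(buckets.items())}

def flag_anomalies(entropies, baseline, k=3.0, floor=0.05):
    """Return (window, feature, entropy) where entropy is more than k
    standard deviations from the baseline mean. Regular polling gives a
    near-zero deviation, so `floor` keeps tiny jitter from alerting."""
    alerts = []
    for f in next(iter(entropies.values())):
        base = [entropies[w][f] for w in baseline]
        mu, sigma = mean(base), max(pstdev(base), floor)
        for w, h in entropies.items():
            if w not in baseline and abs(h[f] - mu) > k * sigma:
                alerts.append((w, f, round(h[f], 3)))
    return sorted(alerts)

def build_sample():
    """Constructed traffic: one master polling two Modbus/TCP devices on
    port 502 for five windows; in window 4 an unfamiliar host appears."""
    pkts = [{"ts": w * 10 + i * 0.5, "src": "10.0.0.5",
             "dst": f"10.0.0.{10 + i % 2}", "dport": 502, "length": 66}
            for w in range(5) for i in range(20)]
    pkts += [{"ts": 40 + i * 0.5, "src": "10.0.0.99", "dst": "10.0.0.10",
              "dport": 1000 + i, "length": 60} for i in range(20)]
    return pkts

def detect_sample():
    """Windows 0-2 form the baseline; windows 3 and 4 are scored."""
    return flag_anomalies(window_entropies(build_sample()), baseline={0, 1, 2})

if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

Window 3 matches the baseline and raises nothing, while window 4 is flagged on all three features even though its packet count only doubles, which is the case a volume-only threshold handles poorly.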