Authors
Song Son Ha, Florian Foerster, Henry Beuster, Tim Kittel, Dominik Merli, Gerd Scholl
Abstract
Machine learning (ML)-based intrusion detection systems (IDSs) are increasingly used to monitor encrypted industrial communication. However, their behavior under realistic private 5G operating conditions remains insufficiently understood. This paper investigates the impact of benign connectivity variations on ML-based IDSs for encrypted Open Platform Communications Unified Architecture (OPC UA) traffic in industrial private 5G networks. Experimental results show that legitimate connectivity events can noticeably increase false positive activity despite the absence of attacks. Furthermore, elevated IDS anomaly scores frequently coincide with periods of control-plane (CP) activity associated with these events. The findings highlight the importance of considering CP context when interpreting IDS outputs in industrial private 5G environments.