Simon D. Duque Anton,Daniel Fraunholz,Hans Dieter Schotten

DOI: https://doi.org/10.1145/3339252.3341476

2019-07-09

Abstract:Until two decades ago, industrial networks were deemed secure due to physical separation from public networks. An abundance of successful attacks proved that assumption wrong. Intrusion detection solutions for industrial application need to meet certain requirements that differ from home- and office-environments, such as working without feedback to the process and compatibility with legacy systems. Industrial systems are commonly used for several decades, updates are often difficult and expensive. Furthermore, most industrial protocols do not have inherent authentication or encryption mechanisms, allowing for easy lateral movement of an intruder once the perimeter is breached. In this work, an algorithm for motif discovery in time series, Matrix Profiles, is used to detect outliers in the timing behaviour of an industrial process. This process was monitored in an experimental environment, containing ground truth labels after attacks were performed. Furthermore, the graph representations of a different industrial data set that has been emulated are used to detect malicious activities. These activities can be derived from anomalous communication patterns, represented as edges in the graph. Finally, an integration concept for both methods is proposed.

Cryptography and Security,Information Retrieval

Simon D. Duque Anton,Sapna Sinha,Hans Dieter Schotten

DOI: https://doi.org/10.23919/softcom.2019.8903672

2019-09-01

Abstract:Attacks on industrial enterprises are increasing in number as well as in effect. Since the introduction of industrial control systems in the 1970’$s$, industrial networks have been the target of malicious actors. More recently, the political and warfare-aspects of attacks on industrial and critical infrastructure are becoming more relevant. In contrast to classic home and office IT systems, industrial IT, so-called OT systems, have an effect on the physical world. Furthermore, industrial devices have long operation times, sometimes several decades. Updates and fixes are tedious and often not possible. The threats on industry with the legacy requirements of industrial environments creates the need for efficient intrusion detection that can be integrated into existing systems. In this work, the network data containing industrial operation is analysed with machine learning- and time series-based anomaly detection algorithms in order to discover the attacks introduced to the data. Two different data sets are used, one Modbus-based gas pipeline control traffic and one OPC UA-based batch processing traffic. In order to detect attacks, two machine learning-based algorithms are used, namely SVM and Random Forest. Both perform well, with Random Forest slightly outperforming SVM. Furthermore, extracting and selecting features as well as handling missing data is addressed in this work.

Simon D. Duque Anton,Anna Pia Lohfink,Christoph Garth,Hans Dieter Schotten

DOI: https://doi.org/10.1145/3360664.3360669

2019-09-09

Abstract:Due to the fourth industrial revolution, industrial applications make use of the progress in communication and embedded devices. This allows industrial users to increase efficiency and manageability while reducing cost and effort. Furthermore, the fourth industrial revolution, creating the so-called Industry 4.0, opens a variety of novel use and business cases in the industrial environment. However, this progress comes at the cost of an enlarged attack surface of industrial companies. Operational networks that have previously been phyiscally separated from public networks are now connected in order to make use of new communication capabilites. This motivates the need for industrial intrusion detection solutions that are compatible to the long-term operation machines in industry as well as the heterogeneous and fast-changing networks. In this work, process data is analysed. The data is created and monitored on real-world hardware. After a set up phase, attacks are introduced into the systems that influence the process behaviour. A time series-based anomaly detection approach, the Matrix Profiles, are adapted to the specific needs and applied to the intrusion detection. The results indicate an applicability of these methods to detect attacks in the process behaviour. Furthermore, they are easily integrated into existing process environments. Additionally, one-class classifiers One-Class Support Vector Machines and Isolation Forest are applied to the data without a notion of timing. While Matrix Profiles perform well in terms of creating and visualising results, the one-class classifiers perform poorly.

Cryptography and Security

Congqi Shen,Geyang Xiao,Shaofeng Yao,Boyang Zhou,Zhongxia Pan,Hong Zhang

DOI: https://doi.org/10.1109/spac53836.2021.9539933

2021-01-01

Abstract:Current Industrial Internet faces serious threats where attackers propagate malicious flows, resulting in communication failures in the Industrial Internet. In this work, we propose a practical and novel method to detect malicious traffic attack in real time with high accuracy. Our primary idea is to capture network flow, extract adequate network flow features, construct a long short-term memory (LSTM) based deep learning model, and identify the property of the corresponding network flow. Whether the network suffers attack or not is then determined according to the detection results. The corresponding prototype is also implemented in the Industrial Internet which is equipped with Software Defined Networking (SDN). Experimental results validate that the proposed method is effective in defending against malicious traffic attack in real-world network.

Gauthama Raman M. R.,Chuadhry Mujeeb Ahmed,Aditya Mathur

DOI: https://doi.org/10.1186/s42400-021-00095-5

2021-08-02

Abstract:Abstract Gradual increase in the number of successful attacks against Industrial Control Systems (ICS) has led to an urgent need to create defense mechanisms for accurate and timely detection of the resulting process anomalies. Towards this end, a class of anomaly detectors, created using data-centric approaches, are gaining attention. Using machine learning algorithms such approaches can automatically learn the process dynamics and control strategies deployed in an ICS. The use of these approaches leads to relatively easier and faster creation of anomaly detectors compared to the use of design-centric approaches that are based on plant physics and design. Despite the advantages, there exist significant challenges and implementation issues in the creation and deployment of detectors generated using machine learning for city-scale plants. In this work, we enumerate and discuss such challenges. Also presented is a series of lessons learned in our attempt to meet these challenges in an operational plant.

computer science, information systems, interdisciplinary applications, software engineering

Xinghua Li,Mengfan Xu,Pandi Vijayakumar,Neeraj Kumar,Ximeng Liu

DOI: https://doi.org/10.1109/tvt.2020.2995133

IF: 6.8

2020-01-01

IEEE Transactions on Vehicular Technology

Abstract:The increasingly sophisticated cyber attacks have become a serious challenge for Industrial Internet of Things (IIoT), which presents two new characteristics: low frequency and multi-stage. That is, hackers could gain authority to attack industrial equipment/infrastructure gradually in a long interval through lurking, lateral intrusion and privilege escalation. While, the existing Machine Learning (ML) based intrusion detection schemes all require the participation of expert knowledge, so it is difficult to adaptively select an attack interval and a retraining period of the detection model in IIoT, resulting in poor detection performance. To solve above problems, a bidirectional long and short-term memory network with multi-feature layer (B-MLSTM) is designed. Firstly, sequence and stage feature layers are introduced in the model training phase model which can learn the corresponding attack interval from historical data, so that the model can effectively detect attacks with different intervals. Then, a double-layer reverse unit is introduced to update the detection model. By collecting information from test data and making association analysis with historical data, the retraining period is adaptively selected to match the new attack interval. Compared with the previous works, our proposed scheme has a lower false positive rate than existing schemes by at least 46.79%, and the false negative rate is reduced by at least 79.85%, which are carried out on three classic IIoT datasets.

Muhammad Azmi Umer,Khurum Nazir Junejo,Muhammad Taha Jilani,Aditya P. Mathur

DOI: https://doi.org/10.48550/arXiv.2202.11917

2022-02-24

Cryptography and Security

Abstract:Methods from machine learning are being applied to design Industrial Control Systems resilient to cyber-attacks. Such methods focus on two major areas: the detection of intrusions at the network-level using the information acquired through network packets, and detection of anomalies at the physical process level using data that represents the physical behavior of the system. This survey focuses on four types of methods from machine learning in use for intrusion and anomaly detection, namely, supervised, semi-supervised, unsupervised, and reinforcement learning. Literature available in the public domain was carefully selected, analyzed, and placed in a 7-dimensional space for ease of comparison. The survey is targeted at researchers, students, and practitioners. Challenges associated in using the methods and research gaps are identified and recommendations are made to fill the gaps.

Junhui Cai,Qianmu Li

DOI: https://doi.org/10.1109/pic50277.2020.9350752

2020-01-01

Abstract:In order to improve production and management efficiency, traditional industrial control systems are gradually connected to the Internet, and more likely to use advanced modern information technologies, such as cloud computing, big data technology, and artificial intelligence. Industrial control system is widely used in national key infrastructure. Meanwhile, a variety of attack threats and risks follow, and once the industrial control network suffers maliciously attack, the loss caused is immeasurable. In order to improve the security and stability of the industrial Internet, this paper studies the industrial control network traffic threat identification technology based on machine learning methods, including GK-SVDD, RNN and KPCA reconstruction error algorithm, and proposes a heuristic method for selecting Gaussian kernel width parameter in GK-SVDD to accelerate real-time threat detection in industrial control environments. Experiments were conducted on two public industrial control network traffic datasets. Compared with the existing methods, these methods can obtain faster detection efficiency and better threat identification performance.

Sahar Soliman,Wed Oudah,Ahamed Aljuhani

DOI: https://doi.org/10.1016/j.aej.2023.09.023

2023-09-21

AEJ - Alexandria Engineering Journal

Abstract:The widespread deployment of the Internet of Things (IoT) into critical sectors such as industrial and manufacturing has resulted in the Industrial Internet of Things (IIoT). The IIoT consists of sensors, actuators, and smart devices that communicate with one another to optimize manufacturing and industrial processes. Although IIoT provides various benefits to both service providers and consumers, security and privacy remain a big challenge. An intrusion detection system (IDS) has been utilized to mitigate cyberattacks in such a connected network. However, many existing solutions for IDS in IIoT suffer from the lack of comprehensiveness of the types of attack the network is exposed to, high feature dimension, models built on out-of-date datasets, and a lack of focus on the problem of imbalanced datasets. To address the aforementioned issues, we propose an intelligent detection system for identifying cyberattacks in Industrial IoT networks. The proposed model uses the singular value decomposition (SVD) technique to reduce data features and improve detection results. We use the synthetic minority over-sampling (SMOTE) technique to avoid over-fitting and under-fitting issues that result in biased classification. Several machine learning and deep learning algorithms have been implemented to classify data for binary and multi-class classification. We evaluate the efficacy of the proposed intelligent model on ToN_IoT dataset. The proposed approach achieved an accuracy rate of 99.99% and a reduced error rate of 0.001% for binary classification, and an accuracy rate of 99.98% and a reduced error rate of 0.016% for multi-class classification.

Simon Duque Anton,Suneetha Kanoor,Daniel Fraunholz,Hans Dieter Schotten

DOI: https://doi.org/10.1145/3230833.3232818

2019-05-28

Abstract:In the context of the Industrial Internet of Things, communication technology, originally used in home and office environments, is introduced into industrial applications. Commercial off-the-shelf products, as well as unified and well-established communication protocols make this technology easy to integrate and use. Furthermore, productivity is increased in comparison to classic industrial control by making systems easier to manage, set up and configure. Unfortunately, most attack surfaces of home and office environments are introduced into industrial applications as well, which usually have very few security mechanisms in place. Over the last years, several technologies tackling that issue have been researched. In this work, machine learning-based anomaly detection algorithms are employed to find malicious traffic in a synthetically generated data set of Modbus/TCP communication of a fictitious industrial scenario. The applied algorithms are Support Vector Machine (SVM), Random Forest, k-nearest neighbour and k-means clustering. Due to the synthetic data set, supervised learning is possible. Support Vector Machine and k-nearest neighbour perform well with different data sets, while k-nearest neighbour and k-means clustering do not perform satisfactorily.

Cryptography and Security,Machine Learning

Simon D. Duque Anton,Mathias Strufe,Hans Dieter Schotten

DOI: https://doi.org/10.48550/arXiv.1905.05984

2019-05-15

Cryptography and Security

Abstract:The concept of Industry 4.0 brings a disruption into the processing industry. It is characterised by a high degree of intercommunication, embedded computation, resulting in a decentralised and distributed handling of data. Additionally, cloud-storage and Software-as-a-Service (SaaS) approaches enhance a centralised storage and handling of data. This often takes place in third-party networks. Furthermore, Industry 4.0 is driven by novel business cases. Lot sizes of one, customer individual production, observation of process state and progress in real-time and remote maintenance, just to name a few. All of these new business cases make use of the novel technologies. However, cyber security has not been an issue in industry. Industrial networks have been considered physically separated from public networks. Additionally, the high level of uniqueness of any industrial network was said to prevent attackers from exploiting flaws. Those assumptions are inherently broken by the concept of Industry 4.0. As a result, an abundance of attack vectors is created. In the past, attackers have used those attack vectors in spectacular fashions. Especially Small and Mediumsized Enterprises (SMEs) in Germany struggle to adapt to these challenges. Reasons are the cost required for technical solutions and security professionals. In order to enable SMEs to cope with the growing threat in the cyberspace, the research project IUNO Insec aims at providing and improving security solutions that can be used without specialised security knowledge. The project IUNO Insec is briefly introduced in this work. Furthermore, contributions in the field of intrusion detection, especially machine learning-based solutions, for industrial environments provided by the authors are presented and set into context.

Mohanad Sarhan,Siamak Layeghy,Marius Portmann

DOI: https://doi.org/10.48550/arXiv.2108.12732

2022-11-23

Abstract:Internet of Things (IoT) networks have become an increasingly attractive target of cyberattacks. Powerful Machine Learning (ML) models have recently been adopted to implement network intrusion detection systems to protect IoT networks. For the successful training of such ML models, selecting the right data features is crucial, maximising the detection accuracy and computational efficiency. This paper comprehensively analyses feature sets' importance and predictive power for detecting network attacks. Three feature selection algorithms: chi-square, information gain and correlation, have been utilised to identify and rank data features. The attributes are fed into two ML classifiers: deep feed-forward and random forest, to measure their attack detection performance. The experimental evaluation considered three datasets: UNSW-NB15, CSE-CIC-IDS2018, and ToN-IoT in their proprietary flow format. In addition, the respective variants in NetFlow format were also considered, i.e., NF-UNSW-NB15, NF-CSE-CIC-IDS2018, and NF-ToN-IoT. The experimental evaluation explored the marginal benefit of adding individual features. Our results show that the accuracy initially increases rapidly with adding features but converges quickly to the maximum. This demonstrates a significant potential to reduce the computational and storage cost of intrusion detection systems while maintaining near-optimal detection accuracy. This has particular relevance in IoT systems, with typically limited computational and storage resources.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Simon Duque Anton,Daniel Fraunholz,Stephan Teuber,Hans Dieter Schotten

DOI: https://doi.org/10.1109/CTTE.2017.8260938

2019-05-28

Abstract:Due to the fourth industrial revolution, and the resulting increase in interconnectivity, industrial networks are more and more opened to publicly available networks. Apart from the huge benefit in manageability and flexibility, the openness also results in a larger attack surface for malicious adversaries. In comparison to office environments, industrial networks have very high volumes of data. In addition to that, every delay will most likely lead to loss of revenue. Hence, intrusion detection systems for industrial applications have different requirements than office-based intrusion detection systems. On the other hand, industrial networks are able to provide a lot of contextual information due to manufacturing execution systems and enterprise resource planning. Additionally, industrial networks tend to be more uniform, making it easier to determine outliers. In this work, an abstract simulation of industrial network behaviour is created. Malicious actions are introduced into a set of sequences of valid behaviour. Finally, a context-based and context-less intrusion detection system is used to find the attacks. The results are compared and commented. It can be seen that context information can help in identifying malicious actions more reliable than intrusion detection with only one source of information, e.g. the network.

Cryptography and Security

Tarek Gaber,Joseph B. Awotunde,Sakinat O. Folorunso,Sunday A. Ajagbe,Esraa Eldesouky

DOI: https://doi.org/10.1155/2023/3939895

2023-05-01

Wireless Communications and Mobile Computing

Abstract:The emergence of the Internet of Things (IoT) has witnessed immense growth globally with the use of various devices found in home, transportation, healthcare, and industry. The deployment and implementation of the IoT paradigm in industrial settings lead to the architectural changes of Industrial Automation and Control Systems (IACS) plus the countless connectivity of industrial systems. This resulted in what is referred to as the Industrial Internet of Things (IIoT), which removes the barrier of connecting IACS to isolated conventional ICT platforms. In recent times, the IoT has started hacking our personal lives and not only our world, thus creating a platform for impending IoT cyberattacks. The widespread use of the IoT has created a rich platform for possible IoT cyberattacks. Machine learning (ML) algorithms have been driven solutions to secure wireless communication in IIoT-based systems, and their use in solving various cybersecurity challenges. Therefore, this paper proposes a novel intrusion detection model based on the Particle Swarm Optimization (PSO) and Bat algorithm (BA) for feature selection, and the Random Forest (RF) classifier for the classification of malicious behaviors in IIoT-based network traffic. An IIoT-based cybersecurity dataset, WUSTL-IIOT-2021 Dataset, was used to evaluate the performance of the proposed model using accuracy, recall, precision, and F1-score. The results of the two feature selection were compared to identify the most promising one. The results were compared with other recent state-of-the-art ML and multiobjective algorithms, and the results showed better performance. The RF along with BA classifier had proved to be the best classifier.

computer science, information systems,telecommunications,engineering, electrical & electronic

Muhammad U. Ilyas,Soltan Abed Alharbi

DOI: https://doi.org/10.1007/s00607-021-01050-5

2022-01-04

Computing

Abstract:All organizations, be they businesses, governments, infrastructure or utility providers, depend on the availability and functioning of their computers, computer networks and data centers for all or part of their operations. Network intrusion detection systems are the first line of defense that protect computing infrastructure from external attacks. In this study we develop five different Machine Learning classifiers for a number of attacks. We used the CSE-CIC-IDS2018 dataset, developed in a collaborative effort between the Communications Security Establishment and the Canadian Institute for Cybersecurity. It is an extensive network traffic trace dataset that captures multiple attacks and has become available relatively recently. The previous major dataset used for the development of network intrusion detection systems is the KDD Cup’99 dataset, now going on 22 years, which predates mobile computing, Web 2.0/3.0, social media, streaming video and widespread use of SSL. These significant Internet trends of the last two decades demand a reevaluation and redevelopment of intrusion detectors. Prior studies that designed Machine Learning classifiers using the CSE-CIC-IDS2018 dataset use a large and rich set of features, of which at least one is not dataset-invariant. Almost none have explored the appropriateness of using all available features with datasets containing only a few hundred attack class samples. The classifiers developed in this study rely on a justifiable number of features and their performance is reviewed for stability and generalization by reporting not just average performance over 10 fold cross-validation but also the degree of variation from one fold to the next.

computer science, theory & methods

Hussain Nizam,Samra Zafar,Zefeng Lv,Fan Wang,Xiaopeng Hu

DOI: https://doi.org/10.1109/jsen.2022.3211874

IF: 4.3

2022-12-03

IEEE Sensors Journal

Abstract:The data produced by millions of connected devices and smart sensors in the Industrial Internet of Things (IIoT) is highly dynamic, large-scale, heterogeneous, and time-stamped. These time-stamped data are the core of IIoT automation and have the potential to affect industrial processes intensely. It poses significant challenges to effectively detect anomalies from time-series data and deliver actionable insights in real time to drive improvements to industrial processes. In most practical applications, where data are used to make automated decisions, real-time anomaly detection is critical. With this focus, in this article, we advise a hybrid end-to-end deep anomaly detection (DAD) framework to accurately detect anomalies and extremely rare events on sensitive, Internet of Things (IoT) streaming data in real time or near real time. The proposed framework is based on a convolutional neural network (CNN) and a two-stage long short-term memory (LSTM)-based Autoencoder (AE). We exploit a two-stage LSTM AE in parallel to detect anomalies and extremely rare events hidden in massive sensor data by identifying short- and long-term variations in actual sensor values from the predicted values. We design and train a hybrid model using the Keras/TensorFlow framework as the backend. The experimental results on one simulation and two real datasets demonstrate that the proposed framework achieved better performance and outperforms other state-of-the-art competitive models. Moreover, to prove that the proposed model can be designed for the network edge, we train, optimize, and quantize the model to run-on resource-constrained (i.e., edge) devices. Further evaluation indicates that the training and inference time for each sample is short enough to carry out anomaly detection on edge.

engineering, electrical & electronic,instruments & instrumentation,physics, applied

Simon D. Duque Antón,Hans Dieter Schotten

DOI: https://doi.org/10.48550/arXiv.1905.11701

2019-05-28

Cryptography and Security

Abstract:Besides the advantages derived from the ever present communication properties, it increases the attack surface of a network as well. As industrial protocols and systems were not designed with security in mind, spectacular attacks on industrial systems occurred over the last years. Most industrial communication protocols do not provide means to ensure authentication or encryption. This means attackers with access to a network can read and write information. Originally not meant to be connected to public networks, the use cases of Industry 4.0 require interconnectivity, often through insecure public networks. This lead to an increasing interest in information security products for industrial applications. In this work, the concept for holistic intrusion detection methods in an industrial context is presented. It is based on different works considering several aspects of industrial environments and their capabilities to identify intrusions as an anomaly in network or process data. These capabilities are based on preceding experiments on real and synthetic data. In order to justify the concept, an overview of potential and actual attack vectors and attacks on industrial systems is provided. It is shown that different aspects of industrial facilities, e.g. office IT, shop floor OT, firewalled connections to customers and partners are analysed as well as the different layers of the automation pyramid require different methods to detect attacks. Additionally, the singular steps of an attack on industrial applications are characterised. Finally, a resulting concept for integration of these methods is proposed, providing the means to detect the different stages of an attack by different means.

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Maede Zolanvari,Marcio A. Teixeira,Lav Gupta,Khaled M. Khan,Raj Jain

DOI: https://doi.org/10.48550/arXiv.1911.05771

2019-11-14

Abstract:It is critical to secure the Industrial Internet of Things (IIoT) devices because of potentially devastating consequences in case of an attack. Machine learning and big data analytics are the two powerful leverages for analyzing and securing the Internet of Things (IoT) technology. By extension, these techniques can help improve the security of the IIoT systems as well. In this paper, we first present common IIoT protocols and their associated vulnerabilities. Then, we run a cyber-vulnerability assessment and discuss the utilization of machine learning in countering these susceptibilities. Following that, a literature review of the available intrusion detection solutions using machine learning models is presented. Finally, we discuss our case study, which includes details of a real-world testbed that we have built to conduct cyber-attacks and to design an intrusion detection system (IDS). We deploy backdoor, command injection, and Structured Query Language (SQL) injection attacks against the system and demonstrate how a machine learning based anomaly detection system can perform well in detecting these attacks. We have evaluated the performance through representative metrics to have a fair point of view on the effectiveness of the methods.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Ying-xu LAI,Jiao JIAO

DOI: https://doi.org/10.11936/bjutxb2014040009

2015-01-01

Abstract:To improve the detecting accuracy of malicious traffic in industrial control systems ( ICS) , an innovative approach based on structural time series model is proposed. Industrial Ethernet traffic can be decomposed into four components. Each component is established by a state space model respectively, which brings out high fitting precision. Therefore compared with X-12, the average positive rate of this method increases by 38%. In the meanwhile, this method provides a way to decrease false positive rate and time complexity.