Shangqing Cui,Dongqin Feng

DOI: https://doi.org/10.1109/icpeca56706.2023.10076096

2023-01-01

Abstract:With the application of Internet technologies in the industrial field, industrial control systems (ICS) have the possibility of suffering malicious network attacks. Because ICS is widely used in critical infrastructure, designing attack detection algorithms for it can effectively reduce losses. Many papers have built physical models for cyber-attacks against ICS and the corresponding detection algorithms have been proposed. However, the detection performance can be further improved. This paper establishes the simulation attack on the Tennessee Eastman (TE) process and proposes an improved support vector machine (SVM) method to detect integrity attacks. This algorithm uses contribution plots and recursive feature elimination to select features. Compared with the principal component analysis (PCA) feature extraction, the detection accuracy is improved. After adding system dynamics to the algorithm, the time to detect attacks is advanced.

Gauthama Raman M. R.,Chuadhry Mujeeb Ahmed,Aditya Mathur

DOI: https://doi.org/10.1186/s42400-021-00095-5

2021-08-02

Abstract:Abstract Gradual increase in the number of successful attacks against Industrial Control Systems (ICS) has led to an urgent need to create defense mechanisms for accurate and timely detection of the resulting process anomalies. Towards this end, a class of anomaly detectors, created using data-centric approaches, are gaining attention. Using machine learning algorithms such approaches can automatically learn the process dynamics and control strategies deployed in an ICS. The use of these approaches leads to relatively easier and faster creation of anomaly detectors compared to the use of design-centric approaches that are based on plant physics and design. Despite the advantages, there exist significant challenges and implementation issues in the creation and deployment of detectors generated using machine learning for city-scale plants. In this work, we enumerate and discuss such challenges. Also presented is a series of lessons learned in our attempt to meet these challenges in an operational plant.

computer science, information systems, interdisciplinary applications, software engineering

Abiodun Ayodeji,Yong-kuo Liu,Nan Chao,Li-qun Yang

DOI: https://doi.org/10.1016/j.net.2020.05.012

IF: 2.817

2020-01-01

Nuclear Engineering and Technology

Abstract:Most of the machine learning-based intrusion detection tools developed for Industrial Control Systems (ICS) are trained on network packet captures, and they rely on monitoring network layer traffic alone for intrusion detection. This approach produces weak intrusion detection systems, as ICS cyber-attacks have a real and significant impact on the process variables. A limited number of researchers consider integrating process measurements. However, in complex systems, process variable changes could result from different combinations of abnormal occurrences. This paper examines recent advances in intrusion detection algorithms, their limitations, challenges and the status of their application in critical infrastructures. We also introduce the discussion on the similarities and conflicts observed in the development of machine learning tools and techniques for fault diagnosis and cybersecurity in the protection of complex systems and the need to establish a clear difference between them. As a case study, we discuss special characteristics in nuclear power control systems and the factors that constraint the direct integration of security algorithms. Moreover, we discuss data reliability issues and present references and direct URL to recent open-source data repositories to aid researchers in developing data-driven ICS intrusion detection systems.

Andrea Pinto,Luis-Carlos Herrera,Yezid Donoso,Jairo A. Gutierrez

DOI: https://doi.org/10.1007/s44196-024-00644-z

IF: 2.259

2024-09-11

International Journal of Computational Intelligence Systems

Abstract:Traditional security detection methods face challenges in identifying zero-day attacks in critical infrastructures (CIs) integrated with the industrial internet of things (IIoT). These attacks exploit unknown vulnerabilities and are difficult to detect due to their connection to physical systems. The integration of legacy ICS networks with modern computing and networking technologies has significantly expanded the attack surface, making these systems more susceptible to cyber-attacks. Despite existing security measures, attackers continually find ways to breach these operating networks. Anomaly detection systems are critical in protecting these CIs from current cyber threats. This study investigates the effectiveness of unsupervised anomaly detection models in detecting operational anomalies that could lead to cyber-attacks, thereby disrupting and negatively impacting quality of life. We preprocess the data with a focus on cybersecurity and chose the SWAT dataset because it accurately represents the types of attack vectors that critical infrastructures commonly encounter. We evaluated the performance of isolation forest (IF), local outlier factor (LOF), one-class SVM (OCSVM), and Autoencoder algorithms—trained exclusively on normal data—in enhancing cybersecurity within IIoT environments. Our comprehensive analysis includes an assessment of each model's detection capabilities. The findings highlight the VAE-LSTM model's potential to identify cyber-attacks within seconds in a high-frequency dataset, suggesting near real-time detection capability. The final model combines the reconstruction ability of the variational autoencoder (VAE) with regularization using the Kullback–Leibler divergence, reflecting the non-Gaussian nature of industrial system data. Our model successfully detected 23 out of 26 attack scenarios in the SWAT dataset, demonstrating its effectiveness in improving the security of IIoT-based CIs.

computer science, artificial intelligence, interdisciplinary applications

Riccardo Colelli,Filippo Magri,Stefano Panzieri,Federica Pascucci

DOI: https://doi.org/10.48550/arXiv.2110.12963

2021-10-25

Cryptography and Security

Abstract:Over the past decade, industrial control systems have experienced a massive integration with information technologies. Industrial networks have undergone numerous technical transformations to protect operational and production processes, leading today to a new industrial revolution. Information Technology tools are not able to guarantee confidentiality, integrity and availability in the industrial domain, therefore it is of paramount importance to understand the interaction of the physical components with the networks. For this reason, usually, the industrial control systems are an example of Cyber-Physical Systems (CPS). This paper aims to provide a tool for the detection of cyber attacks in cyber-physical systems. This method is based on Machine Learning to increase the security of the system. Through the analysis of the values assumed by Machine Learning it is possible to evaluate the classification performance of the three models. The model obtained using the training set, allows to classify a sample of anomalous behavior and a sample that is related to normal behavior. The attack identification is implemented in water tank system, and the identification approach using Machine Learning aims to avoid dangerous states, such as the overflow of a tank. The results are promising, demonstrating its effectiveness.

A. Termanini,D. Al-Abri,H. Bourdoucen,A. Al Maashri

DOI: https://doi.org/10.1007/s10207-024-00916-x

2024-11-10

International Journal of Information Security

Abstract:Industrial control systems (ICS) are vital parts of the physical infrastructure for many industrial assets, such as oil and gas fields, water stations, and power generation plants. Inadequate protection of such critical assets may lead to disruption of vital services and substantial monetary losses. Therefore, the safety of these assets is prioritized as national security. Operational technology networks have a unique nature and different requirements than conventional enterprise networks as they seek tailored security solutions to detect and prevent cyberattacks on such attractive targets. Motivated by a necessary need from industry and academia, this paper aims to present a broad survey of the research works related to developing Intrusion Detection Systems in ICS networks focusing on using recent machine learning techniques. A proposed review methodology is presented and applied to the relevant selected literature. The paper offers a comparative analysis to provide better insights into this domain, where it identifies several unresolved challenges that present intriguing research prospects for the industry and academic community.

computer science, information systems, theory & methods, software engineering

Jake Cho,Seonghyeon Gong

DOI: https://doi.org/10.3390/electronics13010158

IF: 2.9

2023-12-30

Electronics

Abstract:Industrial control systems (ICS) are critical networks directly linked to the value of core national and societal assets, yet they are increasingly becoming primary targets for numerous cyberattacks today. The ICS network, a fusion of operational technology (OT) and information technology (IT) networks, possesses a broad attack vector, and attacks targeting ICS often take the form of advanced persistent threats (APTs) exploiting zero-day vulnerabilities. However, most existing ICS security techniques have been adaptations of security technologies for IT networks, and security measures tailored to the characteristics of ICS data are currently insufficient. To mitigate cyber threats to ICS networks, this paper proposes an anomaly detection technique based on dynamic data abstraction. The proposed method abstracts ICS data collected in real time using a dynamic data abstraction technique based on noise reduction. The abstracted data are then used to optimize both the update rate and the detection accuracy of the anomaly detection model through model adaptation and incremental learning processes. The proposed approach updates the model by quickly reflecting data on new attack patterns and their distributions, effectively shortening the dwell time in response to APTs utilizing zero-day vulnerabilities. We demonstrate the attack response performance and detection accuracy of the proposed dynamic data abstraction-based anomaly detection technique through experiments using the SWaT dataset generated from a testbed of an actual ICS process. The experiments show that the proposed model achieves high accuracy with a small number of abstracted data while rapidly learning new attack pattern data in real-time without compromising accuracy. The proposed technique can effectively respond to cyberattacks targeting ICS by quickly learning and reflecting trends in attack patterns that exploit zero-day vulnerabilities.

engineering, electrical & electronic,computer science, information systems,physics, applied

Abigail M. Y. Koay,Ryan K. L Ko,Hinne Hettema,Kenneth Radke

DOI: https://doi.org/10.1007/s10844-022-00753-1

2022-10-13

Journal of Intelligent Information Systems

Abstract:The advent of Industry 4.0 has led to a rapid increase in cyber attacks on industrial systems and processes, particularly on Industrial Control Systems (ICS). These systems are increasingly becoming prime targets for cyber criminals and nation-states looking to extort large ransoms or cause disruptions due to their ability to cause devastating impact whenever they cease working or malfunction. Although myriads of cyber attack detection systems have been proposed and developed, these detection systems still face many challenges that are typically not found in traditional detection systems. Motivated by the need to better understand these challenges to improve current approaches, this paper aims to (1) understand the current vulnerability landscape in ICS, (2) survey current advancements of Machine Learning (ML) based methods with respect to the usage of ML base classifiers (3) provide insights to benefits and limitations of recent advancement with respect to two performance vectors; detection accuracy and attack variety. Based on our findings, we present key open challenges which will represent exciting research opportunities for the research community.

computer science, information systems, artificial intelligence

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Sepideh Bahadoripour,Ethan MacDonald,Hadis Karimipour

2023-04-04

Abstract:The growing number of cyber-attacks against Industrial Control Systems (ICS) in recent years has elevated security concerns due to the potential catastrophic impact. Considering the complex nature of ICS, detecting a cyber-attack in them is extremely challenging and requires advanced methods that can harness multiple data modalities. This research utilizes network and sensor modality data from ICS processed with a deep multi-modal cyber-attack detection model for ICS. Results using the Secure Water Treatment (SWaT) system show that the proposed model can outperform existing single modality models and recent works in the literature by achieving 0.99 precision, 0.98 recall, and 0.98 f-measure, which shows the effectiveness of using both modalities in a combined model for detecting cyber-attacks.

Cryptography and Security,Machine Learning

Nils Müller,Charalampos Ziras,Kai Heussen

DOI: https://doi.org/10.48550/arXiv.2202.09352

2022-02-18

Cryptography and Security

Abstract:The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.

Maged Abdelaty,Roberto Doriguzzi-Corin,Domenico Siracusa

DOI: https://doi.org/10.1109/TETC.2021.3073017

2020-09-14

Abstract:Deep Learning is emerging as an effective technique to detect sophisticated cyber-attacks targeting Industrial Control Systems (ICSs). The conventional approach to detection in literature is to learn the "normal" behaviour of the system, to be then able to label noteworthy deviations from it as anomalies. However, during operations, ICSs inevitably and continuously evolve their behaviour, due to e.g., replacement of devices, workflow modifications, or other reasons. As a consequence, the accuracy of the anomaly detection process may be dramatically affected with a considerable amount of false alarms being generated. This paper presents DAICS, a novel deep learning framework with a modular design to fit in large ICSs. The key component of the framework is a 2-branch neural network that learns the changes in the ICS behaviour with a small number of data samples and a few gradient updates. This is supported by an automatic tuning mechanism of the detection threshold that takes into account the changes in the prediction error under normal operating conditions. In this regard, no specialised human intervention is needed to update the other parameters of the system. DAICS has been evaluated using publicly available datasets and shows an increased detection rate and accuracy compared to state of the art approaches, as well as higher robustness to additive noise.

Cryptography and Security

Chunjie Zhou,Shuang Huang,Naixue Xiong,Shuang-Hua Yang,Huiyun Li,Yuanqing Qin,Xuan Li

DOI: https://doi.org/10.1109/TSMC.2015.2415763

2015-01-01

Abstract:Industrial process automation is undergoing an increased use of information communication technologies due to high flexibility interoperability and easy administration. But it also induces new security risks to existing and future systems. Intrusion detection is a key technology for security protection. However, traditional intrusion detection systems for the IT domain are not entirely suitable for industrial process automation. In this paper, multiple models are constructed by comprehensively analyzing the multidomain knowledge of field control layers in industrial process automation, with consideration of two aspects: physics and information. And then, a novel multimodel-based anomaly intrusion detection system with embedded intelligence and resilient coordination for the field control system in industrial process automation is designed. In the system, an anomaly detection based on multimodel is proposed, and the corresponding intelligent detection algorithms are designed. Furthermore, to overcome the disadvantages of anomaly detection, a classifier based on an intelligent hidden Markov model, is designed to differentiate the actual attacks from faults. Finally, based on a combination simulation platform using optimized performance network engineering tool, the detection accuracy and the real-time performance of the proposed intrusion detection system are analyzed in detail. Experimental results clearly demonstrate that the proposed system has good performance in terms of high precision and good real-time capability.

Jianfeng Zou,Xueqi Jin,Lei Zhang,Yueqiang Wang,Bo Li

DOI: https://doi.org/10.1109/cse/euc.2019.00063

2019-01-01

Abstract:Industrial Control Security (ICS) plays an important role in protecting Industrial assets and processed from being tampered by attackers. Recent years witness the fast development of ICS technology. However there are still few real case study to verify the effectiveness of ICS approaches when dealing with ICS threats. In this paper, we provide a real case study in industrial environments. The case study demonstrates the attacking process of virus spread and worm propagation in industrial environments. The case study also shows how the anomaly detection techniques could be used to identify the bad behaviors of virus and help security administrators to enhance the security of industrial environments.

Qian Wang,He Chen,Yonghui Li,Branka Vucetic

DOI: https://doi.org/10.1109/iciai.2019.8850828

2019-01-01

Abstract:The convergence of operation technology (OT) and information and communication technology (ICT) in industrial control networks presents new challenges for anomaly detection algorithms. Machine learning has achieved great success over the past few years, which has also been considered as one of the popular solutions for anomaly detection in industrial control networks. In this paper, we survey the recent work on anomaly detection for industrial control networks exploiting machine learning techniques. We first summarize major differences between OT and ICT and analyze the corresponding advantages and disadvantages for anomaly detection. Based on the features of the industrial control networks, existing work are classified into data-based learning and industrial network-specified learning methods. We analyze the pros and cons of these two learning methods. We finally point out the promising future work within this research area.

Abdulrahman Al-Abassi,Hadis Karimipour,Ali Dehghantanha,Reza M. Parizi

DOI: https://doi.org/10.48550/arXiv.2005.00936

IF: 4.729

2020-05-02

Signal Processing

Abstract:The integration of communication networks and the Internet of Things (IoT) in Industrial Control Systems (ICSs) increases their vulnerability towards cyber-attacks, causing devastating outcomes. Traditional Intrusion Detection Systems (IDSs), which are mainly developed to support Information Technology (IT) systems, count vastly on predefined models and are trained mostly on specific cyber-attacks. Besides, most IDSs do not consider the imbalanced nature of ICS datasets, thereby suffering from low accuracy and high false positive on real datasets. In this paper, we propose a deep representation learning model to construct new balanced representations of the imbalanced dataset. The new representations are fed into an ensemble deep learning attack detection model specifically designed for an ICS environment. The proposed attack detection model leverages Deep Neural Network (DNN) and Decision Tree (DT) classifiers to detect cyber-attacks from the new representations. The performance of the proposed model is evaluated based on 10-fold cross-validation on two real ICS datasets. The results show that the proposed method outperforms conventional classifiers, including Random Forest (RF), DNN, and AdaBoost, as well as recent existing models in the literature. The proposed approach is a generalized technique, which can be implemented in existing ICS infrastructures with minimum changes.

Bakht Sher Ali,Inam Ullah,Tamara Al Shloul,Izhar Ahmed Khan,Ijaz Khan,Yazeed Yasin Ghadi,Akmalbek Abdusalomov,Rashid Nasimov,Khmaies Ouahada,Habib Hamam

DOI: https://doi.org/10.1007/s11227-023-05764-5

2024-01-01

Abstract:The growing volume of data, especially in cases of imbalanced datasets, has posed significant challenges in the classification process, particularly when it comes to identifying cyberattacks on industrial control systems (ICS) networks, which have been a source of concern due to the significant destructive impact of viruses such as Slammer, worms, Stuxnet, Duqu, Seismic Net, and Flame on critical infrastructures in various countries. The key challenge is constructing the intrusion detection system (IDS) framework to deal with imbalanced datasets. Many researchers work especially on binary classification, but multi-classification is a more challenging and still active research area. To deal with the multi-class imbalanced classification problem, we outline an instance-based intrusion detection technique named ICS-IDS, for intrusion detection in ICS systems specific to SCADA networks. The developed technique consists of two core components, the data preparation component, and the detection component. The data preparation component uses the normalization, Fisher Discriminant Analysis, and k-neighbor’s method to scale the data, reduce the dimensionality, and resample the dataset, respectively. To learn the latent representations and discern harmful vectors from attacked data, the detection/recognition component leverages an efficient instance-based learner. The proposed ICS-IDS model outperforms existing attractive methods in detecting sophisticated attack vectors in ICS data, achieving 99% accuracy and 99% detection rates (DR) on an industrial network dataset. This proves the methodology's practicality for implementing security in real-world ICS networks.

Xinrui Dong,Yingxu Lai

DOI: https://doi.org/10.1109/ISADS56919.2023.10092008

2023-01-01

Abstract:The integration of industrialization and informatization has exposed industrial control systems (ICSs) to increasingly serious security challenges. Currently, the mainstream method to protect the security of ICSs is intrusion detection system (IDS) based on deep-learning. However, these methods depend on a massive amount of high-quality data. Owing to the characteristics and protocol limitations, ICSs data usually experience low-quality and data imbalance problems, which significantly affects the accuracy of IDS.In this study, an IDS for ICS that combines data expansion algorithm and CNN was proposed. A novel normalized neighborhood weighted convex combined random sample (NNW-CCRS) oversampling algorithm was designed, which automatically attenuates the effects of noise and expanding imbalanced data to produce balanced ICS datasets. By reducing the impact of imbalanced ICS data on IDSs, our system effectively protects the security of ICS. Secure Water Treatment dataset (SWaT) was used for experimental validation. The experimental results confirmed that the accuracy of the proposed system improved by approximately 20%, compared to the ICS without data expansion.

Eric Gyamfi,Anca Delia Jurcut

DOI: https://doi.org/10.1109/jiot.2022.3172393

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:The Industrial Internet of Things (IIoT) should be equipped with computational resources to detect network intrusions, types of attacks, and update their models automatically in real time. The most challenging aspect of machine learning (ML)-based network intrusion detection system (NIDS) design to secure IIoT is the continuous need for up-to-date definitions of attack data records. Moreover, the approaches employed by cyber attackers are in a dynamic state with changing trends and techniques. Hence, conventional signature-based NIDS are not suitable since they cannot update obsolete detection models. Anomaly-based NIDS that contains an online learning technique is adopted in our proposed method. Since IIoTs face resource-constrained problems, such as low memory, low computing capacity, and limited energy supply, it is very challenging to implement the exiting general-purpose anomaly-based NIDS. This article proposes a lightweight NIDS based on an online incremental support vector data description (OI-SVDD) anomaly detection system on the IIoT devices and an adaptive sequential extreme learning machine (AS-ELM) on the multiaccess edge computing (MEC) server. Additionally, we utilize the MEC server, which provides computational resources to execute the AS-ELM model at the network’s edge. To avoid data saturation in the proposed model, we apply data filtering using the rate of convergence (ROC). We evaluated the proposed NIDS through experiments using two data sets, such as UNSW-NB15 (public data set) and our self-generated data set. Our results show that the proposed OI-SVDD and AS-ELM perform effectively and detect network intrusion in a realistic IIoT environment.

Hanan Hindy,David Brosset,Ethan Bayne,Amar Seeam,Xavier Bellekens

DOI: https://doi.org/10.1007/978-3-030-12786-2_1

2019-03-06

Abstract:Network Control Systems (NAC) have been used in many industrial processes. They aim to reduce the human factor burden and efficiently handle the complex process and communication of those systems. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation, etc.) Like other Internet of Things (IoT) implementations, SCADA systems are vulnerable to cyber-attacks, therefore, a robust anomaly detection is a major requirement. However, having an accurate anomaly detection system is not an easy task, due to the difficulty to differentiate between cyber-attacks and system internal failures (e.g. hardware failures). In this paper, we present a model that detects anomaly events in a water system controlled by SCADA. Six Machine Learning techniques have been used in building and evaluating the model. The model classifies different anomaly events including hardware failures (e.g. sensor failures), sabotage and cyber-attacks (e.g. DoS and Spoofing). Unlike other detection systems, our proposed work focuses on notifying the operator when an anomaly occurs with a probability of the event occurring. This additional information helps in accelerating the mitigation process. The model is trained and tested using a real-world dataset.

Cryptography and Security,Machine Learning