Ying-xu LAI,Jiao JIAO

DOI: https://doi.org/10.11936/bjutxb2014040009

2015-01-01

Abstract:To improve the detecting accuracy of malicious traffic in industrial control systems ( ICS) , an innovative approach based on structural time series model is proposed. Industrial Ethernet traffic can be decomposed into four components. Each component is established by a state space model respectively, which brings out high fitting precision. Therefore compared with X-12, the average positive rate of this method increases by 38%. In the meanwhile, this method provides a way to decrease false positive rate and time complexity.

Yingxu Lai,Zenghui Liu,Zhanwei Song,Yusheng Wang,Yiwei Gao

DOI: https://doi.org/10.1016/j.simpat.2016.01.013

IF: 4.199

2016-01-01

Simulation Modelling Practice and Theory

Abstract:With the ever growing demand of location-independent access to Autonomous Decentralized Systems (ADS), anomaly detection scheme for industrial Ethernet, which highly is satisfied with demanding real-time and reliable industrial applications, becomes one of the most pressing subjects in ADS. In this paper, we present an innovative approach to build a traffic model based on structural time series model for a chemical industry system. A basic structural model that decomposes time series into four items is established by the stationary analysis of industrial traffic. Parameters in the model are identified by the state space model, which is conducted from the training sequence using standard Kalman filter recursions and the EM algorithm. Furthermore, the performance of state space model is evaluated by the experimental results that confirm significant improvement in detection accuracy and the validity of abnormal data localization.

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Jiahui Ni,Wenqing Yin,Yong Jiang,Jingling Zhao,Yiming Hu

DOI: https://doi.org/10.1007/978-3-030-44041-1_16

2020-01-01

Abstract:With the increasing demand for security in industrial control systems, many researchers are studying industrial control systems for anomaly detection. Most of them use machine learning method to analyze and predict the traffic, but it is not enough to study the periodic characteristics of the industrial control system. This paper analyzes and studies the characteristics of the protocol field by extracting the unique protocol Modbus in the industrial control system. In this paper, the periodic characteristics of industrial control data are mined from the aspects of symbol sequence. We simulate traffic and test the proposed method which shows that it can effectively detect the periodicity of different sequences in the industrial control system and provide an auxiliary method for anomaly detection.

Qinpei Zhao,Yinjia Zhang,Yang Shi,Jiangfeng Li

DOI: https://doi.org/10.1007/978-3-030-19861-9_2

2019-01-01

Abstract:The traffic among the hosts and behaviors of the anomalous hosts in the network is usually complex. In network traffic, there is a key problem that is how to identify the security incidents. The corresponding question that who have contributed to the incidents is arisen then. A method, which detects both anomalies and events at the same time is quite helpful. A data from network traffic can be composed of the hosts and different attributes (traffic flow like amount of upload package and download package) in time series. Based on the structure of the network traffic data, we propose an anomaly and event detection method based on the network attributes in time series. The method analyzes both the host’s behavior and the temporal features of the network traffic.

Yue Wang,Hao Peng,Gang Wang,Xianghong Tang,Xuejian Wang,Chunyang Liu

DOI: https://doi.org/10.1016/j.engappai.2023.106144

IF: 8

2023-03-24

Engineering Applications of Artificial Intelligence

Abstract:Massive amounts of industrial data, which are often gathered by industrial control systems (ICS), have been generated by the fast growth of industrial intelligence. One of the hottest topics in ICS is how to extract the most useful information from industrial "Big Data" and provide a more comprehensive service for monitoring the condition of industrial production processes. As the industrial environment gets increasingly complicated, production tasks change often and malicious attacks are on the rise. It remains a grand challenge to perform fine-grained anomaly detection in high-dimensional, noisy industrial data. In response to this problem, we propose a spatio-temporal graph neural network-based anomaly detection framework for fine-grained state monitoring of ICSs. First, based on prior knowledge, we propose a method for feature dimensionality reduction and dynamic graph modeling. After that, the variational mode decomposition (VMD) module is then utilized to remove noise from industrial data. Finally, we propose a spatio-temporal feature extraction module for fine-grained anomaly detection. Numerical experiments are conducted on a real-world ICS dataset called HAI. The results demonstrate that the proposed framework can effectively deal with high-dimensional, high-noise, and imbalanced industrial data. The framework's concepts are interconnected and extensible to various industrial scenarios, including metallurgy, smart shop floors, etc. In terms of recall, precision, and F1 -Score, a comparison between the proposed framework and eight representative methods reveals the merits of the proposed framework.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Huazan Liu,Zhenzhou Ji,Chong Li,Kaikai Li

DOI: https://doi.org/10.1109/ICCEA58433.2023.10135289

2023-01-01

Abstract:As the development of the Internet of Things, industrial control network security issues have become more prominent. Anomaly detection technology is an important detection technology for ensuring the network security of industrial control systems, which can issue alarms and block responses before the system is compromised. However, most models currently suffer from problems such as low detection rate, high false positive rate, and inability to locate the anomalies. To address these issues, this paper proposes a multidimensional feature and spectral residual-based industrial control time series anomaly detection method (SRMCAD) to improve the accuracy of anomaly detection while reducing the false positive rate. First, this paper applies the spectral residual method to multidimensional time series anomaly detection in the industrial control domain, and uses the residual data obtained by spectral residual processing instead of the original data as input to the model. Secondly, to address the problem of imprecise device attack localization and high false positive rate in existing industrial control anomaly detection models, this paper designs and implements an industrial control anomaly detection model based on an encoding-decoding architecture, incorporating the idea of system state modeling and using the Mahalanobis distance as the loss function. Experimental results show that SRMCAD has significant advantages over current advanced methods.

Chen Markman,Avishai Wool,Alvaro A. Cardenas

DOI: https://doi.org/10.48550/arXiv.1808.05068

2018-08-15

Cryptography and Security

Abstract:In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Previous work showed that in many cases, it is possible to create an automata-based model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that overall, the models have difficulty in dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern, and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity. The model presented has similar accuracy and much less permissiveness compared to the previous general DFA model. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.

Li Zhang,Zhuo Lv,Xuesong Zhang,Cen Chen,Nuannuan Li,Yidong Li,Wei Wang

DOI: https://doi.org/10.1007/978-3-030-36938-5_24

2019-01-01

Abstract:Industrial Control Systems (ICS) are the critical infrastructures of power grids. It is very important to monitor and control industrial equipment through the networks. Most ICSs currently used in smart grid contain IT key equipment and communication technologies to implement the communication and logic control functions. However, unlike traditional IT network traffic, these power-related industrial control systems have variety of proprietary protocols. Obviously, in typical complex systems the manually intensive processing of data is costly and sub-optimal. In this paper, we propose an novel traffic anomaly detection model for power ICS based on Multi-Head attention (MHA) method, in which the collected raw traffic was converted into the form of matrix. The MHA and Convolutional Neural Network (CNN) model were used to classify traffic data. We replace the traditional feature extraction and rule making process with an acceptable computational cost. The effectiveness of our approach is demonstrated by experiments on two real world power ICS testbeds: a power generation simulation platform based on a distributed control system (DCS) and a substation slave station. Comparing with some classical machine learning algorithms and Convolutional Neural Networks, the experimental results show that our MHA model outperforms the CNN-based and classical machine learning detection models with an accuracy rate of 99.86%.

Tao Yang,Weijie Hao,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.eswa.2023.120668

IF: 8.5

2023-01-01

Expert Systems with Applications

Abstract:Industrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system's security and reliability. However, existing research on network traffic anomaly detection for ICPS has several limitations. First, most traffic anomaly detection models focus on centralized detection. Thus, all traffic packets have to be uploaded to the control center for detection, which leads to a heavy traffic load. However, real-time and reliable communication is crucial to ICPSs. The heavy traffic load may cause communication delays or packets lost by corruption. Second, Seasonal AutoRegressive Integrated Moving Average (SARIMA) is popular in ICPS network traffic anomaly detection. However, most SARIMA-based detection models can only detect anomalous traffic once. Thus, they are unable to detect anomalies continuously and are not suitable for actual ICPS. Third, the features extracted from network traffic affect the classification performance. However, most existing feature extraction models cannot sufficiently extract traffic features, leading to poor detection performance. To address the limitations above, this paper proposes a cloud-edge coordinated network traffic anomaly detection approach. The proposed approach consists of a set of anomalous traffic alarm models deployed in the edge areas and an anomalous traffic analysis model deployed in the cloud. The former is implemented based on Improved Online SARIMA (IOSARIMA) algorithm that can detect anomalous traffic continuously and upload it to the cloud for further analysis, filtering massive normal traffic packets and making traffic load smaller. The anomalous traffic analysis model consists of a feature extraction algorithm and a Convolutional Neural Network (CNN) classifier, which can sufficiently extract traffic features and identify the attack types precisely. The proposed anomaly detection approach is extensively evaluated on a realistic ICPS testbed, including 3 edges (i.e., power generation, power transmission and power distribution) and a cloud consisting of an engineering workstation and a Supervisory Control And Data Acquisition (SCADA) workstation. The experimental results confirm the smaller traffic load and better detection performance, compared with the existing detection models.

Zhan-wei SONG,Rui-kang ZHOU,Ying-xu LAI,Ke-feng FAN,Xiang-zhen YAO,Lin LI,Wei LI

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.01.041

2018-01-01

Abstract:At present,the ICS network security has become a key problem in the field of information security.Detecting attacks,such as behavior data tampering attack and control program tampering attack,is a difficult problem of ICS network security.Therefore,this paper proposed an anomaly detection method based on behavior model.This method extracts the behavior data sequence from the industrial control network traffic.Then it constructs the normal behavior model according to the control process and the controlled process of ICS.At last,it determines whether an exception occurs by comparing and analyzing the behavior data extracted in real time and the behavior data predicted by the model.The experimental analysis shows that it can effectively detect behavior data tampering attack,control program tampering attack and so on.

Mingxin Tang,Wei Chen,Wen Yang

DOI: https://doi.org/10.1080/09540091.2022.2092594

2022-01-01

Connection Science

Abstract:Anomaly detection of multi-dimensional time-series data is a key research area, and the analysis of control, switching, and other state signals (i.e., industrial state quantity time series) is of particular importance to the operational sciences. When only the limited values of industrial state quantities are taken in the discrete set, there is no continuous change trend, making it difficult to achieve good results when applying analogue anomaly detection methods directly. In this study, assuming a correlation between the time series of state and analogue quantities in industrial systems, a model for anomaly detection in state quantity time-series data is built through a correlation supported by long short-term memory, and the model is verified using real physical process data. These results demonstrate that the proposed method is superior to extant industrial time-series models. Thus far, no studies focusing on the anomaly detection of two-state quantity time-series outliers have been performed. We believe that the research problem addressed herein and the proposed method contribute an interesting design methodology for the anomaly detection of time-series data in IIoT.

GUO Lin,ZHANG Dafang,LI Wenwei,XIE Kun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.19.048

2006-01-01

Abstract:Diagnosing anomalies are difficult problem because one must extract and interpret anomalous patterns from large amounts of high-dimensional,noisy data.In this paper the network traffic is validated to possess a non-stationary characteristic and a general method was proposed to diagnose anomalies.This method is based on a separation of the non-stationary traffic into disjoint components corresponding to normal and anomalous network conditions.This separation can be performed effectively by both marginal distribution and qq-plot analysis of parameters of anomalous component.We evaluate the method's ability to diagnose both existing and synthetically injected traffic anomalies in real traffic.Experiment shows the method can: ①accurately detect when traffic anomaly is occurring;②does so with a very low false alarm rate.

Wen Si,Jiang-Hai Li,Xiao-Jin Huang

DOI: https://doi.org/10.1007/978-981-15-1876-8_51

2020-01-01

Abstract:Anomaly detection is significant in the cyber security of industrial control systems. Unsupervised learning neural networks approach is applicable for the anomaly detection of industrial control systems. The large amount of network packets produced from systems every time are suitable source for training data acquisition. However, the packets contains many layers following different protocols. Thus, extracting effective features from packets will make sense. First the structure of a network packet is analyzed, and one packet is divided into two parts, the header part which includes layers following IT network protocols and the data part which includes layers following ICS protocols. Then IT network features are extracted from the header part. Third, the data part is processed by conversation correspondence and physical meaning reverting, so that industrial control features are extracted from this part. Finally, how to apply the extracted features in neural network approaches for ICS anomaly detection is discussed.

Huang Kai,Zhengwei Qi,Liu Bo

DOI: https://doi.org/10.1109/WAINA.2009.58

2009-01-01

Abstract:Network always suffers from the traffic anomaly such as router rate change, device restart or the worm attack. The early detection of unusual anomaly in the network is a key to fast recover and avoidance of future serious problem to provide a stable network transmission. In this paper we present a statistical approach to analysis the distribution of network traffic to identify the normal network traffic behavior. We adapt the EM algorism to estimate the distribution parameter of Gaussian mixture distribution model. If only there is a statistical signature of unusual fluctuation or change in the network traffic an alarm will be triggered. We adapt the time series analysis of the statistical analysis result. Up bound and low bound will be defined through the analysis. The exceeding of the bound will be the signal of traffic anomaly. Another time series analysis approach also can reflect the fluctuation of network with the crossover of two indicator lines called K line and D line. These two indicator lines are some think like the mean value of the historical data in a time slice with one more sensitive to the change of the new coming data and another not. The approach three-MACD indicator approach is like the K D approach but more blunt to the unusual fluctuation of network traffic which can submit an alarm more correctly.

Fan-Bo MENG,Nan JIANG,Bo LIU,Ran LI,Fei XIA

DOI: https://doi.org/10.12783/dtetr/ssme-ist2016/4030

2016-01-01

DEStech Transactions on Engineering and Technology Research

Abstract:With the advance of new network technologies, new types of applications are quickly arising. Network traffic exponentially is rising. Accordingly, this results in new challenges for network traffic anomaly detections. This paper proposes a new quick detection approach to network traffic anomalies. Firstly, network traffic is regarded as a time series of signals and is constructed into a matrix. Secondly, the principal component decomposition is performed for the matrix. The network traffic is divided into principal and non-principal components. Thirdly, the empirical mode decomposition is carried out for these two components. In this case, a quick anomaly detection algorithm is presented. Simulation results show that our approach is feasible and promising.

Zonglin Li,Guangmin Hu,Ruqiang Zhou

DOI: https://doi.org/10.1142/9789812799524_0363

2008-01-01

Abstract:Traffic modeling as one of the ways to describe the normal behavior of network traffic is used to detect anomaly. Due to the self-similar model and multi-fractal model are inherently unable to capture the nature of traffic data in all time scales, we propose a novel anomaly detection method based on IDC model analysis to describe the characteristic of traffic data more accurately. By studying the influences of anomalous traffic on the estimation of IDC model through wavelet transform modulus maxima, a cumulative deviation is defined to estimate abnormal behavior. The simulation results show that our method is more sensitive to small anomalous traffic than detection methods based on H parameter analysis, and can accurately detect the anomalies which would not cause the Hurst parameter change evidently. Therefore, it is suite for the early stage detection of anomaly traffic.

Long Xu,Wei Xiong,Minghao Zhou,Lei Chen

DOI: https://doi.org/10.3390/sym14010124

2022-01-01

Symmetry

Abstract:Dynamic traffic monitoring is a critical part of industrial communication network cybersecurity, which can be used to analyze traffic behavior and identify anomalies. In this paper, industrial networks are modeled by a dynamic fluid-flow model of TCP behavior. The model can be described as a class of systems with unmeasurable states. In the system, anomalies and normal variants are represented by the queuing dynamics of additional traffic flow (ATF) and can be considered as a disturbance. The novel contributions are described as follows: (1) a novel continuous terminal sliding-mode observer (TSMO) is proposed for such systems to estimate the disturbance for traffic monitoring; (2) in TSMO, a novel output injection strategy is proposed using the finite-time stability theory to speed up convergence of the internal dynamics; and (3) a full-order sliding-mode-based mechanism is developed to generate a smooth output injection signal for real-time estimations, which is directly used for anomaly detection. To verify the effectiveness of the proposed approach, the real traffic profiles from the Center for Applied Internet Data Analysis (CAIDA) DDoS attack datasets are used.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.