Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Ruochen Zhou,Zhiyun Wang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9347104

2020-01-01

Abstract:Programmable logic controller (PLC) is one of the critical infrastructure in industrial control system, which is therefore vulnerable to a variety of cyber-attacks. To mitigate this issue, we design an anomaly detection system, a novel non-invasive intrusion detection method for PLC. Our system utilizes the magnetic side-channel information around the power supply module of PLC and analyzes the running status rely on the fact that different programs will result in various magnetic characteristic. We design a classification algorithm which can extract representational features from the raw signal, as well as avoid the interference of environmental noise. To validate the idea, we design 3 types of attacks and implement on the prototype of thermal power plant in laboratory. The evaluation shows our system is feasible to detect attacks and achieve an overall detection accuracy above 90%.

Ying-xu LAI,Jiao JIAO

DOI: https://doi.org/10.11936/bjutxb2014040009

2015-01-01

Abstract:To improve the detecting accuracy of malicious traffic in industrial control systems ( ICS) , an innovative approach based on structural time series model is proposed. Industrial Ethernet traffic can be decomposed into four components. Each component is established by a state space model respectively, which brings out high fitting precision. Therefore compared with X-12, the average positive rate of this method increases by 38%. In the meanwhile, this method provides a way to decrease false positive rate and time complexity.

Jianfeng Zou,Xueqi Jin,Lei Zhang,Yueqiang Wang,Bo Li

DOI: https://doi.org/10.1109/cse/euc.2019.00063

2019-01-01

Abstract:Industrial Control Security (ICS) plays an important role in protecting Industrial assets and processed from being tampered by attackers. Recent years witness the fast development of ICS technology. However there are still few real case study to verify the effectiveness of ICS approaches when dealing with ICS threats. In this paper, we provide a real case study in industrial environments. The case study demonstrates the attacking process of virus spread and worm propagation in industrial environments. The case study also shows how the anomaly detection techniques could be used to identify the bad behaviors of virus and help security administrators to enhance the security of industrial environments.

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Chunjie Zhou,Shuang Huang,Naixue Xiong,Shuang-Hua Yang,Huiyun Li,Yuanqing Qin,Xuan Li

DOI: https://doi.org/10.1109/TSMC.2015.2415763

2015-01-01

Abstract:Industrial process automation is undergoing an increased use of information communication technologies due to high flexibility interoperability and easy administration. But it also induces new security risks to existing and future systems. Intrusion detection is a key technology for security protection. However, traditional intrusion detection systems for the IT domain are not entirely suitable for industrial process automation. In this paper, multiple models are constructed by comprehensively analyzing the multidomain knowledge of field control layers in industrial process automation, with consideration of two aspects: physics and information. And then, a novel multimodel-based anomaly intrusion detection system with embedded intelligence and resilient coordination for the field control system in industrial process automation is designed. In the system, an anomaly detection based on multimodel is proposed, and the corresponding intelligent detection algorithms are designed. Furthermore, to overcome the disadvantages of anomaly detection, a classifier based on an intelligent hidden Markov model, is designed to differentiate the actual attacks from faults. Finally, based on a combination simulation platform using optimized performance network engineering tool, the detection accuracy and the real-time performance of the proposed intrusion detection system are analyzed in detail. Experimental results clearly demonstrate that the proposed system has good performance in terms of high precision and good real-time capability.

Huazan Liu,Zhenzhou Ji,Chong Li,Kaikai Li

DOI: https://doi.org/10.1109/ICCEA58433.2023.10135289

2023-01-01

Abstract:As the development of the Internet of Things, industrial control network security issues have become more prominent. Anomaly detection technology is an important detection technology for ensuring the network security of industrial control systems, which can issue alarms and block responses before the system is compromised. However, most models currently suffer from problems such as low detection rate, high false positive rate, and inability to locate the anomalies. To address these issues, this paper proposes a multidimensional feature and spectral residual-based industrial control time series anomaly detection method (SRMCAD) to improve the accuracy of anomaly detection while reducing the false positive rate. First, this paper applies the spectral residual method to multidimensional time series anomaly detection in the industrial control domain, and uses the residual data obtained by spectral residual processing instead of the original data as input to the model. Secondly, to address the problem of imprecise device attack localization and high false positive rate in existing industrial control anomaly detection models, this paper designs and implements an industrial control anomaly detection model based on an encoding-decoding architecture, incorporating the idea of system state modeling and using the Mahalanobis distance as the loss function. Experimental results show that SRMCAD has significant advantages over current advanced methods.

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

PENG Yong,XIANG Chong,ZHANG Miao,CHEN Dongqing,GAO Haihui,XIE Feng,DAI Zhonghua

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2016.23.013

2016-01-01

Abstract:Industrial control systems (ICSs) are cyberphysical systems (CPSs) which supervise and control physical processes in critical infrastructure industries such as electric power,water treatment,oil & natural gas exploration,transportation,and chemical industry.Based on the observation of ICS'stable and persistent communication data flow control patterns,a concept and a methodology of ICS scenario fingerprinting were proposed which analyze industrial control protocol interactive behavior to represent ICS system-level normal behavior characteristics.ICS scenario fingerprint can identify unique ICS installation,while being used as a more generalized method to establish ICS systems'behavior benchmark and further being used to identify ICS systems'abnormal behavior.Experiments were made to validate the proposed viewpoint,which use real equipment for ICS cyber domain and use simulation for ICS physical domain.Experimental results demonstrate that ICS scenario fingerprinting technique provides ICS security research with a promising method.

Basem AL-Madani,Ahmad Shawahna,Mohammad Qureshi

DOI: https://doi.org/10.48550/arXiv.1911.05692

2019-11-02

Abstract:Industrial Control Networks (ICN) such as Supervisory Control and Data Acquisition (SCADA) systems are widely used in industries for monitoring and controlling physical processes. These industries include power generation and supply, gas and oil production and delivery, water and waste management, telecommunication and transport facilities. The integration of internet exposes these systems to cyber threats. The consequences of compromised ICN are determine for a country economic and functional sustainability. Therefore, enforcing security and ensuring correctness operation became one of the biggest concerns for Industrial Control Systems (ICS), and need to be addressed. In this paper, we propose an anomaly detection approach for ICN using the physical properties of the system. We have developed operational baseline of electricity generation process and reduced the feature set using greedy and genetic feature selection algorithms. The classification is done based on Support Vector Machine (SVM), k-Nearest Neighbor (k-NN), and C4.5 decision tree with the help from the inter-arrival curves. The results show that the proposed approach successfully detects anomalies with a high degree of accuracy. In addition, they proved that SVM and C4.5 produces accurate results even for high sensitivity attacks when they used with the inter-arrival curves. As compared to this, k-NN is unable to produce good results for low and medium sensitivity attacks test cases.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Systems and Control

Jake Cho,Seonghyeon Gong

DOI: https://doi.org/10.3390/electronics13010158

IF: 2.9

2023-12-30

Electronics

Abstract:Industrial control systems (ICS) are critical networks directly linked to the value of core national and societal assets, yet they are increasingly becoming primary targets for numerous cyberattacks today. The ICS network, a fusion of operational technology (OT) and information technology (IT) networks, possesses a broad attack vector, and attacks targeting ICS often take the form of advanced persistent threats (APTs) exploiting zero-day vulnerabilities. However, most existing ICS security techniques have been adaptations of security technologies for IT networks, and security measures tailored to the characteristics of ICS data are currently insufficient. To mitigate cyber threats to ICS networks, this paper proposes an anomaly detection technique based on dynamic data abstraction. The proposed method abstracts ICS data collected in real time using a dynamic data abstraction technique based on noise reduction. The abstracted data are then used to optimize both the update rate and the detection accuracy of the anomaly detection model through model adaptation and incremental learning processes. The proposed approach updates the model by quickly reflecting data on new attack patterns and their distributions, effectively shortening the dwell time in response to APTs utilizing zero-day vulnerabilities. We demonstrate the attack response performance and detection accuracy of the proposed dynamic data abstraction-based anomaly detection technique through experiments using the SWaT dataset generated from a testbed of an actual ICS process. The experiments show that the proposed model achieves high accuracy with a small number of abstracted data while rapidly learning new attack pattern data in real-time without compromising accuracy. The proposed technique can effectively respond to cyberattacks targeting ICS by quickly learning and reflecting trends in attack patterns that exploit zero-day vulnerabilities.

engineering, electrical & electronic,computer science, information systems,physics, applied

Lai Yingxu,Jiao,Liu Jing

DOI: https://doi.org/10.1109/isads.2015.28

2015-01-01

Abstract:With the growing demand of location-independent access to Industrial Control Systems (ICS), anomaly detection scheme for industrial Ethernet which highly satisfied with demanding real-time and reliable industrial applications becomes one of the problems in ICS. In this paper, we present an innovative approach to build a traffic model based on structural time series model. Basic structural model which decomposes time series into four factors is established by the stationary analysis of industrial traffic. Parameters in the model are identified by state space model which is conducted from the training sequence using standard Kalman filter recursions and EM algorithm. Furthermore, performance of state space model is evaluated by the experimental comparative results that confirm significant improvement in detection accuracy and the validity of abnormal data localization.

Vegard Berge,Chunlei Li

2024-10-26

Abstract:Traditional intrusion detection systems (IDSs) often rely on either network traffic or process data, but this single-source approach may miss complex attack patterns that span multiple layers within industrial control systems (ICSs) or persistent threats that target different layers of operational technology systems. This study investigates whether combining both network and process data can improve attack detection in ICSs environments. Leveraging the SWaT dataset, we evaluate various machine learning models on individual and combined data sources. Our findings suggest that integrating network traffic with operational process data can enhance detection capabilities, evidenced by improved recall rates for cyber attack classification. Serving as a proof-of-concept within a limited testing environment, this research explores the feasibility of advancing intrusion detection through a multi-source data approach in ICSs. Although the results are promising, they are preliminary and highlight the need for further studies across diverse datasets and refined methodologies.

Cryptography and Security

Li Zhang,Zhuo Lv,Xuesong Zhang,Cen Chen,Nuannuan Li,Yidong Li,Wei Wang

DOI: https://doi.org/10.1007/978-3-030-36938-5_24

2019-01-01

Abstract:Industrial Control Systems (ICS) are the critical infrastructures of power grids. It is very important to monitor and control industrial equipment through the networks. Most ICSs currently used in smart grid contain IT key equipment and communication technologies to implement the communication and logic control functions. However, unlike traditional IT network traffic, these power-related industrial control systems have variety of proprietary protocols. Obviously, in typical complex systems the manually intensive processing of data is costly and sub-optimal. In this paper, we propose an novel traffic anomaly detection model for power ICS based on Multi-Head attention (MHA) method, in which the collected raw traffic was converted into the form of matrix. The MHA and Convolutional Neural Network (CNN) model were used to classify traffic data. We replace the traditional feature extraction and rule making process with an acceptable computational cost. The effectiveness of our approach is demonstrated by experiments on two real world power ICS testbeds: a power generation simulation platform based on a distributed control system (DCS) and a substation slave station. Comparing with some classical machine learning algorithms and Convolutional Neural Networks, the experimental results show that our MHA model outperforms the CNN-based and classical machine learning detection models with an accuracy rate of 99.86%.

Dingyi Fang,Xiaojiang Chen,Zhangyong Tang,Feng Chen

DOI: https://doi.org/10.1109/ICICIC.2009.106

2009-01-01

Abstract:Neural network can be used in anomaly detection. In order to improve the traditional IDS (intrusion detection system) performance, we often had to change the network structure and detection algorithm. And because intrusion techniques are most variable and unpredictable, we cannot always use the fixed detection techniques to catch exactly all possible intrusions. It is therefore important to investigate novel detection methods and IDS models. In this paper, a model of intrusion detection system based on BP neural network is proposed through analyzing features of program behavior. Some details and issues on the design and implementation of the model are discussed and experiments are also given.

Bin Liu,Jingzhao Chen,Yong Hu

DOI: https://doi.org/10.1016/j.compind.2022.103609

IF: 10

2022-05-01

Computers in Industry

Abstract:Integrity and availability attacks can cause serious damage to modern industrial cyber-physical systems (ICPS). It is critical to detect and identify these attacks promptly and accurately. This paper investigates the anomaly detection for ICPS in the process industry. Three typical attacks, the Stuxnet-like, denial-of-service, and false data injection, are taken as specific defense targets. We propose to detect anomalies by quantifying the dynamic variations of generalized model implied by operating data, and present a mode division as the novel detection framework. The subspace technique and a quantization method for the amplitude-frequency characteristic deviation are employed to design the detector, which can be deployed independently in the active ICPS and does not cause any loss of control performance. An attack-defense experimental platform is developed to evaluate the detector under the attack scenarios of interest. The results show that the detector can detect any of the three attacks in a maximum of 28 s after the attack onset, and that these attacks can be distinguished by combining the state estimation residuals and system errors.

computer science, interdisciplinary applications

Sun Haoyang,Dan Wang,Lihua Fu,Wenbing Zhao,Yuan Liu

DOI: https://doi.org/10.1109/compsac.2015.278

2015-01-01

Abstract:Anomaly-based detection systems usually establish models describing the normal behavior of themonitored system and rely on these models to identifyanomalous activity that may be associated to intrusions.Traditional system call sequence-based model suffer from alarge number of false positives and unable to represent program branching and loop structure. We develop an approachby using automationtechnique to build the normal behavior model of a software system which can be used to detect the anomaly.Our methodcan improve the integrity and accuracy of behavior model and decrease complexity of building model. Meanwhile, it could solve the infeasible path problem of automation and it is effectivewhile cutting down the false positives experienced by anomaly detection.

Xinchen Zhang,Zhihan Jiang,Yulong Ding,Edith C.H. Ngai,Shuang-Hua Yang

DOI: https://doi.org/10.1016/j.jfranklin.2024.107000

IF: 4.246

2024-09-01

Journal of the Franklin Institute

Abstract:As the Industrial Internet-of-Things (IIoT) evolves, a growing number of industrial control systems (ICSs) are connecting to the Internet, making them more vulnerable to malicious attacks. This paper addresses the detection of false data injection (FDI) attacks, a prevalent threat to open ICSs. We introduce an innovative anomaly detection technique using isomorphic analysis to safeguard ICSs against FDI attacks. Isomorphic analysis involves comparing transmitted signals with their expected values, which are derived from mathematical models or isomorphic components. For a comprehensive defense mechanism, we incorporate three specific detectors: the control signal detector, the actuating signal detector, and the sensor reading detector. Designed to detect FDI attacks across various parts of the ICS, these detectors ensure the integrity of all transmitted signals throughout the physical control system. While the control signal detector adopts a threshold method, the other two rely on statistical approaches. If an attack is detected, the detectors can correct tampered signals before they reach downstream components, enhancing the system’s overall resilience and fault tolerance. The effectiveness of these detectors is supported by rigorous mathematical proofs. Moreover, our experimental findings further reveal the superiority of the isomorphic strategy over prior work in terms of detection rate, detection time delay, and system resilience.

automation & control systems,engineering, electrical & electronic, multidisciplinary,mathematics, interdisciplinary applications

Jun Yang,Chunjie Zhou,Shuanghua Yang,Haizhou Xu,Bowen Hu

DOI: https://doi.org/10.1109/tie.2017.2772190

IF: 7.7

2018-01-01

IEEE Transactions on Industrial Electronics

Abstract:A developing trend of traditional industrial systems is the integration of the cyber and physical domain to improve flexibility and the efficiency of supervision, management, and control. But, the deep integration of these industrial cyber-physical systems (ICPSs), increases the potential for security threats. Attack detection, which forms initial protective barrier, plays an important role in overall security protection. However, most traditional methods focused on cyber information and ignored any limitations that might arise from the characteristics of the physical domain. In this paper, an anomaly detection approach based on zone partition is designed for ICPSs. In detail, initially an automated zone partition method, ensuring crucial system states can be observed in more than one zone, is designed. Then, methods of building zone function model, which do not require any prior knowledge of the physical system are presented before analyzing the anomaly based on zone information. Finally, an experimental rig is constructed to verify the effectiveness of the proposed approach. The results demonstrate that the approach presents a high-accuracy solution, which also performs effectively in real time.

Shen Wang,An Huang,Zhongchuan Fu

DOI: https://doi.org/10.1007/978-981-10-6571-2_237

2018-01-01

Abstract:While the Industrial control system(ICS) is making great progress for the society, it is facing a huge security risk at the same time. There are some methods like upgrading system and updating patches to protect the ICS, but they are inevitable lagging behind anyway. Byte-level is useful for network intrusion detection and does not need knowledge of the device to be detected. Based on the network data in the industrial control system, we propose an adaptive DBSCAN clustering method for extracting the control instructions in the data packet, and then learning these instructions with the n-gram model. According to received instructions, we are able to predict the next possible instruction. Whether the system is being attacked can be recommended by comparing the instruction that we forecast with the real instruction. Experiments show that the behavior prediction has high accuracy.