Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Lai Yingxu,Jiao,Liu Jing

DOI: https://doi.org/10.1109/isads.2015.28

2015-01-01

Abstract:With the growing demand of location-independent access to Industrial Control Systems (ICS), anomaly detection scheme for industrial Ethernet which highly satisfied with demanding real-time and reliable industrial applications becomes one of the problems in ICS. In this paper, we present an innovative approach to build a traffic model based on structural time series model. Basic structural model which decomposes time series into four factors is established by the stationary analysis of industrial traffic. Parameters in the model are identified by state space model which is conducted from the training sequence using standard Kalman filter recursions and EM algorithm. Furthermore, performance of state space model is evaluated by the experimental comparative results that confirm significant improvement in detection accuracy and the validity of abnormal data localization.

Ying-xu LAI,Jiao JIAO

DOI: https://doi.org/10.11936/bjutxb2014040009

2015-01-01

Abstract:To improve the detecting accuracy of malicious traffic in industrial control systems ( ICS) , an innovative approach based on structural time series model is proposed. Industrial Ethernet traffic can be decomposed into four components. Each component is established by a state space model respectively, which brings out high fitting precision. Therefore compared with X-12, the average positive rate of this method increases by 38%. In the meanwhile, this method provides a way to decrease false positive rate and time complexity.

Li Zhang,Zhuo Lv,Xuesong Zhang,Cen Chen,Nuannuan Li,Yidong Li,Wei Wang

DOI: https://doi.org/10.1007/978-3-030-36938-5_24

2019-01-01

Abstract:Industrial Control Systems (ICS) are the critical infrastructures of power grids. It is very important to monitor and control industrial equipment through the networks. Most ICSs currently used in smart grid contain IT key equipment and communication technologies to implement the communication and logic control functions. However, unlike traditional IT network traffic, these power-related industrial control systems have variety of proprietary protocols. Obviously, in typical complex systems the manually intensive processing of data is costly and sub-optimal. In this paper, we propose an novel traffic anomaly detection model for power ICS based on Multi-Head attention (MHA) method, in which the collected raw traffic was converted into the form of matrix. The MHA and Convolutional Neural Network (CNN) model were used to classify traffic data. We replace the traditional feature extraction and rule making process with an acceptable computational cost. The effectiveness of our approach is demonstrated by experiments on two real world power ICS testbeds: a power generation simulation platform based on a distributed control system (DCS) and a substation slave station. Comparing with some classical machine learning algorithms and Convolutional Neural Networks, the experimental results show that our MHA model outperforms the CNN-based and classical machine learning detection models with an accuracy rate of 99.86%.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

Yingxu Lai,Zenghui Liu,Zhanwei Song,Yusheng Wang,Yiwei Gao

DOI: https://doi.org/10.1016/j.simpat.2016.01.013

IF: 4.199

2016-01-01

Simulation Modelling Practice and Theory

Abstract:With the ever growing demand of location-independent access to Autonomous Decentralized Systems (ADS), anomaly detection scheme for industrial Ethernet, which highly is satisfied with demanding real-time and reliable industrial applications, becomes one of the most pressing subjects in ADS. In this paper, we present an innovative approach to build a traffic model based on structural time series model for a chemical industry system. A basic structural model that decomposes time series into four items is established by the stationary analysis of industrial traffic. Parameters in the model are identified by the state space model, which is conducted from the training sequence using standard Kalman filter recursions and the EM algorithm. Furthermore, the performance of state space model is evaluated by the experimental results that confirm significant improvement in detection accuracy and the validity of abnormal data localization.

Ming Wan,Jiangyuan Yao,Yuan Jing,Xi Jin

DOI: https://doi.org/10.3970/cmc.2018.02195

2018-01-01

Abstract:As the main communication mediums in industrial control networks, industrial communication protocols are always vulnerable to extreme exploitations, and it is very difficult to take protective measures due to their serious privacy. Based on the SDN (Software Defined Network) technology, this paper proposes a novel event-based anomaly detection approach to identify misbehaviors using non-public industrial communication protocols, and this approach can be installed in SDN switches as a security software appliance in SDN-based control systems. Furthermore, aiming at the unknown protocol specification and message format, this approach first restructures the industrial communication sessions and merges the payloads from industrial communication packets. After that, the feature selection and event sequence extraction can be carried out by using the N-gram model and K-means algorithm. Based on the obtained event sequences, this approach finally trains an event-based HMM (Hidden Markov Model) to identify aberrant industrial communication behaviors. Experimental results clearly show that the proposed approach has obvious advantages of classification accuracy and detection efficiency.

Yingjie Zhou,Guangmin Hu,Weisong He

DOI: https://doi.org/10.1109/icccas.2009.5250514

2009-01-01

Abstract:Comprehensive collection and accurate description of traffic information are core problems in network traffic anomaly detection. Aiming at the lack of traffic anomaly detection in analyzing multi-time series, we propose a network traffic anomaly detection method based on graph mining. Our method accurately and completely describes the relationships among multi-time series which are used in traffic anomaly detection by time-series graph; by means of the support count of the patterns, our method mines all the frequent patterns,which is conducive to detecting many kinds of abnormal traffic effectively; through mining the relationships among all itemsets, our method introduces weight coefficients of the itemsets, which is able to solve relationship quantification issues of multi-time series in traffic anomaly detection. The simulation results show that the proposed method can effectively detect the network traffic anomaly and achieve a higher accuracy than the CWT-based (Continuous Wavelet Transform-based) method in term of DDos attacks detection.

Limengwei Liu,Modi Hu,Chaoqun Kang,Xiaoyong Li

DOI: https://doi.org/10.3390/info11020105

2020-01-01

Information

Abstract:The development and integration of information technology and industrial control networks have expanded the magnitude of new data; detecting anomalies or discovering other valid information from them is of vital importance to the stable operation of industrial control systems. This paper proposes an incremental unsupervised anomaly detection method that can quickly analyze and process large-scale real-time data. Our evaluation on the Secure Water Treatment dataset shows that the method is converging to its offline counterpart for infinitely growing data streams.

Haiyan Lan,Xiaodong Zhu,Jianguo Sun,Sizhao Li

DOI: https://doi.org/10.1109/dsa.2019.00067

2020-01-01

Abstract:Industrial Control Systems (ICS) are widely used in critical infrastructure in industries such as power, rail transit, and water conservancy. As the connection between the corporate network and the Internet continues to increase, the industrial control system has gradually become the target of hackers, which constantly threaten the personal safety of citizens. The Man-inthe-Middle (MITM) attack is one of the most famous attacks in the field of computer security. Once being used in the factory control network, it will not only cause data leakage, but also control the core industrial component PLC and cause serious security accidents. This paper proposes a method for classifying network traffic data in industrial control system to detect MITM attacks. In the simulation experiment, the method can identify normal and abnonnal data packets that have been tampered by the MITM, and the classification accuracy is up to 99.74%.

Bin Wang,Jianye Zhang,Cheng Luo,Ling Yang,Jia Chen,Haibo Ma

DOI: https://doi.org/10.1109/itoec53115.2022.9734439

2022-03-04

Abstract:With the continuous and in-depth development of smart grid construction, the degree of automation of the power system is rapidly increasing, and the number of grid sensors, the scale of information network and the number of decision-making units have greatly increased. The network security of the power industry control system is facing severe challenges. This paper studies the in-depth analysis technology of real-time interactive protocols of power industrial control systems, captures data packets and analyzes the data packets layer by layer to obtain application layer field data streams, and realizes in-depth analysis of power industrial control system protocols such as IEC104 protocol and IEC61850 protocol. Research on anomaly detection technology of power industrial control system real-time interaction process based on feature matching, and realize the detection of abnormal behaviors of terminals, networks, and host devices through syntactic and semantic analysis and business command analysis, as well as the detection of regular network attack behaviors such as malicious code and virus Trojan horses.

Wen Si,Jiang-Hai Li,Xiao-Jin Huang

DOI: https://doi.org/10.1007/978-981-15-1876-8_51

2020-01-01

Abstract:Anomaly detection is significant in the cyber security of industrial control systems. Unsupervised learning neural networks approach is applicable for the anomaly detection of industrial control systems. The large amount of network packets produced from systems every time are suitable source for training data acquisition. However, the packets contains many layers following different protocols. Thus, extracting effective features from packets will make sense. First the structure of a network packet is analyzed, and one packet is divided into two parts, the header part which includes layers following IT network protocols and the data part which includes layers following ICS protocols. Then IT network features are extracted from the header part. Third, the data part is processed by conversation correspondence and physical meaning reverting, so that industrial control features are extracted from this part. Finally, how to apply the extracted features in neural network approaches for ICS anomaly detection is discussed.

Wenming Mei,Wei Liu,Jianfei Chen,Ke Li

DOI: https://doi.org/10.1145/3650400.3650508

2023-01-01

Abstract:With the development of industry, industrial control systems are widely used in critical infrastructures. As one of the most significant components, the industrial terminals include Programmable Logic Controller, Distributed Control Systems, Remote Terminal Unit, and etc. Attacks against industrial terminals can cause catastrophic damage since they are directly related to business in the field. Unfortunately, traditional protection methods, such as intrusion detection systems and antivirus software, are not applicable to industrial terminals which are resource-constrained. In this paper, we propose an anomaly detection method for industrial controllers based on physical signals. The basic idea is to detect abnormal execution in a industrial terminal through analyzing its physical signals, including system power consumption and CPU usage. To effectively analyze the physical signals, a Transformer-based neural network is trained on the time series dataset to predict the next normal physical signals. The abnormal execution is detected by comparing the predicted signals and actual ones. We evaluate the proposed method on a real world dataset collected from a smart grid terminal, and the results show that the detection accuracy is over 97%.

Tirthankar Ghosh,Sikha Bagui,Subhash Bagui,Martin Kadzis,Jackson Bare

DOI: https://doi.org/10.3390/jcp3040041

2023-12-01

Journal of Cybersecurity and Privacy

Abstract:This article presents a statistical approach using entropy and classification-based analysis to detect anomalies in industrial control systems traffic. Several statistical techniques have been proposed to create baselines and measure deviation to detect intrusion in enterprise networks with a centralized intrusion detection approach in mind. Looking at traffic volume alone to find anomalous deviation may not be enough—it may result in increased false positives. The near real-time communication requirements, coupled with the lack of centralized infrastructure in operations technology and limited resources of the sensor motes, require an efficient anomaly detection system characterized by these limitations. This paper presents extended results from our previous work by presenting a detailed cluster-based entropy analysis on selected network traffic features. It further extends the analysis using a classification-based approach. Our detailed entropy analysis corroborates with our earlier findings that, although some degree of anomaly may be detected using univariate and bivariate entropy analysis for Denial of Service (DOS) and Man-in-the-Middle (MITM) attacks, not much information may be obtained for the initial reconnaissance, thus preventing early stages of attack detection in the Cyber Kill Chain. Our classification-based analysis shows that, overall, the classification results of the DOS attacks were much higher than the MITM attacks using two Modbus features in addition to the three TCP/IP features. In terms of classifiers, J48 and random forest had the best classification results and can be considered comparable. For the DOS attack, no resampling with the 60–40 (training/testing split) had the best results (average accuracy of 97.87%), but for the MITM attack, the 80–20 non-attack vs. attack data with the 75–25 split (average accuracy of 82.81%) had the best results.

computer science, information systems, interdisciplinary applications, software engineering

Ming Wan,Yan Song,Yuan Jing,Junlu Wang

DOI: https://doi.org/10.1155/2018/5103270

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Function control, which is an essential link in industrial automation, is undergoing a growing integration with ICTs (Information Communication Technologies) because of the flexible manufacturing and convenient interoperability in CPSs (Cyber-Physical Systems). However, it has also brought the increasing dangers of cyberattacks caused by malicious or intentional industrial process control exploitations. In order to effectively detect these cyber intrusions and anomalies, this paper proposes a function-aware anomaly detection approach based on WNN (Wavelet Neural Network), which perceives the abnormal function control changes in industrial control communication. By appropriately extracting the time-related function control characteristics from industrial communication packets, this approach builds an optimized wavelet neural network to model the normal function control behaviors and calculates the detection threshold to differentiate the aberrant industrial process control activities. Additionally, a real-world control system, whose communication protocol is Modbus/TCP, is simulated to furnish the analyzed function control data. According to the experimental results, we fully demonstrate this approach has the fine detection accuracy and adequate real-time capability.

Dingde Jiang,Yang Han,Xingwei Wang,Zhengzheng Xu

2010-01-01

Abstract:Traffic anomalies are abnormal changes in network traffic. There are many causes of resulting in traffic anomaly changes, including network fault, abuse, network attack and so on. This paper proposes a novel method for detecting traffic anomalies in a network. Firstly, all Origin-Destination (OD) flows in the network are grouped with accordance with common destination nodes. We then make time-frequency analysis for each group and extract their high frequency component. Based on the extracted high frequency signal, correlation coefficients of each OD flow against the other in a group are computed. Consequently, we can make the exact anomaly detection. Simulation results show that our approach is effective and promising.

Tian Jianwei,Yu Zongchao,Liu Li,Wu Weidong,Zhu Hongyu,Liu Xuan

DOI: https://doi.org/10.1051/e3sconf/202126002005

2021-01-01

E3S Web of Conferences

Abstract:Smart Substation becomes more vulnerable to cyber attacks due to the high integration of information technologies, so it is essential to detect intrusion behaviour by abnormal traffic analysis in smart substations. Although there have been many detection methods for abnormal traffic, the existing ones all focus on the format check of a single field of the industrial transmission protocol, and ignore the deep coupling relationships among multiple protocol fields, which lead to more or less false detections and missed detections. To overcome this problem and further improve the detection accuracy, in this paper, we propose an abnormal traffic detection method based on the coupling field extraction and the density-based spatial clustering of applications with noise (DBSCAN). By using correlation analysis to extract the coupling fields of the protocol fields and using DBSCAN to remove the noise in the coupling fields, the deep coupling relationship between the coupling fields can be mined by the piecewise linear function fitting method, and used to detect abnormal traffic. The simulation results on 10,000 frames traffic prove that the proposed detection method can effectively identify the abnormal traffic.

Long Xu,Wei Xiong,Minghao Zhou,Lei Chen

DOI: https://doi.org/10.3390/sym14010124

2022-01-01

Symmetry

Abstract:Dynamic traffic monitoring is a critical part of industrial communication network cybersecurity, which can be used to analyze traffic behavior and identify anomalies. In this paper, industrial networks are modeled by a dynamic fluid-flow model of TCP behavior. The model can be described as a class of systems with unmeasurable states. In the system, anomalies and normal variants are represented by the queuing dynamics of additional traffic flow (ATF) and can be considered as a disturbance. The novel contributions are described as follows: (1) a novel continuous terminal sliding-mode observer (TSMO) is proposed for such systems to estimate the disturbance for traffic monitoring; (2) in TSMO, a novel output injection strategy is proposed using the finite-time stability theory to speed up convergence of the internal dynamics; and (3) a full-order sliding-mode-based mechanism is developed to generate a smooth output injection signal for real-time estimations, which is directly used for anomaly detection. To verify the effectiveness of the proposed approach, the real traffic profiles from the Center for Applied Internet Data Analysis (CAIDA) DDoS attack datasets are used.

Qian Wang,He Chen,Yonghui Li,Branka Vucetic

DOI: https://doi.org/10.1109/iciai.2019.8850828

2019-01-01

Abstract:The convergence of operation technology (OT) and information and communication technology (ICT) in industrial control networks presents new challenges for anomaly detection algorithms. Machine learning has achieved great success over the past few years, which has also been considered as one of the popular solutions for anomaly detection in industrial control networks. In this paper, we survey the recent work on anomaly detection for industrial control networks exploiting machine learning techniques. We first summarize major differences between OT and ICT and analyze the corresponding advantages and disadvantages for anomaly detection. Based on the features of the industrial control networks, existing work are classified into data-based learning and industrial network-specified learning methods. We analyze the pros and cons of these two learning methods. We finally point out the promising future work within this research area.

Zishuai Cheng,Baojiang Cui,Junsong Fu

DOI: https://doi.org/10.3390/app13053244

2023-01-01

Abstract:Anomaly detection has been proven to be an efficient way to detect malicious behaviour and cyberattacks in industrial cyber–physical systems (ICPSs). However, most detection models are not entirely adapted to the real world as they require intensive computational resources and labelled data and lack interpretability. This study investigated the traffic behaviour of a real coal mine system and proposed improved features to describe its operation pattern. Based on these features, this work combined the basic deterministic finite automaton (DFA) and normal distribution (ND) models to build an unsupervised anomaly detection model, which uses a hierarchical structure to pursue interpretability. To demonstrate its capability, this model was evaluated on real traffic and seven simulated attack types and further compared with nine state-of-the-art works. The evaluation and comparison results show that the proposed method achieved a 99% F1-score and is efficient in detecting sophisticated attacks. Furthermore, it achieved an average 17% increase in precision and a 12% increase in F1-Score compared to previous works. These results confirm the advantages of the proposed method. The work further suggests that future works should investigate operation pattern features rather than pursuing complex algorithms.