Mengyao Fu,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9327246

2020-01-01

Abstract:In recent years, the network security problem of industrial control systems is very severe. It is particularly important to detect abnormal situations in the industrial control system network correctly and timely to avoid disasters in the physical world. This paper proposes a compound fuzzy clustering algorithm, taking TE process as the research object, to analyze its working mechanism and distinguish security threats it may encounter. Considering the coupling relationship between the production process unit in the industrial control system, fuzzy clustering is used for each process unit, which performs detection and comprehensive decision-making to obtain the final anomaly detection result. Experimental results show that the proposed compound fuzzy clustering algorithm can realize anomaly detection in industrial control systems.

Shangqing Cui,Dongqin Feng

DOI: https://doi.org/10.1109/icpeca56706.2023.10076096

2023-01-01

Abstract:With the application of Internet technologies in the industrial field, industrial control systems (ICS) have the possibility of suffering malicious network attacks. Because ICS is widely used in critical infrastructure, designing attack detection algorithms for it can effectively reduce losses. Many papers have built physical models for cyber-attacks against ICS and the corresponding detection algorithms have been proposed. However, the detection performance can be further improved. This paper establishes the simulation attack on the Tennessee Eastman (TE) process and proposes an improved support vector machine (SVM) method to detect integrity attacks. This algorithm uses contribution plots and recursive feature elimination to select features. Compared with the principal component analysis (PCA) feature extraction, the detection accuracy is improved. After adding system dynamics to the algorithm, the time to detect attacks is advanced.

Ying Liu,Dongqin Feng

DOI: https://doi.org/10.1109/iccasit48058.2019.8973161

2019-01-01

Abstract:Computer network technology has been increasingly infiltrated into the industrial control system and made the security problems more complex and changeable. Network security situation awareness technology can perceive the real-time threats that the network faced, and provide reliable basis for decision-making. This paper mainly focuses on the situation assessment and introduces finite state machine and fuzzy logic theory. Finite state machine can intuitively show the internal state transition of the industrial control system and detect the malicious packet attack's type and severity. Fuzzy logic balances the semantic fuzziness and event uncertainty in the process of situation assessment, fuses the output data of the state machine and obtains the threat level which is helpful for decision analysis. Proved, the method proposed in this paper can give a reasonable and accurate security assessment of industrial control system.

Jianxin Xu,Dongqin Feng

DOI: https://doi.org/10.1155/2017/2430835

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:This paper discusses two aspects of major risks related to the cyber security of an industrial control system (ICS), including the exploitation of the vulnerabilities of legitimate communication parties and the features abused by unauthorized parties. We propose a novel framework for exposing the above two types of risks. A state fusion finite state machine (SF-FSM) model is defined to describe multiple request-response packet pair sequence signatures of various applications using the same protocol. An inverted index of keywords in an industrial protocol is also proposed to accomplish fast state sequence matching. Then we put forward the concept of scenario reconstruction, using state sequence matching based on SF-FSM, to present the known vulnerabilities corresponding to applications of a specific type and version by identifying the packet interaction characteristics from the data flow in the supervisory control layer network. We also implement an anomaly detection approach to identifying illegal access using state sequence matching based on SF-FSM. An anomaly is asserted if none of the state sequence signatures in the SF-FSM is matched with a packet flow. Ultimately, an example based on industrial protocols is demonstrated by a prototype system to validate the methods of scenario reconstruction and anomaly detection.

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

PENG Yong,XIANG Chong,ZHANG Miao,CHEN Dongqing,GAO Haihui,XIE Feng,DAI Zhonghua

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2016.23.013

2016-01-01

Abstract:Industrial control systems (ICSs) are cyberphysical systems (CPSs) which supervise and control physical processes in critical infrastructure industries such as electric power,water treatment,oil & natural gas exploration,transportation,and chemical industry.Based on the observation of ICS'stable and persistent communication data flow control patterns,a concept and a methodology of ICS scenario fingerprinting were proposed which analyze industrial control protocol interactive behavior to represent ICS system-level normal behavior characteristics.ICS scenario fingerprint can identify unique ICS installation,while being used as a more generalized method to establish ICS systems'behavior benchmark and further being used to identify ICS systems'abnormal behavior.Experiments were made to validate the proposed viewpoint,which use real equipment for ICS cyber domain and use simulation for ICS physical domain.Experimental results demonstrate that ICS scenario fingerprinting technique provides ICS security research with a promising method.

Zhan-wei SONG,Rui-kang ZHOU,Ying-xu LAI,Ke-feng FAN,Xiang-zhen YAO,Lin LI,Wei LI

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.01.041

2018-01-01

Abstract:At present,the ICS network security has become a key problem in the field of information security.Detecting attacks,such as behavior data tampering attack and control program tampering attack,is a difficult problem of ICS network security.Therefore,this paper proposed an anomaly detection method based on behavior model.This method extracts the behavior data sequence from the industrial control network traffic.Then it constructs the normal behavior model according to the control process and the controlled process of ICS.At last,it determines whether an exception occurs by comparing and analyzing the behavior data extracted in real time and the behavior data predicted by the model.The experimental analysis shows that it can effectively detect behavior data tampering attack,control program tampering attack and so on.

Jianfeng Zou,Xueqi Jin,Lei Zhang,Yueqiang Wang,Bo Li

DOI: https://doi.org/10.1109/cse/euc.2019.00063

2019-01-01

Abstract:Industrial Control Security (ICS) plays an important role in protecting Industrial assets and processed from being tampered by attackers. Recent years witness the fast development of ICS technology. However there are still few real case study to verify the effectiveness of ICS approaches when dealing with ICS threats. In this paper, we provide a real case study in industrial environments. The case study demonstrates the attacking process of virus spread and worm propagation in industrial environments. The case study also shows how the anomaly detection techniques could be used to identify the bad behaviors of virus and help security administrators to enhance the security of industrial environments.

Jun Yang,Chunjie Zhou,Shuanghua Yang,Haizhou Xu,Bowen Hu

DOI: https://doi.org/10.1109/tie.2017.2772190

IF: 7.7

2018-01-01

IEEE Transactions on Industrial Electronics

Abstract:A developing trend of traditional industrial systems is the integration of the cyber and physical domain to improve flexibility and the efficiency of supervision, management, and control. But, the deep integration of these industrial cyber-physical systems (ICPSs), increases the potential for security threats. Attack detection, which forms initial protective barrier, plays an important role in overall security protection. However, most traditional methods focused on cyber information and ignored any limitations that might arise from the characteristics of the physical domain. In this paper, an anomaly detection approach based on zone partition is designed for ICPSs. In detail, initially an automated zone partition method, ensuring crucial system states can be observed in more than one zone, is designed. Then, methods of building zone function model, which do not require any prior knowledge of the physical system are presented before analyzing the anomaly based on zone information. Finally, an experimental rig is constructed to verify the effectiveness of the proposed approach. The results demonstrate that the approach presents a high-accuracy solution, which also performs effectively in real time.

Chunjie Zhou,Shuang Huang,Naixue Xiong,Shuang-Hua Yang,Huiyun Li,Yuanqing Qin,Xuan Li

DOI: https://doi.org/10.1109/TSMC.2015.2415763

2015-01-01

Abstract:Industrial process automation is undergoing an increased use of information communication technologies due to high flexibility interoperability and easy administration. But it also induces new security risks to existing and future systems. Intrusion detection is a key technology for security protection. However, traditional intrusion detection systems for the IT domain are not entirely suitable for industrial process automation. In this paper, multiple models are constructed by comprehensively analyzing the multidomain knowledge of field control layers in industrial process automation, with consideration of two aspects: physics and information. And then, a novel multimodel-based anomaly intrusion detection system with embedded intelligence and resilient coordination for the field control system in industrial process automation is designed. In the system, an anomaly detection based on multimodel is proposed, and the corresponding intelligent detection algorithms are designed. Furthermore, to overcome the disadvantages of anomaly detection, a classifier based on an intelligent hidden Markov model, is designed to differentiate the actual attacks from faults. Finally, based on a combination simulation platform using optimized performance network engineering tool, the detection accuracy and the real-time performance of the proposed intrusion detection system are analyzed in detail. Experimental results clearly demonstrate that the proposed system has good performance in terms of high precision and good real-time capability.

Chenghua Tang,Pengcheng Liu,Shensheng Tang,Xie and

DOI: https://doi.org/10.7544/issn1000-1239.2015.20130601

2015-01-01

Journal of Computer Research and Development

Abstract:The behaviors of network attack connection are always changeable and complex .Typical behavior mining methods ,which always do using traditional clustering ,do not fit in with constructing anomaly intrusion detection model .According to the characteristics of network attacks ,the anomaly intrusion detection model based on fuzzy clustering and features selection are proposed .Firstly ,the results that the fuzzy C‐means clustering algorithm is sensitive to the initial cluster centers is improved using hierarchical clustering algorithm ,the disadvantage that FCM is easy to fall into local optimum in the iteration is overcome using the global search ability of genetic algorithm ,and they are combined into a AGFCM algorithm .Secondly ,the feature attribute data sets of network attack connection are sorted through the information gain algorithm .The capacity of feature attributes is determined by using the Youden index to cut the data sets at the same time .Lastly ,the anomaly intrusion detection model is built by using the attribute data sets dimensionality reduction and improved FCM clustering algorithm .Experimental results show that the anomaly intrusion detection model can effectively detect the vast majority of network attack types ,which provides a feasible solution for solving the problems of false alarm rate and detection rate in anomaly intrusion detection model .

Jun Zhao,Kai Liu,Wei Wang,Ying Liu

DOI: https://doi.org/10.1016/j.ins.2013.05.018

IF: 8.1

2014-01-01

Information Sciences

Abstract:The accuracy of the acquired data is very significant for the decision-making process for the purpose of the safety and reliability of the energy system in steel industry. However, owing to the instability and vulnerability of industrial system of supervisory control and data acquisition (SCADA), the anomaly data usually exist in practice. In this study, considering the data feature of the energy system, we classify the anomalies as the trend anomaly for the pseudo-periodic data and the deviants for the generic data. As for the trend anomaly, a dynamic time warping (DTW) based method combining with adaptive fuzzy C means (AFCM) is proposed by referencing the similar industrial processes; while, as for the deviants detection, a k-nearest neighbor AFCM algorithm (KNN-AFCM) is designed here for the local anomaly detection for the generic data. To verify the effectiveness of the proposed method, the real-world energy data coming from a steel plant are employed to perform the experiments, and the results indicate that the proposed method exhibits a higher precision compared to the other methods for the anomaly detection.

Basem AL-Madani,Ahmad Shawahna,Mohammad Qureshi

DOI: https://doi.org/10.48550/arXiv.1911.05692

2019-11-02

Abstract:Industrial Control Networks (ICN) such as Supervisory Control and Data Acquisition (SCADA) systems are widely used in industries for monitoring and controlling physical processes. These industries include power generation and supply, gas and oil production and delivery, water and waste management, telecommunication and transport facilities. The integration of internet exposes these systems to cyber threats. The consequences of compromised ICN are determine for a country economic and functional sustainability. Therefore, enforcing security and ensuring correctness operation became one of the biggest concerns for Industrial Control Systems (ICS), and need to be addressed. In this paper, we propose an anomaly detection approach for ICN using the physical properties of the system. We have developed operational baseline of electricity generation process and reduced the feature set using greedy and genetic feature selection algorithms. The classification is done based on Support Vector Machine (SVM), k-Nearest Neighbor (k-NN), and C4.5 decision tree with the help from the inter-arrival curves. The results show that the proposed approach successfully detects anomalies with a high degree of accuracy. In addition, they proved that SVM and C4.5 produces accurate results even for high sensitivity attacks when they used with the inter-arrival curves. As compared to this, k-NN is unable to produce good results for low and medium sensitivity attacks test cases.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Systems and Control

Ying-xu LAI,Jiao JIAO

DOI: https://doi.org/10.11936/bjutxb2014040009

2015-01-01

Abstract:To improve the detecting accuracy of malicious traffic in industrial control systems ( ICS) , an innovative approach based on structural time series model is proposed. Industrial Ethernet traffic can be decomposed into four components. Each component is established by a state space model respectively, which brings out high fitting precision. Therefore compared with X-12, the average positive rate of this method increases by 38%. In the meanwhile, this method provides a way to decrease false positive rate and time complexity.

Chenghua Tang,Yang Xiang,Yu Wang,Junyan Qian,Baohua Qiang

DOI: https://doi.org/10.1002/sec.1547

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Anomaly detection as a kind of intrusion detection is good at detecting the unknown attacks or new attacks, and it has attracted much attention during recent years. In this paper, a new hierarchy anomaly intrusion detection model that combines the fuzzy c-means FCM based on genetic algorithm and SVM is proposed. During the process of detecting intrusion, the membership function and the fuzzy interval are applied to it, and the process is extended to soft classification from the previous hard classification. Then a fuzzy error correction sub interval is introduced, so when the detection result of a data instance belongs to this range, the data will be re-detected in order to improve the effectiveness of intrusion detection. Experimental results show that the proposed model can effectively detect the vast majority of network attack types, which provides a feasible solution for solving the problems of false alarm rate and detection rate in anomaly intrusion detection model. Copyright © 2016 John Wiley & Sons, Ltd.

Huazan Liu,Zhenzhou Ji,Chong Li,Kaikai Li

DOI: https://doi.org/10.1109/ICCEA58433.2023.10135289

2023-01-01

Abstract:As the development of the Internet of Things, industrial control network security issues have become more prominent. Anomaly detection technology is an important detection technology for ensuring the network security of industrial control systems, which can issue alarms and block responses before the system is compromised. However, most models currently suffer from problems such as low detection rate, high false positive rate, and inability to locate the anomalies. To address these issues, this paper proposes a multidimensional feature and spectral residual-based industrial control time series anomaly detection method (SRMCAD) to improve the accuracy of anomaly detection while reducing the false positive rate. First, this paper applies the spectral residual method to multidimensional time series anomaly detection in the industrial control domain, and uses the residual data obtained by spectral residual processing instead of the original data as input to the model. Secondly, to address the problem of imprecise device attack localization and high false positive rate in existing industrial control anomaly detection models, this paper designs and implements an industrial control anomaly detection model based on an encoding-decoding architecture, incorporating the idea of system state modeling and using the Mahalanobis distance as the loss function. Experimental results show that SRMCAD has significant advantages over current advanced methods.

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Xinchen Zhang,Zhihan Jiang,Yulong Ding,Edith C.H. Ngai,Shuang-Hua Yang

DOI: https://doi.org/10.1016/j.jfranklin.2024.107000

IF: 4.246

2024-09-01

Journal of the Franklin Institute

Abstract:As the Industrial Internet-of-Things (IIoT) evolves, a growing number of industrial control systems (ICSs) are connecting to the Internet, making them more vulnerable to malicious attacks. This paper addresses the detection of false data injection (FDI) attacks, a prevalent threat to open ICSs. We introduce an innovative anomaly detection technique using isomorphic analysis to safeguard ICSs against FDI attacks. Isomorphic analysis involves comparing transmitted signals with their expected values, which are derived from mathematical models or isomorphic components. For a comprehensive defense mechanism, we incorporate three specific detectors: the control signal detector, the actuating signal detector, and the sensor reading detector. Designed to detect FDI attacks across various parts of the ICS, these detectors ensure the integrity of all transmitted signals throughout the physical control system. While the control signal detector adopts a threshold method, the other two rely on statistical approaches. If an attack is detected, the detectors can correct tampered signals before they reach downstream components, enhancing the system’s overall resilience and fault tolerance. The effectiveness of these detectors is supported by rigorous mathematical proofs. Moreover, our experimental findings further reveal the superiority of the isomorphic strategy over prior work in terms of detection rate, detection time delay, and system resilience.

automation & control systems,engineering, electrical & electronic, multidisciplinary,mathematics, interdisciplinary applications

Y Feng,KG Wu,ZF Wu,J Zhong,H Li

DOI: https://doi.org/10.1142/9789812701534_0110

2005-01-01

Abstract:A clustering algorithm based on swarm intelligence is systematically proposed for anomaly intrusion detection. The basic idea of our approach is to produce the cluster by swarm intelligence-based clustering. Instead of using the linear segmentation function of the CSI model, here we propose to use a nonlinear probability conversion function and can help to solve linearly inseparable problems. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach can settle these problems effectively. The experiment result shows that out approach can detect unknown intrusions efficiently in the real network connections.

Xuelei Wang,Colin Fidge,Ghavameddin Nourbakhsh,Ernest Foo,Zahra Jadidi,Calvin Li

DOI: https://doi.org/10.1109/access.2022.3142022

IF: 3.9

2022-01-01

IEEE Access

Abstract:In recent decades, cyber security issues in IEC 61850-compliant substation automation systems (SASs) have become growing concerns. Many researchers have developed various strategies to detect malicious behaviours of SASs during the system operational stage, such as anomaly-based detection. However, most existing anomaly-based detection methods identify an abnormal behaviour by checking every single network packet without any association. These traditional methods cannot effectively detect “stealthy” attacks which modify legitimate messages slightly while imitating patterns of benign behaviours. In this paper, we present feature selection and extraction methods to generalise and summarise critical features when detecting insider attacks triggering from untrusted control devices within SASs. By applying a sliding window-based sequential classification mechanism, our detection method can detect anomalies across multiple devices without the need to learn datasets collected from all devices. Firstly, to generalise critical features and summarise systems’ behaviours so that it is unnecessary to collect all datasets, we selected and extracted six critical network features from generic object-oriented substation events (GOOSE) messages and seven summarised physical features based on the general architecture of the primary plant of distribution substations. After that, to improve detection accuracy and reduce computational costs, we applied sliding window algorithms to divide datasets into different overlapped window-based snippets. Then we applied a sequential classification model based on Bidirectional Long Short-Term Memory networks to train and test those datasets. As a result, our method can detect insider attacks across multiple devices accurately with a false-negative rate of less than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic