Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Yanjie Li,Xiaoyu Ji,Chenggang Li,Xiaofeng Xu,Wei Yan,Xu Yan,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.1109/iceiec49280.2020.9152334

2020-01-01

Abstract:In recent years, artificial intelligence has been widely used in the field of network security, which has significantly improved the effect of network security analysis and detection. However, because the power industrial control system is faced with the problem of shortage of attack data, the direct deployment of the network intrusion detection system based on artificial intelligence is faced with the problems of lack of data, low precision, and high false alarm rate. To solve this problem, we propose an anomaly traffic detection method based on cross-domain knowledge transferring. By using the TrAdaBoost algorithm, we achieve a lower error rate than using LSTM alone.

Mayra Alexandra Macas Carrasco,Chunming Wu

DOI: https://doi.org/10.1109/icmla.2019.00212

2019-01-01

Abstract:Current Cyber-Physical Systems (CPSs) are sophisticated, complex, and equipped with networked sensors and actuators. As such, they have become further exposed to cyber-attacks. Recent catastrophic events have demonstrated that standard, human-based management of anomaly detection in complex systems is not efficient enough and have underlined the significance of automated detection, intelligent and rapid response. Nevertheless, existing anomaly detection frameworks usually are not capable of dealing with the dynamic and complicated nature of the CPSs. In this study, we introduce an unsupervised framework for anomaly detection based on an Attention-based Spatio-Temporal Autoencoder. In particular, we first construct statistical correlation matrices to characterize the system status across different time steps. Next, a 2D convolutional encoder is employed to encode the patterns of the correlation matrices, whereas an Attention-based Convolutional LSTM Encoder-Decoder (ConvLSTM-ED) is used to capture the temporal dependencies. More precisely, we introduce an input attention mechanism to adaptively select the most significant input features at each time step. Finally, the 2D convolutional decoder reconstructs the correlation matrices. The differences between the reconstructed correlation matrices and the original ones are used as indicators of anomalies. Extensive experimental analysis on data collected from all six stages of Secure Water Treatment (SWaT) testbed, a scaled-down version of a real-world industrial water treatment plant, demonstrates that the proposed model outperforms the state-of-the-art baseline techniques.

Wen Si,Jiang-Hai Li,Xiao-Jin Huang

DOI: https://doi.org/10.1007/978-981-15-1876-8_51

2020-01-01

Abstract:Anomaly detection is significant in the cyber security of industrial control systems. Unsupervised learning neural networks approach is applicable for the anomaly detection of industrial control systems. The large amount of network packets produced from systems every time are suitable source for training data acquisition. However, the packets contains many layers following different protocols. Thus, extracting effective features from packets will make sense. First the structure of a network packet is analyzed, and one packet is divided into two parts, the header part which includes layers following IT network protocols and the data part which includes layers following ICS protocols. Then IT network features are extracted from the header part. Third, the data part is processed by conversation correspondence and physical meaning reverting, so that industrial control features are extracted from this part. Finally, how to apply the extracted features in neural network approaches for ICS anomaly detection is discussed.

Ruochen Zhou,Zhiyun Wang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9347104

2020-01-01

Abstract:Programmable logic controller (PLC) is one of the critical infrastructure in industrial control system, which is therefore vulnerable to a variety of cyber-attacks. To mitigate this issue, we design an anomaly detection system, a novel non-invasive intrusion detection method for PLC. Our system utilizes the magnetic side-channel information around the power supply module of PLC and analyzes the running status rely on the fact that different programs will result in various magnetic characteristic. We design a classification algorithm which can extract representational features from the raw signal, as well as avoid the interference of environmental noise. To validate the idea, we design 3 types of attacks and implement on the prototype of thermal power plant in laboratory. The evaluation shows our system is feasible to detect attacks and achieve an overall detection accuracy above 90%.

Zhining Lv,Ziheng Hu,Baifeng Ning,Yu Sun,Gangfeng Yan,Xiasheng Shi

DOI: https://doi.org/10.1109/CAC48633.2019.8996440

2019-01-01

Abstract:Power industrial terminal is a complex system with high reliability and security. Traditional methods for detecting data anomalies of power industrial terminal fail to fully mine the data characteristics. And it has shortcomings such as complex calculation, poor flexibility and low accuracy. In order to solve the problem that it is difficult to predict the operational status of power industrial terminal accurately, a prediction method based on long-term memory (LSTM) neural network is proposed. Considering the variety of data reflecting the operating status of power industrial terminal, choose the ambient temperature system related to the operating status of power industrial terminal as a experiment object. Through experiments, the algorithm has higher prediction effect for the operating status of power industrial terminal.

Lu Chen,Tao Zhang,Yuanyuan Ma,Mu Chen

DOI: https://doi.org/10.1109/iist62526.2024.00098

2024-01-01

Abstract:With the increasing complexity, automation, and intelligence of network attacks, new types of attacks are constantly emerging in the network, posing great challenges to network attack detection and timely response based on prior rules. In order to more effectively and accurately identify abnormal traffic, a network abnormal traffic detection algorithm based on improved convolutional neural networks is proposed. The algorithm first inputs the key features of traffic anomaly monitoring, converts them into color images through visualization technology, extracts higher dimensional features, and then uses neural structure search technology to find a lightweight convolutional network structure with high accuracy and less time consumption. The optimal model is used to output the type of traffic anomaly. The results indicate that the algorithm has a higher accuracy and the shortest classification time for a single image.

Tao Yang,Weijie Hao,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.eswa.2023.120668

IF: 8.5

2023-01-01

Expert Systems with Applications

Abstract:Industrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system's security and reliability. However, existing research on network traffic anomaly detection for ICPS has several limitations. First, most traffic anomaly detection models focus on centralized detection. Thus, all traffic packets have to be uploaded to the control center for detection, which leads to a heavy traffic load. However, real-time and reliable communication is crucial to ICPSs. The heavy traffic load may cause communication delays or packets lost by corruption. Second, Seasonal AutoRegressive Integrated Moving Average (SARIMA) is popular in ICPS network traffic anomaly detection. However, most SARIMA-based detection models can only detect anomalous traffic once. Thus, they are unable to detect anomalies continuously and are not suitable for actual ICPS. Third, the features extracted from network traffic affect the classification performance. However, most existing feature extraction models cannot sufficiently extract traffic features, leading to poor detection performance. To address the limitations above, this paper proposes a cloud-edge coordinated network traffic anomaly detection approach. The proposed approach consists of a set of anomalous traffic alarm models deployed in the edge areas and an anomalous traffic analysis model deployed in the cloud. The former is implemented based on Improved Online SARIMA (IOSARIMA) algorithm that can detect anomalous traffic continuously and upload it to the cloud for further analysis, filtering massive normal traffic packets and making traffic load smaller. The anomalous traffic analysis model consists of a feature extraction algorithm and a Convolutional Neural Network (CNN) classifier, which can sufficiently extract traffic features and identify the attack types precisely. The proposed anomaly detection approach is extensively evaluated on a realistic ICPS testbed, including 3 edges (i.e., power generation, power transmission and power distribution) and a cloud consisting of an engineering workstation and a Supervisory Control And Data Acquisition (SCADA) workstation. The experimental results confirm the smaller traffic load and better detection performance, compared with the existing detection models.

Li Zhang,Zhuo Lv,Xuesong Zhang,Cen Chen,Nuannuan Li,Yidong Li,Wei Wang

DOI: https://doi.org/10.1007/978-3-030-36938-5_24

2019-01-01

Abstract:Industrial Control Systems (ICS) are the critical infrastructures of power grids. It is very important to monitor and control industrial equipment through the networks. Most ICSs currently used in smart grid contain IT key equipment and communication technologies to implement the communication and logic control functions. However, unlike traditional IT network traffic, these power-related industrial control systems have variety of proprietary protocols. Obviously, in typical complex systems the manually intensive processing of data is costly and sub-optimal. In this paper, we propose an novel traffic anomaly detection model for power ICS based on Multi-Head attention (MHA) method, in which the collected raw traffic was converted into the form of matrix. The MHA and Convolutional Neural Network (CNN) model were used to classify traffic data. We replace the traditional feature extraction and rule making process with an acceptable computational cost. The effectiveness of our approach is demonstrated by experiments on two real world power ICS testbeds: a power generation simulation platform based on a distributed control system (DCS) and a substation slave station. Comparing with some classical machine learning algorithms and Convolutional Neural Networks, the experimental results show that our MHA model outperforms the CNN-based and classical machine learning detection models with an accuracy rate of 99.86%.

Basem AL-Madani,Ahmad Shawahna,Mohammad Qureshi

DOI: https://doi.org/10.48550/arXiv.1911.05692

2019-11-02

Abstract:Industrial Control Networks (ICN) such as Supervisory Control and Data Acquisition (SCADA) systems are widely used in industries for monitoring and controlling physical processes. These industries include power generation and supply, gas and oil production and delivery, water and waste management, telecommunication and transport facilities. The integration of internet exposes these systems to cyber threats. The consequences of compromised ICN are determine for a country economic and functional sustainability. Therefore, enforcing security and ensuring correctness operation became one of the biggest concerns for Industrial Control Systems (ICS), and need to be addressed. In this paper, we propose an anomaly detection approach for ICN using the physical properties of the system. We have developed operational baseline of electricity generation process and reduced the feature set using greedy and genetic feature selection algorithms. The classification is done based on Support Vector Machine (SVM), k-Nearest Neighbor (k-NN), and C4.5 decision tree with the help from the inter-arrival curves. The results show that the proposed approach successfully detects anomalies with a high degree of accuracy. In addition, they proved that SVM and C4.5 produces accurate results even for high sensitivity attacks when they used with the inter-arrival curves. As compared to this, k-NN is unable to produce good results for low and medium sensitivity attacks test cases.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Systems and Control

Wenli Shang,Jiawei Qiu,Haotian Shi,Shuang Wang,Lei Ding,Yanjun Xiao

DOI: https://doi.org/10.1155/2024/5459452

IF: 8.993

2024-06-04

International Journal of Intelligent Systems

Abstract:Industrial control systems (ICSs), as critical national infrastructures, are increasingly susceptible to sophisticated security threats. To address this challenge, our study introduces the CAE‐T, a deep convolutional autoencoding transformer network designed for efficient anomaly detection and real‐time fault monitoring in ICS. The CAE‐T utilizes unsupervised deep learning, employing a convolutional autoencoder for spatial feature extraction from multidimensional time‐series data, and combines this with a transformer architecture to capture long‐term temporal dependencies. The design of the model facilitates rapid training and inference, while its dual‐component approach, utilizing an optimization function based on support vector data description (SVDD), enhances detection accuracy. This integration synergistically combines spatiotemporal feature extraction, significantly improving the robustness and precision of anomaly detection in ICS environments. The CAE‐T model demonstrated notable performance enhancements across three industrial control system datasets. Notably, the CAE‐T model achieved approximately a 70.8% increase in F1 score and a 9.2% rise in AUC on the WADI dataset. On the SWaT dataset, the model showed improvements of approximately 2.8% in F1 score and 5% in AUC. The power system dataset saw more modest gains, with an approximately 0.1% uptick in F1 score and a 1% increase in AUC. These improvements validate the CAE‐T model's efficacy and robustness in anomaly detection across various scenarios.

computer science, artificial intelligence

Yu-jun Xiao,Wen-yuan Xu,Zhen-hua Jia,Zhuo-ran Ma,Dong-lian Qi

DOI: https://doi.org/10.1631/fitee.1601540

2017-01-01

Abstract:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

Tohid Behdadnia,Geert Deconinck

DOI: https://doi.org/10.48550/arXiv.2209.08099

IF: 5.414

2022-09-16

Machine Learning

Abstract:In modern highly interconnected power grids, automatic generation control (AGC) is crucial in maintaining the stability of the power grid. The dependence of the AGC system on the information and communications technology (ICT) system makes it vulnerable to various types of cyber-attacks. Thus, information flow (IF) analysis and anomaly detection became paramount for preventing cyber attackers from driving the cyber-physical power system (CPPS) to instability. In this paper, the ICT network traffic rules in CPPSs are explored and the frequency domain features of the ICT network traffic are extracted, basically for developing a robust learning algorithm that can learn the normal traffic pattern based on the ResNeSt convolutional neural network (CNN). Furthermore, to overcome the problem of insufficient abnormal traffic labeled samples, transfer learning approach is used. In the proposed data-driven-based method the deep learning model is trained by traffic frequency features, which makes our model robust against AGC's parameters uncertainties and modeling nonlinearities.

Di Hu,Chen Zhang,Tao Yang,Gang Chen

DOI: https://doi.org/10.3390/s20216164

IF: 3.9

2020-10-29

Sensors

Abstract:Anomaly detection is of great significance in condition-based maintenance of power plant equipment. The conventional fixed threshold detection method is not able to perform early detection of equipment abnormalities. In this study, a general anomaly detection framework based on a long short-term memory-based autoencoder (LSTM-AE) network is proposed. A normal behavior model (NBM) is established to learn the normal behavior patterns of the operating variables of the equipment in space and time. Based on the similarity analysis between the NBM output distribution and the corresponding measurement distribution, the Mahalanobis distance (MD) is used to describe the overall residual (OR) of the model. The reasonable range is obtained using kernel density estimation (KDE) with a 99% confidence interval, and the OR is monitored to detect abnormalities in real-time. An induced draft fan is chosen as a case study. Results show that the established NBM has excellent accuracy and generalizability, with average root mean square errors of 0.026 and 0.035 for the training and test data, respectively, and average mean absolute percentage errors of 0.027%. Moreover, the abnormal operation case shows that the proposed framework can be effectively used for the early detection of abnormalities.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Kunihiko NABESHIMA,Tomoaki SUZUDO,Katsuo SUZUKI,Erdinç TÜRKCAN

DOI: https://doi.org/10.1080/18811248.1998.9733829

IF: 1.126

1998-02-01

Journal of Nuclear Science and Technology

Abstract:This paper addresses how to utilize artificial neural networks (ANNs) for detecting anomalies of nuclear power plants in operation. The basic principle of this methodology is to detect the anomaly with deviation between process signals measured from the actual plant and the corresponding output signals from the plant model, which is developed using three-layered auto-associative ANN; the auto-associativity has the advantage of detecting unknown plant conditions. A new learning technique adopted here compensates for the drawback of the conventional back-propagation algorithm, and is presented to make plant dynamic models on the ANN. The test results showed that this plant monitoring system is successful in detecting the symptoms of small anomalies in real-time over the wide power range including start-up, shut-down and steady state operations.

nuclear science & technology

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Yidong Li,Li Zhang,Zhuo Lv,Wei Wang

DOI: https://doi.org/10.1109/tits.2020.3018259

IF: 8.5

2021-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Safe and reliable intelligent charging stations are imperative in an intelligent transportation infrastructure. Over the past few years, a big number of smart charging stations have been deployed, and most of them are online and connected, resulting in potential risks of threats. Although there exists related work on securing intelligent vehicles, very little work focused on the security of charging devices. Unlike traditional network systems, these power-related Industrial Control Systems (ICSs) use many different proprietary protocols and diverse interactions. Traditional anomaly detection methods based on network traffic are thus not suitable for these systems. In this work, we propose an anomaly detection method in real vehicle power supply systems based on a deep architecture model. In particular, we propose a novel traffic anomaly detection model based on Multi-Head Attentions (MHA) that take into account the inherent correlations of traffic generated by ICSs. The MHA model is employed to substitute the traditional feature extraction and rule making process with an acceptable computational cost for classifying traffic data. It is an attention-based model that employs Google Transformer encoder architecture to extract recessive features of traffic for anomaly detection. The effectiveness of the model is demonstrated by experiments on two real-world power ICS testbeds including a substation with a slave charging station and a power generation simulation platform based on a distributed control system. Comprehensive experimental results indicate that the MHA model outperforms the Convolutional Neural Networks (CNN)-based and classical machine learning detection models with an accuracy rate of 99.86%.

engineering, electrical & electronic,transportation science & technology, civil

Serenje Macdonald,Mkandawire Mtende

DOI: https://doi.org/10.26634/jcom.11.4.20650

2024-01-01

Abstract:The rapid growth of network infrastructures and the increasing volume of data transmitted through them have led to a critical need for efficient and accurate anomaly detection systems in network transport. This paper proposes a novel anomaly detection system that utilizes machine learning techniques to identify abnormal patterns and deviations in network traffic. The proposed system follows a multi-layered approach, starting with the collection of network traffic data from various sources, including routers, switches, and gateways. The data is then preprocessed to extract relevant features and eliminate noise. Feature extraction is carried out using statistical, time-series, and flow-based analysis to capture the inherent characteristics of network communication. Machine learning algorithms, such as neural networks, or in this case, auto-encoders, will be trained to learn the patterns of normal network behavior and subsequently detect deviations from these patterns as anomalies. The system provides alerts and notifications to network administrators, allowing prompt investigation and response to potential security threats or network performance issues. It effectively differentiates between benign and malicious network activities, enabling network administrators to take proactive measures to secure their infrastructure and ensure uninterrupted communication.

Xuelei Wang,Colin Fidge,Ghavameddin Nourbakhsh,Ernest Foo,Zahra Jadidi,Calvin Li

DOI: https://doi.org/10.1109/access.2022.3142022

IF: 3.9

2022-01-01

IEEE Access

Abstract:In recent decades, cyber security issues in IEC 61850-compliant substation automation systems (SASs) have become growing concerns. Many researchers have developed various strategies to detect malicious behaviours of SASs during the system operational stage, such as anomaly-based detection. However, most existing anomaly-based detection methods identify an abnormal behaviour by checking every single network packet without any association. These traditional methods cannot effectively detect “stealthy” attacks which modify legitimate messages slightly while imitating patterns of benign behaviours. In this paper, we present feature selection and extraction methods to generalise and summarise critical features when detecting insider attacks triggering from untrusted control devices within SASs. By applying a sliding window-based sequential classification mechanism, our detection method can detect anomalies across multiple devices without the need to learn datasets collected from all devices. Firstly, to generalise critical features and summarise systems’ behaviours so that it is unnecessary to collect all datasets, we selected and extracted six critical network features from generic object-oriented substation events (GOOSE) messages and seven summarised physical features based on the general architecture of the primary plant of distribution substations. After that, to improve detection accuracy and reduce computational costs, we applied sliding window algorithms to divide datasets into different overlapped window-based snippets. Then we applied a sequential classification model based on Bidirectional Long Short-Term Memory networks to train and test those datasets. As a result, our method can detect insider attacks across multiple devices accurately with a false-negative rate of less than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.