Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Jianxin Xu,Dongqin Feng

DOI: https://doi.org/10.1155/2017/2430835

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:This paper discusses two aspects of major risks related to the cyber security of an industrial control system (ICS), including the exploitation of the vulnerabilities of legitimate communication parties and the features abused by unauthorized parties. We propose a novel framework for exposing the above two types of risks. A state fusion finite state machine (SF-FSM) model is defined to describe multiple request-response packet pair sequence signatures of various applications using the same protocol. An inverted index of keywords in an industrial protocol is also proposed to accomplish fast state sequence matching. Then we put forward the concept of scenario reconstruction, using state sequence matching based on SF-FSM, to present the known vulnerabilities corresponding to applications of a specific type and version by identifying the packet interaction characteristics from the data flow in the supervisory control layer network. We also implement an anomaly detection approach to identifying illegal access using state sequence matching based on SF-FSM. An anomaly is asserted if none of the state sequence signatures in the SF-FSM is matched with a packet flow. Ultimately, an example based on industrial protocols is demonstrated by a prototype system to validate the methods of scenario reconstruction and anomaly detection.

Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Geng-hong LU,Dong-qin FENG

DOI: https://doi.org/10.13195/j.kzyjc.2016.0551

2017-01-01

Abstract:The attacks against the industrial control network have different types and various attack intensity. Under this circumstance, the traditional detection techniques cannot identify the multiple types of attacks effectively, and can not assess the security situations of the industrial control network comprehensively and accurately. Therefore, the industrial control network security situation awareness model is proposed. Firstly, the rule extraction can be done by applying the improved C-SVC algorithm to the multi-sensor data. Then with the application of decision fusion algorithm, the decision-level fusion is completed and the results of situation awareness are procured. The simulation experiment results show that the proposed model and algorithms can distinguish multiple types of attacks effectively, identify the attacks that are launched against the industrial control system accurately, and generate the results of situation awareness.

Shangqing Cui,Dongqin Feng

DOI: https://doi.org/10.1109/icpeca56706.2023.10076096

2023-01-01

Abstract:With the application of Internet technologies in the industrial field, industrial control systems (ICS) have the possibility of suffering malicious network attacks. Because ICS is widely used in critical infrastructure, designing attack detection algorithms for it can effectively reduce losses. Many papers have built physical models for cyber-attacks against ICS and the corresponding detection algorithms have been proposed. However, the detection performance can be further improved. This paper establishes the simulation attack on the Tennessee Eastman (TE) process and proposes an improved support vector machine (SVM) method to detect integrity attacks. This algorithm uses contribution plots and recursive feature elimination to select features. Compared with the principal component analysis (PCA) feature extraction, the detection accuracy is improved. After adding system dynamics to the algorithm, the time to detect attacks is advanced.

Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1109/tie.2020.2965467

IF: 7.7

2021-01-01

IEEE Transactions on Industrial Electronics

Abstract:The problem of attack detection for Stuxnet in the industrial control system is discussed in this article. Different operating modes (normal and hazard modes) may occur in the nominal process. In this article, we consider that the transition between different modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, the attack signals with random multitude and frequency will be injected to trigger more hazard modes, and finally, hasten fatigue of control devices. Under this unpredictable attack, the transition between operating modes will not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is utilized to describe the Stuxnet attack. The transition probabilities are estimated based on the measurements. By recognizing operating modes and predicting the number of the occurrence of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters considering random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method.

Ruiwen He,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9346835

2020-01-01

Abstract:With the development of information technology and Power Internet of Things, the increasing number of networked terminals presents new network security threats. Industrial control equipment and systems have vulnerabilities in hardware, software and firmware, and advanced persistent threat against ICS has become more complex and diverse. However, most of the research are aimed at the detection of single vulnerability, and lack attack mechanism analysis and threat assessment for attack chain. We proposed a threat assessment method based on vulnerability descriptive text and described the attributes of attack samples according to the classification results in attack targets, methods and consequences. We constructed attack graphs based on attack sample attributes and cyber-physical topology to quantitatively evaluate the feasibility and benefits of each attack path from vulnerability capabilities and the impact of devices in the physical world. Finally, we took the substation device status monitoring system as an example to verify the feasibility of this method.

Chuan Sheng,Yu Yao,Qiang Fu,Wei Yang

DOI: https://doi.org/10.1016/j.comnet.2020.107677

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>Supervisory Control and Data Acquisition (SCADA) systems are becoming increasingly susceptible to the sophisticated and targeted cyber attacks which are typically carried out by exploiting the vulnerabilities of industrial control devices or protocols. However, most of the existing network intrusion detection methods only focus on detecting and characterizing cyber attacks against the SCADA system, but cannot fully describe their real impact on the system. In this paper, we propose a cyber-physical model for the SCADA system to detect intrusions from the SCADA network and evaluate their risk levels against the industrial process. The model aims at characterizing the network structure and industrial process of the SCADA system through extracting and correlating the communication patterns and states of ICS devices. And any violation of the model is considered abnormal behavior, which can be caused by false operation or network attacks. Through associating network intrusions with the status of the SCADA system, a risk assessment method is proposed to estimate the potential damage degree of the attack on the system, which provides network administrators with richer information about network attacks. Moreover, the comprehensive performance evaluation conducted on public SCADA network data sets shows that the proposed method outperforms the existing methods in detecting and analyzing various cyber attacks against the SCADA system.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Shanling Dong,Zheng-Guang Wu,Peng Shi

DOI: https://doi.org/10.1007/978-3-030-35566-1_12

2019-01-01

Abstract:In realistic control systems, faults are significant obstacles to obtain a better performance, higher reliability and safety [1, 2, 3]. They would likely appear due to unexpected variations in signals and components, sudden changes of working conditions, environmental noises, parameter shifting, etc. It is important to detect them timely and accurately for avoiding the degradation of performance and instability.

Congqi Shen,Geyang Xiao,Shaofeng Yao,Boyang Zhou,Zhongxia Pan,Hong Zhang

DOI: https://doi.org/10.1109/spac53836.2021.9539933

2021-01-01

Abstract:Current Industrial Internet faces serious threats where attackers propagate malicious flows, resulting in communication failures in the Industrial Internet. In this work, we propose a practical and novel method to detect malicious traffic attack in real time with high accuracy. Our primary idea is to capture network flow, extract adequate network flow features, construct a long short-term memory (LSTM) based deep learning model, and identify the property of the corresponding network flow. Whether the network suffers attack or not is then determined according to the detection results. The corresponding prototype is also implemented in the Industrial Internet which is equipped with Software Defined Networking (SDN). Experimental results validate that the proposed method is effective in defending against malicious traffic attack in real-world network.

Yehong Yang

DOI: https://doi.org/10.2991/WARTIA-16.2016.25

2016-05-14

Abstract:With the popularity of computers, the Internet has entered the production and all aspects of social life, but the attendant problem of network security has become the focus of widespread concern. Network security situation awareness to effectively respond to network security issues provide a viable solution: for complex network environments and malicious attacks, a comprehensive analysis of attacks against various parts of the network system, from a macro point of view of network security situation be assess and predict the future of network security situation based on this information. For the predictive accuracy of prediction system for network security situation has improved significantly, and network security situation prediction method based on machine learning for the network security situation prediction have a high degree feasible, in the real network security situation awareness applications have certain research and practical value. Introduction of Network Security Situational Awareness Network security situation is the current status and trends of the entire information from a variety of factors operating conditions of various network devices, network behavior and user behavior constituted. Network security situational awareness can acquire, understand and display the network environment of security elements. Through a series of technical means in time and space, are fully aware of network security and access and associated elements as possible in a pluralistic, and the establishment of a network based on complex behaviors modeling and simulation situational analysis and pre-side system, and then integrate and analyze vast amounts of security associated with the network-related data. Network security situation awareness is a scientific and effective network security situation assessment and use of relevant technologies to make reasonable predictions about trends over time network security, network management personnel in advance to remind the network system for network equipment, network peer node hosts and data resources to make reasonable adjustments, upgrades and backup, network environment to address the risk of possible future harm to the network system, losses may result down to an acceptable range . Extract information network security situation is carried out on the basis of situational awareness that only a comprehensive collection of data and the use of sophisticated index system, to ensure the correctness of the results of the assessment. Therefore, in the design process model or system must pay attention to select a metric system. Network security situation is a source of diverse, different collection methods, different devices collect data formats, network security situation letter from mainly contains configuration, operating status, traffic, user behavior and other information.

Computer Science

Manikanta Reddy Dornala

DOI: https://doi.org/10.48550/arXiv.1812.03409

2018-12-09

Computers and Society

Abstract:Cyber attacks have become serious threats to Industrial Control systems as well. It becomes important to develop a serious threat defense system against such vulnerabilities. For such process control systems, safety should also be assured apart from security. As unearthing vulnerabilities and patching them is not a feasible solution, these critical infrastructures need safeguards to prevent accidents, both natural and artificial, that could potentially be hazardous. Morita proposed an effective Zone division, capable of evaluating remote and concealed attacks on the system, coupled with Principal Component Analysis. But the need to analyze the node that has been compromised and stopping any further damages, requires an automated technique. Illustrating the basic ideas we'll simulate a simple Water plant. We propose a new automated approach based on Long Short Term Memory networks capable of detecting attacks and pin point the location of the breach.

Jingcheng Zhao,Xiaomeng Li,Yaofu Cao,Junwen Liu,Junlu Yan,Chengwei Li

DOI: https://doi.org/10.1088/1742-6596/2078/1/012067

2021-11-01

Journal of Physics: Conference Series

Abstract:Abstract In recent years, international industrial control network security incidents have occurred frequently. As a core component of the industrial control field, intelligent power control systems are increasingly threatened by external network attacks. Based on the current research status of power industrial control network security, closely combining the development of active monitoring and defense technology in the public network field and the problems encountered by network security operators in actual work, this paper uses data mining methods to study the power control system network security situation awareness technology. Combing operational data collection and integrated processing, situation index screening and extraction, we use wavelet neural network analysis method to train the sampled data set, and finally calculate the true value of the network security status through deep intelligent learning. Finally, we conclude that the artificial intelligence algorithm based on wavelet neural network can be used for power control system network security situation awareness. In actual work, it can predict the situation value for a period of time in the future and assist network security personnel in judgment and decision-making.

Mariam Elnour,Mohammad Noorizadeh,Mohammad Shakerpour,Nader Meskin,Khaled Khan,Raj Jain

DOI: https://doi.org/10.1109/access.2023.3303015

IF: 3.9

2023-08-22

IEEE Access

Abstract:In light of the advancement of the technologies used in industrial control systems, securing their operation has become crucial, primarily since their activity is consistently associated with integral elements related to the environment, the safety and health of people, the economy, and many others. This work presents a distributed, machine learning based attack detection and mitigation framework for sensor false data injection cyber-physical attacks in industrial control systems. It is developed using the system's standard operational data and validated using a hybrid testbed of a reverse osmosis plant. A MATLAB/Simulink-based simulation model of the process validated with actual data from a local plant is used. The control system is implemented using Siemens S7-1200 programmable logic controllers with 200SP Distributed Input/Output modules. The proposed solution can be adopted in the existing industrial control systems and demonstrated effective performance in real-time detection and mitigation of actual cyber-physical attacks launched by compromising the communication links between the process and the programmable logic controllers.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tao Feng,Yanxia Shi,Renbin Gong,Qianchuan Zhao

DOI: https://doi.org/10.1109/icpics47731.2019.8942463

2019-01-01

Abstract:The information security problem of the industrial control system (ICS) has become prominent increasingly with the advancement of industry 4.0. The programmable logic controller (PLC) is the basic control device in the supervisory control and data acquisition (SCADA) of ICS. The stable operation of ICS is limited by the safety of PLC. In this paper, the PLC attack tree model, which targets the PLC equipment security, is built to analyze and evaluate the safety of PLC systematically. First, the attack path of the PLC has been analyzed. The attack nodes have been defined by employing the attack tree model. Second, the fuzzy analytic hierarchy process has been introduced to calculate the security attribute weight and quantify the attack probability of the leaf nodes. The Shapiro-Wilk test has been employed to ensure the normality of data. Finally, the attack probability of different attack paths has been calculated as the PLC attack tree model. The PLC attack tree model which proposed in this paper is employed to distinguish the probability of different attack paths. The proposed attack tree model provides a basis for decision- makers to take appropriate protective measures.

Jianlei Gao,Jun Li,Hao Jiang,Yaobing Li,Hengzhi Quan

DOI: https://doi.org/10.1109/cac51589.2020.9327136

2020-01-01

Abstract:Measurement and control system integrating different software and hardware is used to measure parameters, monitor process and control operation, which has been widely applied in critical infrastructures and has adopted Ethernet for data exchange. The recent publications have indicated that measurement and control systems are very vulnerable when they are exposed to cyber-attacks due to various intrinsic security weakness. Fins protocol as one of the most popular protocols is built into a larger number of Ormon devices that are used in different kinds of measurement, and control systems and has been targeted as the desirable candidate for cyber-attack. However, the traditional detection method based on traffic analysis and function code compliance detection is unable to detect mode-switching attack that is consistent with the protocol syntax, and it is a very harmful network attack against industrial devices. In this paper, we analyze the defects of measurement and control system using Fins protocol, launch mode-switching attack against Ormon PLC devices and display how to defend against this attack by designing a detection rules insert into Snort. Then, this detection approach is carried out to protect the security of Ormon PLC. Finally, the experimental results show that our detection approach can distinguish and detect this malicious cyber-attack efficiently.

Xiaojie Huang,Zhiqiang Li,Da-Wei Ding

DOI: https://doi.org/10.1016/j.jfranklin.2022.07.050

IF: 4.246

2022-08-05

Journal of the Franklin Institute

Abstract:This paper investigates the problem of finite-time attack detection for nonlinear complex cyber-physical networks under false data injection (FDI) attacks. Firstly, a Takagi-Sugeno (T-S) fuzzy model is used to approximate nonlinear complex cyber-physical networks in which the measurement channels are injected by FDI attacks. Secondly, based on adding a power integrator technique, a finite-time fuzzy observer is designed to achieve the rapid state observation of complex cyber-physical networks within a finite time by adjusting the observer parameters. Then, an attack detection mechanism consisting of the finite-time fuzzy observer and an attack detector is developed to detect FDI attacks, which can trigger an alarm within a finite time when FDI attacks occur. Finally, simulation results are given to show the effectiveness and superiority of the proposed method.

automation & control systems,engineering, electrical & electronic, multidisciplinary,mathematics, interdisciplinary applications

Sohrab Mokhtari,Kang K. Yen

DOI: https://doi.org/10.3390/electronics13163239

IF: 2.9

2024-08-16

Electronics

Abstract:The integration of advanced information and communication technology in smart grids has exposed them to increased cyber attacks. Traditional model-based fault detection systems rely on mathematical models to identify malicious activities but struggle with the complexity of modern systems. This paper explores the application of artificial intelligence, specifically machine learning, to develop fault detection mechanisms that do not depend on these models. We focus on operational technology for fault detection, isolation, and identification (FDII) within smart grids, specifically examining a load frequency control (LFC) system. Our proposed approach uses sensor data to accurately identify threats, demonstrating promising results in simulated environments.

engineering, electrical & electronic,computer science, information systems,physics, applied

Lei Wang,Shuai Ren,Guangao Li,Yang Liu,Gang Wang,Qian Sun

DOI: https://doi.org/10.1109/dsc53577.2021.00065

2021-10-01

Abstract:With the development of computer network and artificial intelligence technology, hydraulic mechanical system in state grid corporation has been developed and applied rapidly, but its network security has always been the focus of attention. The emergence and development of the intelligent diagnosis technology of network security protection provides the technical basis for it. The intelligent diagnosis technology of network security protection has great advantages and has been widely used in all walks of lifse. The artificial intelligence is introduced into the intelligent diagnosis system of the network security protection of the hydraulic machinery system, and the network security fault diagnosis model of the hydraulic machinery system is established by using the method, so as to analyze and eliminate the fault better and faster. In this paper, the network security protection diagnosis of hydraulic machinery system based on artificial intelligence is studied. Firstly, the principle of network security structure of hydraulic machinery system is introduced. Secondly, the design of network fault diagnosis expert system is introduced. Finally, the security defense technology of intelligent terminal virtualization technology is discussed. The research content has a certain practical value, and has a reference value for the intelligent development of construction machinery.

Abolfazl Falahati,Ebrahim Shafiee

DOI: https://doi.org/10.1007/s13177-021-00274-1

2021-09-30

International Journal of Intelligent Transportation Systems Research

Abstract:With the advancement of modern rail transport systems, high-speed railways' safety and reliability is improved enormously due to proper intelligent traffic management systems. The automatic train control and operating system receive the train location beacons and the railway line's essential information through various channels, such as Balise wirelessly. However, this technology is vulnerable to cyber-physical attacks. This article aims to investigate the existing cyber attacks on Balise that can result a physical turmoil. Due to the limitations and constraints of the railway infrastructures, the attacks and failure detection methods are proposed based on machine learning. Also, a fuzzy countermeasure system is developed to improve train safety against known and unknown cyber-attacks. The simulation results show 92% accuracy in the proposed successful attacks detection system. Moreover, a small amount of false-positive and false-negative warnings can be also revealed employing the proposed scheme. The proposed method does not require change railway infrastructure.