Shangqing Cui,Dongqin Feng

DOI: https://doi.org/10.1109/icpeca56706.2023.10076096

2023-01-01

Abstract:With the application of Internet technologies in the industrial field, industrial control systems (ICS) have the possibility of suffering malicious network attacks. Because ICS is widely used in critical infrastructure, designing attack detection algorithms for it can effectively reduce losses. Many papers have built physical models for cyber-attacks against ICS and the corresponding detection algorithms have been proposed. However, the detection performance can be further improved. This paper establishes the simulation attack on the Tennessee Eastman (TE) process and proposes an improved support vector machine (SVM) method to detect integrity attacks. This algorithm uses contribution plots and recursive feature elimination to select features. Compared with the principal component analysis (PCA) feature extraction, the detection accuracy is improved. After adding system dynamics to the algorithm, the time to detect attacks is advanced.

Wanjun LIU,Jitao QIN,Haicheng QU

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017102502

2018-01-01

Abstract:Since the intrusion detection method based on One-Class Support Vector Machine (OCSVM) can not detect internal abnormal points and outliers,which leads to the deviation of decision function from training samples.A new OCSVM anomaly detection function combining DBSCAN (Density-Based Spatial Clustering of Applications with Noise) and K-means was proposed.Firstly,the outliers in the training data were removed by DBSCAN algorithm to eliminate the influence of outliers.Then,K-means clustering method was used to classify normal data clusters,so that the internal abnormal points could be selected.Finally,a one-class classifier for each data cluster was created to detect exception data by OCSVM algorithm.The experimental results on industrial control networks show that the combined classifier can detect the intrusion attacks of the industrial control network by using normal data,and it can improve the detection effect of OCSVM algorithm.In intrusion detection experiment of gas pipeline,the overall detection rate of the proposed method is 91.81％,while the overall detection rate of OCSVM algorithm is 80.77％.

Xianjing Li,Dongqin Feng

DOI: https://doi.org/10.1109/iciscae48440.2019.221645

2019-01-01

Abstract:Currently, the industrial control systems (ICS) have faced many changeable and complexed attacks. Apart from normal attack, there are also many variations, which put ICS into a huge hidden danger. Under this circumstance, the traditional detection techniques cannot identify the special variation types of attacks, effectively, comprehensively nor accurately. Therefore, a detection method named principal component analysis (PCA) with cosine similarity and support vector machine (SVM) is proposed. Moreover, the method is applied to detect the square wave attack in ICS. The detection method is executed as follows. Firstly, the raw signals are classified, by selecting proper length. Secondly, PCA method are used to reduce the dimension. Based on the first normal signal, the cosine similarity coefficients between the first normal part and the rest are calculated. Hence, the attack-feature vectors are composed by similarity coefficients. Next, data after that is selected to serve as the SVM training sample, replenishing the attack features. As for simulation, the cascade control loop of a typical industrial control system is chosen. The results show that the method can detect the signals, timely and accurately, no matter periodic square wave attack or aperiodic. For system, the proposed method and model can judge the security state of ICS. Above all, this method provides accurate decision-making suggestions to security management personnel.

Jingxuan Pang,Xiaokun Pu,Chunguang Li

DOI: https://doi.org/10.1109/tii.2022.3145834

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Anomaly detection plays an important role in industry, especially in ensuring system safety and product quality. Due to the unavailability of anomalous data in many practical cases, anomaly detection is usually solved by one-class classification (OCC) methods using only normal data. As a classical OCC method, one-class support vector machine (OCSVM) is a popular discriminative approach for anomaly detection, which detects abnormal data points by establishing a decision boundary in the kernel space. However, the performance of OCSVM heavily relies on kernel parameters, whose selection is not trivial for anomaly detection problems. Moreover, for some uneven and complex data distributions, different data regions may have quite different densities and shapes, making it difficult for OCSVM to obtain good boundaries in all regions using a global kernel parameter. To address the above two issues, in this article, we propose a hybrid algorithm incorporating vector quantization and OCSVM (VQ-OCSVM). Specifically, vector quantization is used to extract distribution information of normal data, and the results are used to construct an explicit mapping function to map data into a high-dimensional feature space. Then, OCSVM is performed in the feature space to build a classifier. By introducing the explicit mapping into OCSVM, the proposed method can effectively bypass the kernel parameter selection problem of the classical OCSVM method. Furthermore, the constructed mapping carries the data distribution information, and the VQ-OCSVM model can be regarded as an integration of generative learning and discriminative learning. The complementary properties of these two paradigms make the proposed VQ-OCSVM algorithm have better generalization capacity for complex data distribution. Both qualitative and quantitative experimental results demonstrate the effectiveness and advantages of the proposed method.

Haonan Chen,Xianda Liu,Tianyu Wang,Xuejing Zhang

DOI: https://doi.org/10.1007/978-3-030-78609-0_26

2021-01-01

Abstract:As an important part of guard system, intrusion detection systems have great significance to the security of industrial control systems. Cause the industrial control systems of the on-site environment is often very complicated, the process data extracted on-site have a wide variety of features, and they always have complex associations and are not independent. The intrusion detection algorithms for traditional industrial control systems often do not solve this problem, which results in a decrease in the accuracy, precision and high false negative rate (FNR), false positives rate (FPR). Aiming at solving the current problems, this paper proposes an algorithm combining the Fast Independent Principal Component Analysis (FastICA) and Support Vector Machine (SVM). Finally compared with the SVM and PCA-SVM algorithms, the experimental results show that the accuracy rate has been significantly improved and slight FPR.

Kai Guo,Datong Liu,Yu Peng,Xiyuan Peng

DOI: https://doi.org/10.1109/phm-chongqing.2018.00048

2018-01-01

Abstract:With large amount of industrial data available, data-driven anomaly detection methods have been widely used for ensuring industrial safety and preventing economic losses. Among them, one-class support vector machine (OCSVM) is an effective unsupervised method for detecting abnormal points by establishing a decision boundary in the kernel space and has obtained much attention in the research field in recent years. Through solving the convex quadratic programming problem, OCSVM obtains a classifier with maximum distance to the origin and satisfying maximum quantity of training samples, without utilizing anomaly data points. However, the outliers in the training set, which are more likely to be selected as support vectors, will lead to the degradation in the performance of OCSVM. Because the outliers are away from the center of the dataset and cannot represent the real characteristics for the data. To address this drawback, the clustering-based and LOF outlier detection method (CLOF), which has high computational efficiency and modeling accuracy, is adopted for eliminating the outliers and optimizing the final acquired boundary of OCSVM. Experimental results on shuttle flight data have illustrated the superior performance of the proposed approach.

Fangjun Kuang,Siyang Zhang,Zhong Jin,Weihong Xu

DOI: https://doi.org/10.1007/s00500-014-1332-7

IF: 3.732

2014-01-01

Soft Computing

Abstract:A novel support vector machine (SVM) model by combining kernel principal component analysis (KPCA) with improved chaotic particle swarm optimization (ICPSO) is proposed to deal with intrusion detection. The proposed method, in which multi-layer SVM classifier is employed to estimate whether the action is an attack, KPCA is applied as a preprocessor of SVM to reduce the dimension of feature vectors and shorten training time. To shorten the training time and improve the performance of SVM, N-RBF is employed to reduce the noise generated by feature differences, and ICPSO is presented to optimize the punishment factor C, kernel parameters \(\sigma \) and the tube size \(\varepsilon \) of SVM, which introduces chaos optimization and premature processing mechanism. Experimental results illustrate that the improved SVM model has faster computational time and higher predictive accuracy, and it can also shorten the training time and improve the performance of SVM.

Jun Wang,Xu Hong,Rong-Rong Ren,Tai-Hang Li

2009-01-01

Abstract:The success of any Intrusion Detection System (IDS) is a complicated problem due to its nonlinearity and the quantitative or qualitative network traffic data stream with irrelevant and redundant features. How to choose the effective and key features to IDS is very important topic in information security. Support vector machine (SVM) has been employed to provide potential solutions for the IDS problem. However, the practicability of SVM is affected due to the difficulty of selecting appropriate SVM parameters. Particle swarm optimization (PSO) is an optimization method, which is not only has strong global search capability, but also is very easy to implement. Thus, the proposed PSO-SVM model is applied to an intrusion detection problem, the KDD Cup 99 data set. The standard PSO is used to determine free parameters of support vector machine and the binary PSO is to obtain the optimum feature subset at building intrusion detection system. The experimental results indicate that the PSO-SVM method can achieve higher detection rate than regular SVM algorithms in the same time.

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Ghulam Mohi-Ud-Din,Zhiqiang Liu,Jiangbin Zheng,Sifei Wang,Zhijun Lin,Muhammad Asim,Yuxuan Zhong,Yuxin Chen

DOI: https://doi.org/10.1109/tnsm.2023.3258901

2023-01-01

IEEE Transactions on Network and Service Management

Abstract:The exponential growth in data communication and increase in network size have led to various intrusions and attacks. An Intrusion Detection System (IDS) can be provided as a crucial component of a network or database to ensure the security of data communication over a network. The network size is large, a large dataset may comprise more irrelevant, redundant, and high-dimensional features that impact feature classification, thus affecting the intrusion detection rate. This study presents a new hybrid enhanced normalised Crow Search Algorithm (CSA) and Particle Swarm Optimisation (PSO) technique to address feature selection issues and to classify global best features using a random-forest classifier. In the proposed algorithm, the benefits of the CSA between the search strategy and rapid convergence phenomenon of the PSO algorithm are utilised to select the global best solution in a large search space. A random-forest classifier is used to classify the features after they are updated with weight values for significant features, assessing the asymptotic variance of features and points that are closest to the optimal solution. The asymptotic features are subjected to the weighted least mean square (WLS) method to eliminate large deviations among the features. The random-forest classifier distinguishes between normal records and abnormal intrusion records. The performance assessment of the proposed hybrid IDS model is performed by utilising two datasets, which reveals that the proposed model outperforms other existing models. The simulation outcomes show higher accuracy rate, precision value, recall factor, and F1-Score, revealing the efficacy of the IDS model.

WenJie Tian,JiCheng Liu

DOI: https://doi.org/10.1109/wnis.2009.79

2009-01-01

Abstract:Because the network intrusion behaviors are characterized with uncertainty, complexity and diversity, a new method based on support vector regression (SVR) and particle swarm optimization algorithm (PSOA) is presented and used for pattern analysis of intrusion detection in this paper. The novel structure model has higher accuracy and faster convergence speed. We construct the network structure, and give the algorithm flow. We discussed and analyzed the impact factor of intrusion behaviors. With the ability of strong self-learning and faster convergence, this intrusion detection method can detect various intrusion behaviors rapidly and effectively by learning the typical intrusion characteristic information. We use rough set to reduce dimension. We apply this technique on KDD99 data set and get satisfactory results. The experimental result shows that this intrusion detection method is feasible and effective.

CHEN WU,LIANG Gang,YANG Jin

DOI: https://doi.org/10.3969/j.issn.1671-0428.2013.06.002

IF: 5.105

2013-01-01

Computers & Security

Abstract:Traditional intrusion detection algorithm in dealing with network streaming data,due to the large amount of network data,and has high dimension,redundancy,etc,lead to intrusion detection of large amount of calculation,take up more resources,inadequate training and prediction for a long time and so on,this will need to keep the data useful information under the premise of the feature extraction of data.Based on the kernel principal component analysis(KPCA) was carried out on the network intrusion data dimensionality and to eliminate redundant information processing,reduce the input dimension of support vector machine,using particle swarm optimization algorithm for the SVM parameters,selecting the modified kernel function instead of traditional single kernel function,the experiment proved that the improved algorithm effectively improves the intrusion detection system detection rates and improve the speed of prediction.

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Huazan Liu,Zhenzhou Ji,Chong Li,Kaikai Li

DOI: https://doi.org/10.1109/ICCEA58433.2023.10135289

2023-01-01

Abstract:As the development of the Internet of Things, industrial control network security issues have become more prominent. Anomaly detection technology is an important detection technology for ensuring the network security of industrial control systems, which can issue alarms and block responses before the system is compromised. However, most models currently suffer from problems such as low detection rate, high false positive rate, and inability to locate the anomalies. To address these issues, this paper proposes a multidimensional feature and spectral residual-based industrial control time series anomaly detection method (SRMCAD) to improve the accuracy of anomaly detection while reducing the false positive rate. First, this paper applies the spectral residual method to multidimensional time series anomaly detection in the industrial control domain, and uses the residual data obtained by spectral residual processing instead of the original data as input to the model. Secondly, to address the problem of imprecise device attack localization and high false positive rate in existing industrial control anomaly detection models, this paper designs and implements an industrial control anomaly detection model based on an encoding-decoding architecture, incorporating the idea of system state modeling and using the Mahalanobis distance as the loss function. Experimental results show that SRMCAD has significant advantages over current advanced methods.

Xin Xu,Xuening Wang

DOI: https://doi.org/10.1007/11527503_82

2005-01-01

Abstract:Network intrusion detection is an important technique in computer security. However, the performance of existing intrusion detection systems (IDSs) is unsatisfactory since new attacks are constantly developed and the speed of network traffic volumes increases fast. To improve the performance of IDSs both in accuracy and speed, this paper proposes a novel adaptive intrusion detection method based on principal component analysis (PCA) and support vector machines (SVMs). By making use of PCA, the dimension of network data patterns is reduced significantly. The multi-class SVMs are employed to construct classification models based on training data processed by PCA. Due to the generalization ability of SVMs, the proposed method has good classification performance without tedious parameter tuning. Dimension reduction using PCA may improve accuracy further. The method is also superior to SVMs without PCA in fast training and detection speed. Experimental results on KDD-Cup99 intrusion detection data illustrate the effectiveness of the proposed method.

Wei Yu,Zhixiang Chen,Hui Wang,Zeyu Miao,Dake Zhong

DOI: https://doi.org/10.1007/s10207-024-00949-2

2024-12-08

International Journal of Information Security

Abstract:With the widespread use of the industrial internet, industrial control systems (ICS) are increasingly vulnerable to network intrusions, making their security challenges more prominent. Current intrusion detection methods primarily focus on closed-set scenarios; however, in open-set scenarios, numerous unknown classes of intrusions lead to poor detection performance. To address this issue, this paper proposes a novel open-set industrial network intrusion detection method. The method begins with a feature extractor, termed GPL (BiGRU-PL), which integrates bidirectional gated recurrent units (BiGRU) and prototype learning (PL) through joint training. This model is trained using Distance-Based Cross-Entropy (DCE) loss and Prototype Loss, effectively enhancing intra-class compactness for known classes in the open set, increasing inter-class distance, and achieving separability between unknown and known classes in the feature space. Following this, the Weibull model is employed to construct an Extreme Value Theory (EVT) discriminant module that fits each known class and calculates an outlier probability threshold for each known class. Finally, the method computes the outlier probability value of each input sample for each known category and compares the test sample's outlier probability value against the threshold to recognize unknown classes. Experimental results on the CICIDS2017 dataset and Gas Pipeline dataset demonstrate the effectiveness of the proposed method. The method achieves high accuracy in recognizing known classes. Additionally, it effectively identifies unknown class intrusions in open-set scenarios with varying degrees of openness.

computer science, information systems, theory & methods, software engineering

Yulin Zhou,Lun Xie,Hang Pan

DOI: https://doi.org/10.3390/app12062765

2022-03-08

Applied Sciences

Abstract:The automation and intelligence of industrial manufacturing is the core of the fourth industrial revolution, and robotic arms and proprietary networked information systems are an integral part of this vision. However, with the benefits come risks that have been overlooked, and robotic arms have become a heavily attacked area. In order to improve the security of the robotic arm system, this paper proposes an intrusion detection method based on a state classification model. The closure operation process of the robotic arm is divided into five consecutive states, while a support vector machine based on the particle swarm optimization algorithm (PSO-H-SVM) classifies the operation state of the robotic arm. In the detection process, the classifier predicts the operation state of the robotic arm in real time, and the detection method determines whether the state transfer meets the logical requirements, and then determines whether the intrusion occurs. In addition, a response mechanism is proposed on the basis of the intrusion detection system to make protection measures for the robotic arm system. Finally, a physical experiment platform was built to test the intrusion detection method. The results showed that the classification accuracy of the PSO-H-SVM algorithm reached 96.02%, and the detection accuracy of the intrusion detection method reached 90%, which verified the effectiveness and reliability of the intrusion detection method.

Chao Wang,Yunxiao Sun,Sicai Lv,Chonghua Wang,Hongri Liu,Bailing Wang

DOI: https://doi.org/10.3390/electronics12040930

IF: 2.9

2023-02-13

Electronics

Abstract:Intrusion detection systems (IDSs) play a significant role in the field of network security, dealing with the ever-increasing number of network threats. Machine learning-based IDSs have attracted a lot of interest owing to their powerful data-driven learning capabilities. However, it is challenging to train the supervised learning algorithms when there are no attack data at hand. Semi-supervised anomaly detection algorithms, which train the model with only normal data, are more suitable. In this study, we propose a novel semi-supervised anomaly detection-based IDS that leverages the capabilities of representation learning and two anomaly detectors. In detail, the autoencoder (AE) is applied to extract representative features of normal data in the first step, and then two semi-supervised detectors, the one-class support vector machine (OCSVM) and Gaussian mixture model (GMM), are trained on the derived features. The two detectors collaborate to detect anomalous samples. The OCSVM predicts the abnormal samples initially, and after that, the GMM is applied to recheck the misclassified samples further. The experiments demonstrate that the AE improves the detection rate, and two detectors are more promising than a single one.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yingchao Xiao,Huangang Wang,Wenli Xu,Junwu Zhou

DOI: https://doi.org/10.1016/j.chemolab.2015.11.010

IF: 4.175

2015-01-01

Chemometrics and Intelligent Laboratory Systems

Abstract:One-class SVM (OCSVM) has been widely adopted in many one-class classification (OCC) application fields. However, when there are outliers in OCC training samples, the OCSVM performance will degrade. In order to solve this problem, a new method is proposed in this paper. This method first identifies some “suspected outliers” and removes them so as to obtain the decision boundary enclosing the “cluster core”. Then outliers are identified by this boundary and are removed from OCSVM training. The effectiveness of this proposed method is verified by experiments on UCI benchmark data sets and Tennessee Eastman Process data sets.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.