Yu Sun,Gangfeng Yan,Xiasheng Shi

DOI: https://doi.org/10.1088/1757-899x/631/4/042046

2019-01-01

IOP Conference Series Materials Science and Engineering

Abstract:Abstract Traditional methods for detecting data anomalies of power equipment fail to fully mine the data characteristics. And it has shortcomings such as complex calculation, poor flexibility and low accuracy. To solve the problem of abnormal fault detection of electric equipment, the abnormal detection algorithm based on statistical analysis and machine learning is used in the paper. The reconstruction method based on Long Short Term Memory (LSTM) time sequence is proposed for time series data abnormal detection. Experiments show that the new method is effective in detecting and correcting abnormal data, which reduces the detection time and improves the accuracy of state estimation results. There are huge differences within the positive samples in anomaly detection, so several methods are studied in the paper. One-class SVM algorithm is often used in novelty detection and isolation forest algorithm is used in outlier detection. Machine learning methods which is based on statistical analysis will play an increasingly important role in the fields of equipment monitoring and predictive maintenance, safety of electric equipment.

Ming Wan,Jinfang Li,Jiangyuan Yao,Rongbing Wang,Hao Luo

DOI: https://doi.org/10.32604/cmc.2020.09692

2020-01-01

Abstract:In process industries, the characteristics of industrial activities focus on the integrality and continuity of production process, which can contribute to excavating the appropriate features for industrial anomaly detection. From this perspective, this paper proposes a novel state-based control feature extraction approach, which regards the finite control operations as different states. Furthermore, the procedure of state transition can adequately express the change of successive control operations, and the statistical information between different states can be used to calculate the feature values. Additionally, OCSVM (One Class Support Vector Machine) and BPNN (BP Neural Network), which are optimized by PSO (Particle Swarm Optimization) and GA (Genetic Algorithm) respectively, are introduced as alternative detection engines to match with our feature extraction approach. All experimental results clearly show that the proposed feature extraction approach can effectively coordinate with the optimized classification algorithms, and the optimized GA-BPNN classifier is suggested as a more applicable detection engine by comparing its average detection accuracies with the ones of PSO-OCSVM classifier.

Qian Wang,He Chen,Yonghui Li,Branka Vucetic

DOI: https://doi.org/10.1109/iciai.2019.8850828

2019-01-01

Abstract:The convergence of operation technology (OT) and information and communication technology (ICT) in industrial control networks presents new challenges for anomaly detection algorithms. Machine learning has achieved great success over the past few years, which has also been considered as one of the popular solutions for anomaly detection in industrial control networks. In this paper, we survey the recent work on anomaly detection for industrial control networks exploiting machine learning techniques. We first summarize major differences between OT and ICT and analyze the corresponding advantages and disadvantages for anomaly detection. Based on the features of the industrial control networks, existing work are classified into data-based learning and industrial network-specified learning methods. We analyze the pros and cons of these two learning methods. We finally point out the promising future work within this research area.

Vegard Berge,Chunlei Li

2024-10-26

Abstract:Traditional intrusion detection systems (IDSs) often rely on either network traffic or process data, but this single-source approach may miss complex attack patterns that span multiple layers within industrial control systems (ICSs) or persistent threats that target different layers of operational technology systems. This study investigates whether combining both network and process data can improve attack detection in ICSs environments. Leveraging the SWaT dataset, we evaluate various machine learning models on individual and combined data sources. Our findings suggest that integrating network traffic with operational process data can enhance detection capabilities, evidenced by improved recall rates for cyber attack classification. Serving as a proof-of-concept within a limited testing environment, this research explores the feasibility of advancing intrusion detection through a multi-source data approach in ICSs. Although the results are promising, they are preliminary and highlight the need for further studies across diverse datasets and refined methodologies.

Cryptography and Security

Wan, Ming,Li, Jinfang,Wang, Kai,Wang, Bailing

DOI: https://doi.org/10.1007/s12652-020-02636-1

IF: 3.662

2020-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Under the tendency of interconnection and interoperability in Industrial Internet, anomaly detection, which has been widely recognized, has won significant accomplishments in industrial cyber security. However, a crucial issue is how to effectively extract industrial communication features which can accurately and comprehensively describe industrial control operations. Aiming at the function code field in industrial Modbus/TCP communication protocol, this paper proposes a novel feature extraction algorithm based on weighted function code correlation, which not only indicates the contribution of single function code in the whole function code sequence, but also analyzes the correlation of different function codes. In order to design a serviceable detection engine, a dynamic adjusting ABC–SVM (Artificial Bee Colony–Support Vector Machine) anomaly detection model based on double mutations is also developed to identify abnormal behaviors in industrial control communications. The experimental results show that the proposed feature extraction algorithm can effectively reflect the changes of function control behavior in industrial control communications, and the improved ABC–SVM anomaly detection model can strengthen the detection performance by comparing with other anomaly detection engines.

Ming Wan,Yan Song,Yuan Jing,Junlu Wang

DOI: https://doi.org/10.1155/2018/5103270

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Function control, which is an essential link in industrial automation, is undergoing a growing integration with ICTs (Information Communication Technologies) because of the flexible manufacturing and convenient interoperability in CPSs (Cyber-Physical Systems). However, it has also brought the increasing dangers of cyberattacks caused by malicious or intentional industrial process control exploitations. In order to effectively detect these cyber intrusions and anomalies, this paper proposes a function-aware anomaly detection approach based on WNN (Wavelet Neural Network), which perceives the abnormal function control changes in industrial control communication. By appropriately extracting the time-related function control characteristics from industrial communication packets, this approach builds an optimized wavelet neural network to model the normal function control behaviors and calculates the detection threshold to differentiate the aberrant industrial process control activities. Additionally, a real-world control system, whose communication protocol is Modbus/TCP, is simulated to furnish the analyzed function control data. According to the experimental results, we fully demonstrate this approach has the fine detection accuracy and adequate real-time capability.

Zhen-wei HU,Yong SHI,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.12.027

2017-01-01

Abstract:Traditional intrusion detection method is unable to meet the needs of big-data era in accuracy and effectiveness, while the machine-learning algorithm is becoming main-stream. Now the main research focuses on machine-learning algorithm in support vector machines, and however it also has its own defects. Therefore, other excellent classification algorithms in machine learning are introduced. In addition, the classical NSL-KDD data set is used to compare the accuracy of the algorithm, and the applicable environment analyzed, thus to provide a basis for intrusion detection analysis in different scenarios in the future. After using the data set to complete the model training, the ROC curve, accuracy and other indicators are used to evaluate the model, and fairly good results are acquired.

Bedeuro Kim,Mohsen Ali Alawami,Eunsoo Kim,Sanghak Oh,Jeongyong Park,Hyoungshick Kim

DOI: https://doi.org/10.3390/s23031310

IF: 3.9

2023-01-24

Sensors

Abstract:Anomaly detection has been known as an effective technique to detect faults or cyber-attacks in industrial control systems (ICS). Therefore, many anomaly detection models have been proposed for ICS. However, most models have been implemented and evaluated under specific circumstances, which leads to confusion about choosing the best model in a real-world situation. In other words, there still needs to be a comprehensive comparison of state-of-the-art anomaly detection models with common experimental configurations. To address this problem, we conduct a comparative study of five representative time series anomaly detection models: InterFusion, RANSynCoder, GDN, LSTM-ED, and USAD. We specifically compare the performance analysis of the models in detection accuracy, training, and testing times with two publicly available datasets: SWaT and HAI. The experimental results show that the best model results are inconsistent with the datasets. For SWaT, InterFusion achieves the highest F1-score of 90.7% while RANSynCoder achieves the highest F1-score of 82.9% for HAI. We also investigate the effects of the training set size on the performance of anomaly detection models. We found that about 40% of the entire training set would be sufficient to build a model producing a similar performance compared to using the entire training set.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yanxin Wang,Johnny Wang,Andrew S. Miner

2004-01-01

Abstract:This paper explores the methodology of using kernels and Support Vector Machine (SVM) for intrusion detection. A new insight into two well known anomaly detection algorithms - STIDE and Markov Chain anomaly detectors, is achieved using kernel theory. We introduce two new classes of kernels used for intrusion detection – STIDE kernel and Markov Chain kernel. These kernels combined with SVM are presented to achieve improvements over STIDE and Markov Chain anomaly detectors. We provide empirical evidence that the new anomaly detectors are able to achieve better results than conventional anomaly detectors and behave robustly over noisy training data.

Chunjie Zhou,Shuang Huang,Naixue Xiong,Shuang-Hua Yang,Huiyun Li,Yuanqing Qin,Xuan Li

DOI: https://doi.org/10.1109/TSMC.2015.2415763

2015-01-01

Abstract:Industrial process automation is undergoing an increased use of information communication technologies due to high flexibility interoperability and easy administration. But it also induces new security risks to existing and future systems. Intrusion detection is a key technology for security protection. However, traditional intrusion detection systems for the IT domain are not entirely suitable for industrial process automation. In this paper, multiple models are constructed by comprehensively analyzing the multidomain knowledge of field control layers in industrial process automation, with consideration of two aspects: physics and information. And then, a novel multimodel-based anomaly intrusion detection system with embedded intelligence and resilient coordination for the field control system in industrial process automation is designed. In the system, an anomaly detection based on multimodel is proposed, and the corresponding intelligent detection algorithms are designed. Furthermore, to overcome the disadvantages of anomaly detection, a classifier based on an intelligent hidden Markov model, is designed to differentiate the actual attacks from faults. Finally, based on a combination simulation platform using optimized performance network engineering tool, the detection accuracy and the real-time performance of the proposed intrusion detection system are analyzed in detail. Experimental results clearly demonstrate that the proposed system has good performance in terms of high precision and good real-time capability.

Sumedha Seniaray,Rajni Jindal

DOI: https://doi.org/10.1007/s11277-024-11602-5

IF: 2.017

2024-10-05

Wireless Personal Communications

Abstract:Data and information, being a critical part of the Internet, are vital to network security. Intrusion Detection System (IDS) is required to preserve confidentiality, data integrity, and system availability from attacks. IDS collects network data from various places that may contain features that are redundant and irrelevant, leading to an increase in processing time and low detection rate. This study proposes a three-phase network-based IDS to counter this issue. Initially, network data is captured and preprocessed. In the second phase, we perform feature extraction, selection, and ranking to obtain the optimal feature set. A novel Dynamic Mutual Information-based Genetic Algorithm for feature selection (DMI-GA), aiming to enhance the performance of machine learning (ML) techniques by identifying an optimal set of features, is also proposed in this work. Finally, well-known ML models are employed to detect intrusions within this refined set of network traffic features. Experimental results demonstrate a significant improvement in detection accuracy when the ML models are trained and tested on an optimal set of features. It is also observed that DMI-GA combined with the Random Forest classifier, achieves the highest detection accuracy of 99.94%, surpassing the performance of existing state-of-the-art anomaly-based network intrusion detection systems. A comprehensive statistical analysis of these ML methods is also conducted using 10-fold and Leave-One-Out cross-validation strategies, as it mitigates overfitting and offers a thorough evaluation of the model's performance, resulting in an average accuracy of 99.91%.

telecommunications

Yuan Zhang,Qinghai Yang,Sangarapillai Lambotharan,Konstantinos Kyriakopoulos,Ibrahim Ghafir,Basil AsSadhan

DOI: https://doi.org/10.1109/wcsp.2019.8927907

2019-01-01

Abstract:With the rapid development of new technologies and applications of Internet, much attention has been paid to the detection of anomalies in cyberspace traffic. A series of intrusion detection techniques based on machine learning have been developed. Support vector machine (SVM), as an essential approach, has been paid close attention in this filed. Nevertheless, the existing SVM-based techniques with the training features can not efficiently detect short duration intrusions and attacks in the traffic. To tackle this issue, we propose an anomaly-based SVM detection scheme by extracting and optimizing the training features. It trains the SVM with Kullback-Leibler (KL) divergence and cross-correlation calculated by the control and data planes traffic. Following this way, the novel training method can effectively enhance the detection accuracy. And the performance of the presented scheme is validated and evaluated based on a recent realistic Internet traffic dataset. Finally, relevant results indicate that the developed method establishes the relationship between Transmission Control Protocol (TCP) traffic and intrusions. It can efficiently detect short duration intrusions and attacks in the network traffic.

Xiaofeng Chen,Hongyan Yan,Qiben Yan,Xiangliang Zhang

DOI: https://doi.org/10.1007/978-3-030-62460-6

2020-01-01

Abstract:Under the tendency of interconnection and interoperability in Industrial Internet, anomaly detection, which has been widely recognized, has achieved modest accomplishments in industrial cyber security. However, a significant issue is how to effectively extract industrial control features which can accurately and comprehensively describe industrial control operations. Aiming at the function code field in industrial Modbus/TCP communication protocol, this paper proposes a novel feature extraction algorithm based on weighted function code correlation, which not only indicates the contribution of single function code in the whole function code sequence, but also analyzes the correlation of different function codes. In order to establish a serviceable detection engine, a dynamic adjusting ABC-SVM (Artificial Bee Colony Support Vector Machine) anomaly detection model is also developed. The experimental results show that the proposed feature extraction algorithm can effectively reflect the changes of functional control behavior in process operations, and the improved ABC-SVM anomaly detection model can improve the detection ability by comparing with other anomaly detection engines.

Gauthama Raman M. R.,Chuadhry Mujeeb Ahmed,Aditya Mathur

DOI: https://doi.org/10.1186/s42400-021-00095-5

2021-08-02

Abstract:Abstract Gradual increase in the number of successful attacks against Industrial Control Systems (ICS) has led to an urgent need to create defense mechanisms for accurate and timely detection of the resulting process anomalies. Towards this end, a class of anomaly detectors, created using data-centric approaches, are gaining attention. Using machine learning algorithms such approaches can automatically learn the process dynamics and control strategies deployed in an ICS. The use of these approaches leads to relatively easier and faster creation of anomaly detectors compared to the use of design-centric approaches that are based on plant physics and design. Despite the advantages, there exist significant challenges and implementation issues in the creation and deployment of detectors generated using machine learning for city-scale plants. In this work, we enumerate and discuss such challenges. Also presented is a series of lessons learned in our attempt to meet these challenges in an operational plant.

computer science, information systems, interdisciplinary applications, software engineering

Ming Wan,Minglei Hao,Jiawei Li,Jiangyuan Yao,Yan Song

DOI: https://doi.org/10.32604/cmc.2023.044857

2023-01-01

Abstract:The process control-oriented threat, which can exploit OT (Operational Technology) vulnerabilities to forcibly insert abnormal control commands or status information, has become one of the most devastating cyber attacks in industrial automation control. To effectively detect this threat, this paper proposes one functional pattern-related anomaly detection approach, which skillfully collaborates the BinSeg (Binary Segmentation) algorithm with FSM (Finite State Machine) to identify anomalies between measuring data and control data. By detecting the change points of measuring data, the BinSeg algorithm is introduced to generate some initial sequence segments, which can be further classified and merged into different functional patterns due to their backward difference means and lengths. After analyzing the pattern association according to the Bayesian network, one functional state transition model based on FSM, which accurately describes the whole control and monitoring process, is constructed as one feasible detection engine. Finally, we use the typical SWaT (Secure Water Treatment) dataset to evaluate the proposed approach, and the experimental results show that: for one thing, compared with other change-point detection approaches, the BinSeg algorithm can be more suitable for the optimal sequence segmentation of measuring data due to its highest detection accuracy and least consuming time; for another, the proposed approach exhibits relatively excellent detection ability, because the average detection precision, recall rate and F1-score to identify 10 different attacks can reach 0.872, 0.982 and 0.896, respectively.

Johan Note,Maaruf Ali

DOI: https://doi.org/10.33166/aetic.2022.03.003

2022-07-01

Annals of Emerging Technologies in Computing

Abstract:Attacks against computer networks, “cyber-attacks”, are now common place affecting almost every Internet connected device on a daily basis. Organisations are now using machine learning and deep learning to thwart these types of attacks for their effectiveness without the need for human intervention. Machine learning offers the biggest advantage in their ability to detect, curtail, prevent, recover and even deal with untrained types of attacks without being explicitly programmed. This research will show the many different types of algorithms that are employed to fight against the different types of cyber-attacks, which are also explained. The classification algorithms, their implementation, accuracy and testing time are presented. The algorithms employed for this experiment were the Gaussian Naïve-Bayes algorithm, Logistic Regression Algorithm, SVM (Support Vector Machine) Algorithm, Stochastic Gradient Descent Algorithm, Decision Tree Algorithm, Random Forest Algorithm, Gradient Boosting Algorithm, K-Nearest Neighbour Algorithm, ANN (Artificial Neural Network) (here we also employed the Multilevel Perceptron Algorithm), Convolutional Neural Network (CNN) Algorithm and the Recurrent Neural Network (RNN) Algorithm. The study concluded that amongst the various machine learning algorithms, the Logistic Regression and Decision tree classifiers all took a very short time to be implemented giving an accuracy of over 90% for malware detection inside various test datasets. The Gaussian Naïve-Bayes classifier, though fast to implement, only gave an accuracy between 51-88%. The Multilevel Perceptron, non-linear SVM and Gradient Boosting algorithms all took a very long time to be implemented. The algorithm that performed with the greatest accuracy was the Random Forest Classification algorithm.

Basem AL-Madani,Ahmad Shawahna,Mohammad Qureshi

DOI: https://doi.org/10.48550/arXiv.1911.05692

2019-11-02

Abstract:Industrial Control Networks (ICN) such as Supervisory Control and Data Acquisition (SCADA) systems are widely used in industries for monitoring and controlling physical processes. These industries include power generation and supply, gas and oil production and delivery, water and waste management, telecommunication and transport facilities. The integration of internet exposes these systems to cyber threats. The consequences of compromised ICN are determine for a country economic and functional sustainability. Therefore, enforcing security and ensuring correctness operation became one of the biggest concerns for Industrial Control Systems (ICS), and need to be addressed. In this paper, we propose an anomaly detection approach for ICN using the physical properties of the system. We have developed operational baseline of electricity generation process and reduced the feature set using greedy and genetic feature selection algorithms. The classification is done based on Support Vector Machine (SVM), k-Nearest Neighbor (k-NN), and C4.5 decision tree with the help from the inter-arrival curves. The results show that the proposed approach successfully detects anomalies with a high degree of accuracy. In addition, they proved that SVM and C4.5 produces accurate results even for high sensitivity attacks when they used with the inter-arrival curves. As compared to this, k-NN is unable to produce good results for low and medium sensitivity attacks test cases.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Systems and Control

Niandong Liao,Xiaoxuan Li,Li, Xiaoxuan

DOI: https://doi.org/10.1007/s40815-022-01269-0

IF: 4.085

2022-03-23

International Journal of Fuzzy Systems

Abstract:As the digital world becomes the main complement to the physical world, establishing a solid line of defense against cyber attacks becomes critical and arduous. The intrusion detection systems (IDSs) based on the supervised learning method have achieved excellent performance, which requires a large amount of labeled data in the training phase. However, attacks occur much less frequently than normal behaviors, and it is difficult to obtain accurate labels. In addition, IDSs based on supervised learning cannot identify unknown attacks. At the same time, the problem that detection accuracy varies greatly with different applications is very significant in traditional unsupervised learning methods. Therefore, it is necessary to perform high-precision anomaly detection on unlabeled samples. This paper proposes a traffic anomaly detection model using K-means and Active Learning Method (ALM), which is mainly composed of a feature extraction module and an anomaly detection module. Firstly, the Pearson correlation coefficient and Light Gradient Boosting Machine (LightGBM) are used in the feature extraction module to select important features. Secondly, K-means divides the characteristic-processed traffic into normal or abnormal categories. Finally, the results of K-means are diffused through ALM, and new classification results are obtained after defuzzification, thereby improving the accuracy of anomaly detection. The latest CICDDoS2019 data set is used in the experiment. Experimental results show that the detection accuracy of the proposed model is above 90%, and the F1 score is above 95%, regardless of whether it is a binary classification of a single attack or a mixed classification of multiple attacks. Compared with three unsupervised learning methods K-means, Auto-encoder and short-term memory (LSTM) and three supervised learning methods Naive Bayes (NB), Support Vector Machine (SVM), Decision Tree (DT), the proposed model has higher classification accuracy and better generalization effect. This article is very helpful for exploring the application of unsupervised learning methods in network intrusion detection systems based on the characteristics of the data itself.

computer science, information systems,automation & control systems, artificial intelligence

Junhui Cai,Qianmu Li

DOI: https://doi.org/10.1109/pic50277.2020.9350752

2020-01-01

Abstract:In order to improve production and management efficiency, traditional industrial control systems are gradually connected to the Internet, and more likely to use advanced modern information technologies, such as cloud computing, big data technology, and artificial intelligence. Industrial control system is widely used in national key infrastructure. Meanwhile, a variety of attack threats and risks follow, and once the industrial control network suffers maliciously attack, the loss caused is immeasurable. In order to improve the security and stability of the industrial Internet, this paper studies the industrial control network traffic threat identification technology based on machine learning methods, including GK-SVDD, RNN and KPCA reconstruction error algorithm, and proposes a heuristic method for selecting Gaussian kernel width parameter in GK-SVDD to accelerate real-time threat detection in industrial control environments. Experiments were conducted on two public industrial control network traffic datasets. Compared with the existing methods, these methods can obtain faster detection efficiency and better threat identification performance.

Simon Duque Anton,Suneetha Kanoor,Daniel Fraunholz,Hans Dieter Schotten

DOI: https://doi.org/10.1145/3230833.3232818

2019-05-28

Abstract:In the context of the Industrial Internet of Things, communication technology, originally used in home and office environments, is introduced into industrial applications. Commercial off-the-shelf products, as well as unified and well-established communication protocols make this technology easy to integrate and use. Furthermore, productivity is increased in comparison to classic industrial control by making systems easier to manage, set up and configure. Unfortunately, most attack surfaces of home and office environments are introduced into industrial applications as well, which usually have very few security mechanisms in place. Over the last years, several technologies tackling that issue have been researched. In this work, machine learning-based anomaly detection algorithms are employed to find malicious traffic in a synthetically generated data set of Modbus/TCP communication of a fictitious industrial scenario. The applied algorithms are Support Vector Machine (SVM), Random Forest, k-nearest neighbour and k-means clustering. Due to the synthetic data set, supervised learning is possible. Support Vector Machine and k-nearest neighbour perform well with different data sets, while k-nearest neighbour and k-means clustering do not perform satisfactorily.

Cryptography and Security,Machine Learning