Yanjie Li,Xiaoyu Ji,Chenggang Li,Xiaofeng Xu,Wei Yan,Xu Yan,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.1109/iceiec49280.2020.9152334

2020-01-01

Abstract:In recent years, artificial intelligence has been widely used in the field of network security, which has significantly improved the effect of network security analysis and detection. However, because the power industrial control system is faced with the problem of shortage of attack data, the direct deployment of the network intrusion detection system based on artificial intelligence is faced with the problems of lack of data, low precision, and high false alarm rate. To solve this problem, we propose an anomaly traffic detection method based on cross-domain knowledge transferring. By using the TrAdaBoost algorithm, we achieve a lower error rate than using LSTM alone.

Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Ying-xu LAI,Jiao JIAO

DOI: https://doi.org/10.11936/bjutxb2014040009

2015-01-01

Abstract:To improve the detecting accuracy of malicious traffic in industrial control systems ( ICS) , an innovative approach based on structural time series model is proposed. Industrial Ethernet traffic can be decomposed into four components. Each component is established by a state space model respectively, which brings out high fitting precision. Therefore compared with X-12, the average positive rate of this method increases by 38%. In the meanwhile, this method provides a way to decrease false positive rate and time complexity.

Jiayi Liu,Yun Sha,Wenchang Zhang,Yong Yan,Xuejun Liu

DOI: https://doi.org/10.3390/s24186131

2024-09-23

Abstract:Anomaly detection in industrial control system (ICS) data is one of the key technologies for ensuring the security monitoring of ICSs. ICS data are characterized as complex, multi-dimensional, and long-sequence time-series data that embody ICS business logic. Due to its complex and varying periodic characteristics, as well as the presence of long-distance and misaligned temporal associations among features, current anomaly detection methods in ICS are insufficient for feature extraction. This paper proposes an anomaly detection method named TFANet, based on time-frequency fusion feature attention encoding. Considering that periodic variations are more concentrated in the frequency domain, this method first transforms the time-domain data into the frequency domain, obtaining both amplitude and phase data. Then, these data, together with the original time-series data, are used to extract features from two perspectives: long-term temporal changes and long-distance associations. Finally, the six features learned from both the time and frequency domains are fused, and the feature weights are calculated using an attention mechanism to complete the anomaly classification. In multi-classification tasks on three ICS datasets, the proposed method outperforms three popular time-series models-iTransformer, Crossformer, and TimesNet-across five metrics: accuracy, precision, recall, F1 score, and AUC-ROC, with average improvements of approximately 19%, 37%, 31%, 35%, and 22%, respectively.

Basem AL-Madani,Ahmad Shawahna,Mohammad Qureshi

DOI: https://doi.org/10.48550/arXiv.1911.05692

2019-11-02

Abstract:Industrial Control Networks (ICN) such as Supervisory Control and Data Acquisition (SCADA) systems are widely used in industries for monitoring and controlling physical processes. These industries include power generation and supply, gas and oil production and delivery, water and waste management, telecommunication and transport facilities. The integration of internet exposes these systems to cyber threats. The consequences of compromised ICN are determine for a country economic and functional sustainability. Therefore, enforcing security and ensuring correctness operation became one of the biggest concerns for Industrial Control Systems (ICS), and need to be addressed. In this paper, we propose an anomaly detection approach for ICN using the physical properties of the system. We have developed operational baseline of electricity generation process and reduced the feature set using greedy and genetic feature selection algorithms. The classification is done based on Support Vector Machine (SVM), k-Nearest Neighbor (k-NN), and C4.5 decision tree with the help from the inter-arrival curves. The results show that the proposed approach successfully detects anomalies with a high degree of accuracy. In addition, they proved that SVM and C4.5 produces accurate results even for high sensitivity attacks when they used with the inter-arrival curves. As compared to this, k-NN is unable to produce good results for low and medium sensitivity attacks test cases.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Systems and Control

Fei-Fan Tu,Dong-Jie Liu,Zhi-Wei Yan,Xiao-Bo Jin,Guang-Gang Geng

DOI: https://doi.org/10.1016/j.cose.2024.103961

IF: 5.105

2024-01-01

Computers & Security

Abstract:Networks and industrial systems play a pivotal role in modern society, and their security has garnered increasing attention. Anomalies within industrial equipment may propagate through fault transmission, leading to a cascade of failures. Additionally, cyberattacks on equipment can result in significant losses. Therefore, in the realm of industrial and cyberspace domains, an effective multivariate time series anomaly detection system for monitoring equipment is instrumental in ensuring the healthy operation of the machinery. Nevertheless, detecting anomalies in numerous time series remains challenging, stemming from the absence of anomaly labels and the complexity of the data patterns. Existing algorithms predominantly concentrate on modeling within the time domain, falling short in fully leveraging the informative features present in frequency domain data, resulting in diminished detection performance. This paper introduces STFT-TCAN, a model for anomaly detection in time series that seamlessly integrates information from both time and frequency domains for extracting data features. Sliding windows and the Short Time Fourier Transform (STFT) are utilized to construct a frequency matrix, effectively amalgamating the characteristics of both time and frequency domains within the time series. Furthermore, the model employs Temporal Convolutional Networks (TCN) and Transformer attention mechanisms (which combined to form the TCAN module) to capture the features of multivariate time series, thereby resulting in heightened detection accuracy. The proposed model undergoes validation on six publicly available datasets, showcasing the superior performance of the STFT-TCAN model in comparison to current baseline methods. It adeptly extracts features from both frequency and time domains in sequential data, thereby achieving state-of-the-art performance in tasks related to anomaly detection in multivariate time series.

Shujiang Xie,Lian Li,Yian Zhu

DOI: https://doi.org/10.1016/j.cose.2024.104075

IF: 5.105

2024-01-01

Computers & Security

Abstract:Effective anomaly detection in multivariate time series data is critical to ensuring the security of Internet of Things (IoT) devices and systems. However, building a high precision and low false positive rate anomaly detection model for the complex and volatile IoT environment is a challenging task. This is often due to issues such as a lack of anomaly labeling, high data volatility, and the complexity of device mechanisms. Traditional machine learning algorithms and sequence models frequently fail to account for feature correlation and temporal dependency in anomaly detection. Although deep learning-based anomaly detection methods have progressed, there is still room for improvement in precision, recall, and generalization ability. In this paper, we propose an anomaly detection model called Meta-MWDG to address these issues. The model is based on a multi-scale discrete wavelet decomposition and a dual graph attention network, which can effectively extract feature correlation and temporal dependency in multivariate time series data. Additionally, model-agnostic meta-learning (MAML) is introduced to improve the model’s generalization performance, enabling it to perform well on new tasks even with a few samples. A gated recurrent unit (GRU) is combined with a multi-head self-attention network to output both prediction and reconstruction results in a joint optimization strategy, improving the precision of anomaly detection. Extensive experimental studies demonstrate that Meta-MWDG outperforms the state-of-the-art methods in anomaly detection.

Mingxin Tang,Wei Chen,Wen Yang

DOI: https://doi.org/10.1080/09540091.2022.2092594

2022-01-01

Connection Science

Abstract:Anomaly detection of multi-dimensional time-series data is a key research area, and the analysis of control, switching, and other state signals (i.e., industrial state quantity time series) is of particular importance to the operational sciences. When only the limited values of industrial state quantities are taken in the discrete set, there is no continuous change trend, making it difficult to achieve good results when applying analogue anomaly detection methods directly. In this study, assuming a correlation between the time series of state and analogue quantities in industrial systems, a model for anomaly detection in state quantity time-series data is built through a correlation supported by long short-term memory, and the model is verified using real physical process data. These results demonstrate that the proposed method is superior to extant industrial time-series models. Thus far, no studies focusing on the anomaly detection of two-state quantity time-series outliers have been performed. We believe that the research problem addressed herein and the proposed method contribute an interesting design methodology for the anomaly detection of time-series data in IIoT.

Yingxu Lai,Zenghui Liu,Zhanwei Song,Yusheng Wang,Yiwei Gao

DOI: https://doi.org/10.1016/j.simpat.2016.01.013

IF: 4.199

2016-01-01

Simulation Modelling Practice and Theory

Abstract:With the ever growing demand of location-independent access to Autonomous Decentralized Systems (ADS), anomaly detection scheme for industrial Ethernet, which highly is satisfied with demanding real-time and reliable industrial applications, becomes one of the most pressing subjects in ADS. In this paper, we present an innovative approach to build a traffic model based on structural time series model for a chemical industry system. A basic structural model that decomposes time series into four items is established by the stationary analysis of industrial traffic. Parameters in the model are identified by the state space model, which is conducted from the training sequence using standard Kalman filter recursions and the EM algorithm. Furthermore, the performance of state space model is evaluated by the experimental results that confirm significant improvement in detection accuracy and the validity of abnormal data localization.

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Chunjie Zhou,Shuang Huang,Naixue Xiong,Shuang-Hua Yang,Huiyun Li,Yuanqing Qin,Xuan Li

DOI: https://doi.org/10.1109/TSMC.2015.2415763

2015-01-01

Abstract:Industrial process automation is undergoing an increased use of information communication technologies due to high flexibility interoperability and easy administration. But it also induces new security risks to existing and future systems. Intrusion detection is a key technology for security protection. However, traditional intrusion detection systems for the IT domain are not entirely suitable for industrial process automation. In this paper, multiple models are constructed by comprehensively analyzing the multidomain knowledge of field control layers in industrial process automation, with consideration of two aspects: physics and information. And then, a novel multimodel-based anomaly intrusion detection system with embedded intelligence and resilient coordination for the field control system in industrial process automation is designed. In the system, an anomaly detection based on multimodel is proposed, and the corresponding intelligent detection algorithms are designed. Furthermore, to overcome the disadvantages of anomaly detection, a classifier based on an intelligent hidden Markov model, is designed to differentiate the actual attacks from faults. Finally, based on a combination simulation platform using optimized performance network engineering tool, the detection accuracy and the real-time performance of the proposed intrusion detection system are analyzed in detail. Experimental results clearly demonstrate that the proposed system has good performance in terms of high precision and good real-time capability.

Bedeuro Kim,Mohsen Ali Alawami,Eunsoo Kim,Sanghak Oh,Jeongyong Park,Hyoungshick Kim

DOI: https://doi.org/10.3390/s23031310

IF: 3.9

2023-01-24

Sensors

Abstract:Anomaly detection has been known as an effective technique to detect faults or cyber-attacks in industrial control systems (ICS). Therefore, many anomaly detection models have been proposed for ICS. However, most models have been implemented and evaluated under specific circumstances, which leads to confusion about choosing the best model in a real-world situation. In other words, there still needs to be a comprehensive comparison of state-of-the-art anomaly detection models with common experimental configurations. To address this problem, we conduct a comparative study of five representative time series anomaly detection models: InterFusion, RANSynCoder, GDN, LSTM-ED, and USAD. We specifically compare the performance analysis of the models in detection accuracy, training, and testing times with two publicly available datasets: SWaT and HAI. The experimental results show that the best model results are inconsistent with the datasets. For SWaT, InterFusion achieves the highest F1-score of 90.7% while RANSynCoder achieves the highest F1-score of 82.9% for HAI. We also investigate the effects of the training set size on the performance of anomaly detection models. We found that about 40% of the entire training set would be sufficient to build a model producing a similar performance compared to using the entire training set.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Sizheng Chen,Dong Yan,Xing He

DOI: https://doi.org/10.23919/ccc63176.2024.10662146

2024-01-01

Abstract:Anomaly detection is a crucial task in monitoring the diverse states within Industrial Control Systems (ICS), which are typically characterized by Multivariate Time Series (MTS). Accurately detecting anomalies, along with identifying a set of highly anomalous metrics to explain these anomalies, is essential for facilitating effective troubleshooting. This paper introduces a sophisticated deep learning method that comprehensively addresses both temporal and feature correlations within multivariate time series data. During training, this method integrates models based on both forecasting and reconstruction. The forecasting model adeptly captures the temporal and feature dependencies within the data. Meanwhile, the reconstruction model enhances the system’s robustness, accommodating the stochastic nature of the time series and better resisting perturbations and noise. By synergizing these approaches, the method capitalizes on their combined strengths. The efficacy of this model is demonstrated through its evaluation on the SWaT water treatment dataset, where it achieves an impressive average anomaly detection F1-Score of 0.93, outperforming other methodologies in the field.

Hussain Nizam,Samra Zafar,Zefeng Lv,Fan Wang,Xiaopeng Hu

DOI: https://doi.org/10.1109/jsen.2022.3211874

IF: 4.3

2022-12-03

IEEE Sensors Journal

Abstract:The data produced by millions of connected devices and smart sensors in the Industrial Internet of Things (IIoT) is highly dynamic, large-scale, heterogeneous, and time-stamped. These time-stamped data are the core of IIoT automation and have the potential to affect industrial processes intensely. It poses significant challenges to effectively detect anomalies from time-series data and deliver actionable insights in real time to drive improvements to industrial processes. In most practical applications, where data are used to make automated decisions, real-time anomaly detection is critical. With this focus, in this article, we advise a hybrid end-to-end deep anomaly detection (DAD) framework to accurately detect anomalies and extremely rare events on sensitive, Internet of Things (IoT) streaming data in real time or near real time. The proposed framework is based on a convolutional neural network (CNN) and a two-stage long short-term memory (LSTM)-based Autoencoder (AE). We exploit a two-stage LSTM AE in parallel to detect anomalies and extremely rare events hidden in massive sensor data by identifying short- and long-term variations in actual sensor values from the predicted values. We design and train a hybrid model using the Keras/TensorFlow framework as the backend. The experimental results on one simulation and two real datasets demonstrate that the proposed framework achieved better performance and outperforms other state-of-the-art competitive models. Moreover, to prove that the proposed model can be designed for the network edge, we train, optimize, and quantize the model to run-on resource-constrained (i.e., edge) devices. Further evaluation indicates that the training and inference time for each sample is short enough to carry out anomaly detection on edge.

engineering, electrical & electronic,instruments & instrumentation,physics, applied

Han Li,Xinyu Wang,Zhongguo Yang,Sikandar Ali,Ning Tong,Samad Baseer

DOI: https://doi.org/10.1155/2022/4756480

IF: 3.12

2022-06-01

Computational Intelligence and Neuroscience

Abstract:In industry, sensor-based monitoring of equipment or environment has become a necessity. Instead of using a single sensor, multi-sensor system is used to fully detect abnormalities in complex scenarios. Recently, physical models, signal processing technology, and various machine learning models have improved the performance. However, these methods either do not consider the potential correlation between features or do not take advantage of the sequential changes of correlation while constructing an anomaly detection model. This paper firstly analyzes the correlation characteristic of a multi-sensor system, which shows a lot of clues to the anomaly/fault propagation. Then, a multi-sensor anomaly detection method, which finds and uses the correlation between features contained in the multidimensional time-series data, is proposed. The method converts the multidimensional time-series data into temporal correlation graphs according to time window. By transforming time-series data into graph structure, the task of anomaly detection is considered as a graph classification problem. Moreover, based on the stability and dynamics of the correlation between features, a structure-sensitive graph neural network is used to establish the anomaly detection model, which is used to discover anomalies from multi-sensor system. Experiments on three real-world industrial multi-sensor systems with anomalies indicate that the method obtained better performance than baseline methods, with the mean value of F1 score reaching more than 0.90 and the mean value of AUC score reaching more than 0.95. That is, the method can effectively detect anomalies of multidimensional time series.

mathematical & computational biology,neurosciences

Jiahao Shan,Donghong Cai,Fang,Zahid Khan,Pingzhi Fan

DOI: https://doi.org/10.1109/ojcoms.2024.3511951

2024-01-01

IEEE Open Journal of the Communications Society

Abstract:Anomaly detection of multivariate time series (MTS) is crucial in industrial intelligent systems. To address the challenges of absence of anomaly labels, fast inference time, multi-source and multi-modality in anomaly detection, researchers have primarily investigated unsupervised reconstruction-driven methods. However, the existing reconstruction-driven methods mainly focus on minimizing reconstruction errors while neglecting the importance of training methods that increase errors between normal and abnormal classes. Furthermore, accurately constructing the feature space of normal and abnormal classes during the reconstruction process remains a challenge. In this paper, we propose an innovative model, namely the confidence adversarial autoencoder (CAAE). The proposed CAAE combines a confidence network, based on window credibility judgment, with an autoencoder to provide credibility support for anomaly detection. We further introduce fake labels to provide the confidence network with a discriminative knowledge for identifying reconstructed data. Additionally, we implement the confidence adversarial training method to generate fake labels to construct an adversarial loss aiming to expand the decision boundary of anomaly scores. Extensive experimental results on publicly available time series datasets are provided to demonstrate the efficiency of our proposed CAAE. It reveals that excellent generalization ability and superior average performance are achieved on different datasets compared with the state-of-the-art methods.

Zhan-wei SONG,Rui-kang ZHOU,Ying-xu LAI,Ke-feng FAN,Xiang-zhen YAO,Lin LI,Wei LI

DOI: https://doi.org/10.11896/j.issn.1002-137X.2018.01.041

2018-01-01

Abstract:At present,the ICS network security has become a key problem in the field of information security.Detecting attacks,such as behavior data tampering attack and control program tampering attack,is a difficult problem of ICS network security.Therefore,this paper proposed an anomaly detection method based on behavior model.This method extracts the behavior data sequence from the industrial control network traffic.Then it constructs the normal behavior model according to the control process and the controlled process of ICS.At last,it determines whether an exception occurs by comparing and analyzing the behavior data extracted in real time and the behavior data predicted by the model.The experimental analysis shows that it can effectively detect behavior data tampering attack,control program tampering attack and so on.

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Jiang Lin,Xu Hang,Liu Jinhai,Shen Xiangkai,Lu Senxiang,Shi Zhan

DOI: https://doi.org/10.1007/s00521-022-07101-y

2022-01-01

Neural Computing and Applications

Abstract:To improve the validity of industrial multi-sensor signals, anomaly detection has become a significant part of industrial signal processing. In practical measurement, industrial multi-sensor signals are mostly fluctuant, and the correlation between the front and back signals is uncertain. These increase the difficulty of the abnormal signal detection. For these problems, this paper proposes an anomaly detection method for industrial multi-sensor signals based on enhanced spatiotemporal features. Firstly, a series of signal preprocessing is performed relying on the characteristics of data set, so that the signals will be processed in a stable state. Then, a stack spatial–temporal autoencoder, which relies on the improved deep stack long short-term memory and autoencoder feature extractors, is proposed to extract features and to reconstruct signals. Next, a high-dimensional unsupervised clusterer is proposed to detect the abnormal signals. Finally, two case studies in magnetic flux leakage (MFL) signals and Tennessee Eastman (TE) benchmark are conducted. MFL signals are the actual signals collected from the experimental platform, and TE benchmark is a public data set. State-of-the-art comparison experiments on feature extraction and abnormal signal detection are performed, and the results show that the proposed method is effective.

Xudong Lu,Shipeng Wang,Fengjian Kang,Shijun Liu,Hui Li,Xiangzhen Xu,Lizhen Cui

DOI: https://doi.org/10.1108/ijcs-09-2019-0024

2019-01-01

International Journal of Crowd Science

Abstract:Purpose – The purpose of this paper is to detect abnormal data of complex and sophisticated industrial equipment with sensors quickly and accurately. Due to the rapid development of the Internet of Things, more and more equipment is equipped with sensors, especially more complex and sophisticated industrial equipment is installed with a large number of sensors. A large amount of monitoring data is quickly collected to monitor the operation of the equipment. How to detect abnormal data quickly and accurately has become a challenge. Design/methodology/approach – In this paper, the authors propose an approach called Multiple Group Correlation-based Anomaly Detection (MGCAD), which can detect equipment anomaly quickly and accurately. The single-point anomaly degree of equipment and the correlation of each kind of data sequence are modeled by using multi-group correlation probability model (a probability distribution model which is helpful to the anomaly detection of equipment), and the anomaly detection of equipment is realized. Findings – The simulation data set experiments based on real data show that MGCAD has better performance than existing methods in processing multiple monitoring data sequences. Originality/value – The MGCAD method can detect abnormal data quickly and accurately, promote the intelligent level of smart articles and ultimately help to project the real world into cyber space in CrowdIntell Network.