Dinghua Wang,Dongqin Feng

DOI: https://doi.org/10.1109/iaeac.2018.8577543

2018-01-01

Abstract:Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.

Yi Yang,Hai-Qing Xu,Lei Gao,Y.B. Yuan,Kieran McLaughlin,Sakir Sezer

DOI: https://doi.org/10.1109/TPWRD.2016.2603339

IF: 4.825

2017-01-01

IEEE Transactions on Power Delivery

Abstract:Emerging cybersecurity vulnerabilities in supervisory control and data acquisition (SCADA) systems are becoming urgent engineering issues for modern substations. This paper proposes a novel intrusion detection system (IDS) tailored for cybersecurity of IEC 61850 based substations. The proposed IDS integrates physical knowledge, protocol specifications, and logical behaviors to provide a comprehens...

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Anbang Wang,Xinyu Gong,Jialiang Lu

DOI: https://doi.org/10.1109/smartcloud.2019.00028

2019-01-01

Abstract:With the development of network technology and the updating of intelligent networking devices, the variety of cyber attacks and the number of users being attacked are increasing. Intrusion Detection Systems (IDS) are commonly used in the field of network security to detect anomalous activity and behavior. Many previous works have achieved high detection accuracy on standard testing data sets by implementing mature Machine Learning (ML) algorithms. Inspired by the network ontology researches,, we propose two Long Short-Term Memory (LSTM) based IDSs with deep feature extraction: multi-class feature extraction IDS and dual-class feature extraction IDS. Through our experiments on the CICIDS2017 data set, we have found that multi-class feature extraction IDS can better identify the types of cyber attacks while the dual-class feature extraction IDS can better recall new attacks. We conclude that when the structure and characteristics of the classifier are limited, a reasonable selection of the feature extraction space can help improve the characteristics of the classifier and better achieve the downstream tasks in the security field.

Xuelei Wang,Colin Fidge,Ghavameddin Nourbakhsh,Ernest Foo,Zahra Jadidi,Calvin Li

DOI: https://doi.org/10.1109/access.2022.3142022

IF: 3.9

2022-01-01

IEEE Access

Abstract:In recent decades, cyber security issues in IEC 61850-compliant substation automation systems (SASs) have become growing concerns. Many researchers have developed various strategies to detect malicious behaviours of SASs during the system operational stage, such as anomaly-based detection. However, most existing anomaly-based detection methods identify an abnormal behaviour by checking every single network packet without any association. These traditional methods cannot effectively detect “stealthy” attacks which modify legitimate messages slightly while imitating patterns of benign behaviours. In this paper, we present feature selection and extraction methods to generalise and summarise critical features when detecting insider attacks triggering from untrusted control devices within SASs. By applying a sliding window-based sequential classification mechanism, our detection method can detect anomalies across multiple devices without the need to learn datasets collected from all devices. Firstly, to generalise critical features and summarise systems’ behaviours so that it is unnecessary to collect all datasets, we selected and extracted six critical network features from generic object-oriented substation events (GOOSE) messages and seven summarised physical features based on the general architecture of the primary plant of distribution substations. After that, to improve detection accuracy and reduce computational costs, we applied sliding window algorithms to divide datasets into different overlapped window-based snippets. Then we applied a sequential classification model based on Bidirectional Long Short-Term Memory networks to train and test those datasets. As a result, our method can detect insider attacks across multiple devices accurately with a false-negative rate of less than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

Heng Zhang,Yinchu Wang,Yawen Xue,Ruilong Deng,Hongran Li,Jian Zhang

DOI: https://doi.org/10.23919/ccc63176.2024.10662787

2024-01-01

Abstract:Industrial network control systems (INCSs) are easy to be targeted by attackers due to their high economic value. Most of the existing defense methods are deployed at the network boundary, which causes high-security risks to INCS once an attacker enters the system. In addition, many existing intrusion detection systems (IDSs) build detection models based on historical data. When INCS lacks sufficient historical data, it is difficult to build detection models with high accuracy. In this paper, we propose a trust assessment model for INCS based on Fourier series fitting employing concept of zero trust to assess the real-time trust of INCS. The model alerts when INCS has low trust. We test two data injection attacks in the experiment to prove the effectiveness of our approach.

A. E. M. Eljialy,Mohammed Yousuf Uddin,Sultan Ahmad

DOI: https://doi.org/10.26599/tst.2023.9010032

2024-02-13

Tsinghua Science & Technology

Abstract:Intrusion detection systems (IDSs) are deployed to detect anomalies in real time. They classify a network's incoming traffic as benign or anomalous (attack). An efficient and robust IDS in software-defined networks is an inevitable component of network security. The main challenges of such an IDS are achieving zero or extremely low false positive rates and high detection rates. Internet of Things (IoT) networks run by using devices with minimal resources. This situation makes deploying traditional IDSs in IoT networks unfeasible. Machine learning (ML) techniques are extensively applied to build robust IDSs. Many researchers have utilized different ML methods and techniques to address the above challenges. The development of an efficient IDS starts with a good feature selection process to avoid overfitting the ML model. This work proposes a multiple feature selection process followed by classification. In this study, the Software-defined networking (SDN) dataset is used to train and test the proposed model. This model applies multiple feature selection techniques to select high-scoring features from a set of features. Highly relevant features for anomaly detection are selected on the basis of their scores to generate the candidate dataset. Multiple classification algorithms are applied to the candidate dataset to build models. The proposed model exhibits considerable improvement in the detection of attacks with high accuracy and low false positive rates, even with a few features selected.

computer science, information systems,engineering, electrical & electronic, software engineering

Estelle Hotellier,Franck Sicard,Julien Francq,Stéphane Mocanu

DOI: https://doi.org/10.1016/j.ins.2024.120102

IF: 8.1

2024-01-12

Information Sciences

Abstract:In this paper, we develop a specification-based, process-aware, Intrusion Detection System (IDS) for complex Industrial Control Systems (ICSs). Complex ICSs are distributed and hierarchical control systems built on top of local control loops which are the system's elementary building blocks. Process-aware attacks are sophisticated cyberattacks that aim to compromise the safety of the controlled physical process. Our approach aims to link safety specifications and security properties. Thus, we use international and industry standards specifications concerning local safety, global safety and networks of the industrial process, in order to obtain security properties. The obtained security properties are cybersecurity related requirements. They are translated into security patterns in order to be runtime monitored by our network IDS. This latter relies on a distributed monitoring framework, capturing network traffic between the local loops and the distributed control level, as well as between distributed control and supervisory control. We implemented and evaluated our IDS on a real ICS. We experimentally show that our IDS detects a large spectrum of attacks. We also show that our distributed IDS is scalable since its detection response time as a function of the number of monitored security patterns, is linear. A demonstrator comprising code extracts is made available.

computer science, information systems

Ibrahim M. EL EL-Hasnony,

DOI: https://doi.org/10.54216/jisiot.000204

2019-01-01

Journal of Intelligent Systems and Internet of Things

Abstract:Wireless sensor network (WSN) is mainly utilized for data gathering and surveillance applications. As WSN is majorly deployed in harsh and hostile environments, security remains a critical issue which needs to be resolved. An intrusion detection system (IDS) is one of the proficient ways used to determine the presence of abnormal behaviors (i.e. intrusions) in the network. Earlier studies have focused on the design of machine learning (ML) and deep learning (ML) models to design IDS. With this motivation, this paper presents an intelligent differential evolution based feature selection with deep neural network (IDEFS-DNN) for intrusion detection in WSN. The proposed IDEFS-DNN model aims to select optimum set of features and classify the intrusions in the network. In addition, the IDEFS-DNN technique involves the design of IDEFS technique to choose a subset of optimum features. Moreover, the chosen features are fed into the DNN technique for classification purposes. The usage of IDEFS technique helps to reduce the complexity and increase the classifier outcome. In order to portray the improved performance of the IDEFS-DNN technique, wide ranging experiments take place on benchmark datasets and the results are inspected under varying aspects. The simulation results ensured the enhanced intrusion detection performance of the IDEFS-DNN technique over the other IDS models.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.3390/electronics8121545

IF: 2.9

2019-01-01

Electronics

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanisms. An improved intrusion detection system (IDS), which is strongly correlated to specific industrial scenarios, is necessary for modern ICS. On one hand, this paper outlines three kinds of attack models, including infiltration attacks, creative forging attacks, and false data injection attacks. On the other hand, a two stage IDS is proposed, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on the autoregressive integrated moving average (ARIMA), can forecast the traffic of the ICS network in the short term and detect infiltration attacks precisely according to the abnormal changes in traffic patterns. Furthermore, the anomaly detection model, using a one class support vector machine (OCSVM), is able to detect malicious control instructions by analyzing the key field in Ethernet/IP packets. The confusion matrix is selected to testify to the effectiveness of the proposed method, and two other innovative IDSs are used for comparison. The experiment results show that the proposed two stage IDS in this paper has an outstanding performance in detecting infiltration attacks, forging attacks, and false data injection attacks compared with other IDSs.

Xiao Chun Yin,Zeng Guang Liu,Lewis Nkenyereye,Bruce Ndibanje

DOI: https://doi.org/10.3390/s19224952

2019-11-14

Abstract:We present an innovative approach for a Cybersecurity Solution based on the Intrusion Detection System to detect malicious activity targeting the Distributed Network Protocol (DNP3) layers in the Supervisory Control and Data Acquisition (SCADA) systems. As Information and Communication Technology is connected to the grid, it is subjected to both physical and cyber-attacks because of the interaction between industrial control systems and the outside Internet environment using IoT technology. Often, cyber-attacks lead to multiple risks that affect infrastructure and business continuity; furthermore, in some cases, human beings are also affected. Because of the traditional peculiarities of process systems, such as insecure real-time protocols, end-to-end general-purpose ICT security mechanisms are not able to fully secure communication in SCADA systems. In this paper, we present a novel method based on the DNP3 vulnerability assessment and attack model in different layers, with feature selection using Machine Learning from parsed DNP3 protocol with additional data including malware samples. Moreover, we developed a cyber-attack algorithm that included a classification and visualization process. Finally, the results of the experimental implementation show that our proposed Cybersecurity Solution based on IDS was able to detect attacks in real time in an IoT-based Smart Grid communication environment.

Muneeba Nasir,Abdul Rehman Javed,Muhammad Adnan Tariq,Muhammad Asim,Thar Baker

DOI: https://doi.org/10.1007/s11227-021-04250-0

IF: 3.3

2022-01-13

The Journal of Supercomputing

Abstract:Devices belonging to the realm of edge Internet of Things (IoT) are becoming highly susceptible to intrusion attacks. The large-scale development in edge IoT, ease of availability, and affordability have drastically increased its usage in the real world. The business market revolves around producing better, innovative, and appealing products every day. However, security is often left unchecked to achieve these standards. Therefore, vulnerabilities present in these devices make them susceptible to various intrusion attacks. We devised a model named DF-IDS for detecting intrusions in IoT traffic. DF-IDS consists of two main phases: In the 1stdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$1^{st}$$end{document} phase, it comparatively selects the best features from the feature matrix using SpiderMonkey (SM), principle component analysis (PCA), information gain (IG), and correlation attribute evaluation (CAE). In the 2nddocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$2^{nd}$$end{document} phase, these features along with assigned labels are used to train a deep neural network for intrusion detection. DF-IDS achieves an accuracy of 99.23% with an F1-score of 99.27%. It shows improvement not only in accuracy but also in F1 score as compared to the other comparative models and existing studies.

Vegard Berge,Chunlei Li

2024-10-26

Abstract:Traditional intrusion detection systems (IDSs) often rely on either network traffic or process data, but this single-source approach may miss complex attack patterns that span multiple layers within industrial control systems (ICSs) or persistent threats that target different layers of operational technology systems. This study investigates whether combining both network and process data can improve attack detection in ICSs environments. Leveraging the SWaT dataset, we evaluate various machine learning models on individual and combined data sources. Our findings suggest that integrating network traffic with operational process data can enhance detection capabilities, evidenced by improved recall rates for cyber attack classification. Serving as a proof-of-concept within a limited testing environment, this research explores the feasibility of advancing intrusion detection through a multi-source data approach in ICSs. Although the results are promising, they are preliminary and highlight the need for further studies across diverse datasets and refined methodologies.

Cryptography and Security

Firuz Kamalov,Sherif Moussa,Rita Zgheib,Omar Mashaal

DOI: https://doi.org/10.1109/ISCID51228.2020.00065

2021-06-29

Abstract:In this paper, we analyze existing feature selection methods to identify the key elements of network traffic data that allow intrusion detection. In addition, we propose a new feature selection method that addresses the challenge of considering continuous input features and discrete target values. We show that the proposed method performs well against the benchmark selection methods. We use our findings to develop a highly effective machine learning-based detection systems that achieves 99.9% accuracy in distinguishing between DDoS and benign signals. We believe that our results can be useful to experts who are interested in designing and building automated intrusion detection systems.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Joseph Bamidele Awotunde,Chinmay Chakraborty,Abidemi Emmanuel Adeniyi

DOI: https://doi.org/10.1155/2021/7154587

2021-09-02

Wireless Communications and Mobile Computing

Abstract:The Industrial Internet of Things (IIoT) is a recent research area that links digital equipment and services to physical systems. The IIoT has been used to generate large quantities of data from multiple sensors, and the device has encountered several issues. The IIoT has faced various forms of cyberattacks that jeopardize its capacity to supply organizations with seamless operations. Such risks result in financial and reputational damages for businesses, as well as the theft of sensitive information. Hence, several Network Intrusion Detection Systems (NIDSs) have been developed to fight and protect IIoT systems, but the collections of information that can be used in the development of an intelligent NIDS are a difficult task; thus, there are serious challenges in detecting existing and new attacks. Therefore, the study provides a deep learning-based intrusion detection paradigm for IIoT with hybrid rule-based feature selection to train and verify information captured from TCP/IP packets. The training process was implemented using a hybrid rule-based feature selection and deep feedforward neural network model. The proposed scheme was tested utilizing two well-known network datasets, NSL-KDD and UNSW-NB15. The suggested method beats other relevant methods in terms of accuracy, detection rate, and FPR by 99.0%, 99.0%, and 1.0%, respectively, for the NSL-KDD dataset, and 98.9%, 99.9%, and 1.1%, respectively, for the UNSW-NB15 dataset, according to the results of the performance comparison. Finally, simulation experiments using various evaluation metrics revealed that the suggested method is appropriate for IIOT intrusion network attack classification.

computer science, information systems,telecommunications,engineering, electrical & electronic

Nils Müller,Charalampos Ziras,Kai Heussen

DOI: https://doi.org/10.48550/arXiv.2202.09352

2022-02-18

Cryptography and Security

Abstract:The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.

Zakaria El Mrabet,Mehdi Ezzari,Hassan Elghazi,Badr Abou El Majd

DOI: https://doi.org/10.48550/arXiv.2001.00916

2019-12-31

Cryptography and Security

Abstract:Smart grid is an alternative solution of the conventional power grid which harnesses the power of the information technology to save the energy and meet today's environment requirements. Due to the inherent vulnerabilities in the information technology, the smart grid is exposed to a wide variety of threats that could be translated into cyber-attacks. In this paper, we develop a deep learning-based intrusion detection system to defend against cyber-attacks in the advanced metering infrastructure network. The proposed machine learning approach is trained and tested extensively on an empirical industrial dataset which is composed of several attack categories including the scanning, buffer overflow, and denial of service attacks. Then, an experimental comparison in terms of detection accuracy is conducted to evaluate the performance of the proposed approach with Naive Bayes, Support Vector Machine, and Random Forest. The obtained results suggest that the proposed approaches produce optimal results comparing to the other algorithms. Finally, we propose a network architecture to deploy the proposed anomaly-based intrusion detection system across the Advanced Metering Infrastructure network. In addition, we propose a network security architecture composed of two types of Intrusion detection system types, Host and Network-based, deployed across the Advanced Metering Infrastructure network to inspect the traffic and detect the malicious one at all the levels.

A. Termanini,D. Al-Abri,H. Bourdoucen,A. Al Maashri

DOI: https://doi.org/10.1007/s10207-024-00916-x

2024-11-10

International Journal of Information Security

Abstract:Industrial control systems (ICS) are vital parts of the physical infrastructure for many industrial assets, such as oil and gas fields, water stations, and power generation plants. Inadequate protection of such critical assets may lead to disruption of vital services and substantial monetary losses. Therefore, the safety of these assets is prioritized as national security. Operational technology networks have a unique nature and different requirements than conventional enterprise networks as they seek tailored security solutions to detect and prevent cyberattacks on such attractive targets. Motivated by a necessary need from industry and academia, this paper aims to present a broad survey of the research works related to developing Intrusion Detection Systems in ICS networks focusing on using recent machine learning techniques. A proposed review methodology is presented and applied to the relevant selected literature. The paper offers a comparative analysis to provide better insights into this domain, where it identifies several unresolved challenges that present intriguing research prospects for the industry and academic community.

computer science, information systems, theory & methods, software engineering

Y. Yang,K. McLaughlin,S. Sezer,Y. B. Yuan,W. Huang

DOI: https://doi.org/10.1109/pesgm.2014.6939218

2014-01-01

Abstract:Cyber threats in Supervisory Control and Data Acquisition (SCADA) systems have the potential to render physical damage and jeopardize power system operation, safety and stability. SCADA systems were originally designed with little consideration of escalating cyber threats and hence the problem of how to develop robust intrusion detection technologies to tailor the requirements of SCADA is an emerging topic and a big challenge. This paper proposes a stateful Intrusion Detection System (IDS) using a Deep Packet Inspection (DPI) method to improve the cyber-security of SCADA systems using the IEC 60870-5-104 protocol which is tailored for basic telecontrol communications. The proposed stateful protocol analysis approach is presented that is designed specifically for the IEC 60870-5-104 protocol. Finally, the novel intrusion detection approach are implemented and validated.