Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Ruochen Zhou,Zhiyun Wang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9347104

2020-01-01

Abstract:Programmable logic controller (PLC) is one of the critical infrastructure in industrial control system, which is therefore vulnerable to a variety of cyber-attacks. To mitigate this issue, we design an anomaly detection system, a novel non-invasive intrusion detection method for PLC. Our system utilizes the magnetic side-channel information around the power supply module of PLC and analyzes the running status rely on the fact that different programs will result in various magnetic characteristic. We design a classification algorithm which can extract representational features from the raw signal, as well as avoid the interference of environmental noise. To validate the idea, we design 3 types of attacks and implement on the prototype of thermal power plant in laboratory. The evaluation shows our system is feasible to detect attacks and achieve an overall detection accuracy above 90%.

Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1109/tie.2020.2965467

IF: 7.7

2021-01-01

IEEE Transactions on Industrial Electronics

Abstract:The problem of attack detection for Stuxnet in the industrial control system is discussed in this article. Different operating modes (normal and hazard modes) may occur in the nominal process. In this article, we consider that the transition between different modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, the attack signals with random multitude and frequency will be injected to trigger more hazard modes, and finally, hasten fatigue of control devices. Under this unpredictable attack, the transition between operating modes will not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is utilized to describe the Stuxnet attack. The transition probabilities are estimated based on the measurements. By recognizing operating modes and predicting the number of the occurrence of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters considering random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method.

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Xianjing Li,Dongqin Feng

DOI: https://doi.org/10.1109/iciscae48440.2019.221645

2019-01-01

Abstract:Currently, the industrial control systems (ICS) have faced many changeable and complexed attacks. Apart from normal attack, there are also many variations, which put ICS into a huge hidden danger. Under this circumstance, the traditional detection techniques cannot identify the special variation types of attacks, effectively, comprehensively nor accurately. Therefore, a detection method named principal component analysis (PCA) with cosine similarity and support vector machine (SVM) is proposed. Moreover, the method is applied to detect the square wave attack in ICS. The detection method is executed as follows. Firstly, the raw signals are classified, by selecting proper length. Secondly, PCA method are used to reduce the dimension. Based on the first normal signal, the cosine similarity coefficients between the first normal part and the rest are calculated. Hence, the attack-feature vectors are composed by similarity coefficients. Next, data after that is selected to serve as the SVM training sample, replenishing the attack features. As for simulation, the cascade control loop of a typical industrial control system is chosen. The results show that the method can detect the signals, timely and accurately, no matter periodic square wave attack or aperiodic. For system, the proposed method and model can judge the security state of ICS. Above all, this method provides accurate decision-making suggestions to security management personnel.

Aidong Xu,Yixin Jiang,Yang Cao,Guoming Zhang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei247390.2019.9062014

2019-01-01

Abstract:With the rapid development of information technology and the Internet of Things, the common information technologies are being applied to the power grid. It brings about the tremendous improvement in productivity, yet breaks down the safety barrier, which makes the power grid a popular target for attacks. The Distribution Terminal Unit (DTU) is a critical part of the power grid because of the acts as access points in the substation and controls the grid equipment. However, DTUs are vulnerable to different types of attacks, which can cause significant property loss or even casualties To monitor the operation of DTU, we proposed a real-time monitoring system by analyzing the side-channel information of power consumption. To validate this idea, we design 3 types of attacks and collect the power information separately, then we choose representational power features and machine learning algorithm for detecting those attacks. We validate that it is feasible to detect attacks and achieves a detection accuracy above 99%.

Shangqing Cui,Dongqin Feng

DOI: https://doi.org/10.1109/icpeca56706.2023.10076096

2023-01-01

Abstract:With the application of Internet technologies in the industrial field, industrial control systems (ICS) have the possibility of suffering malicious network attacks. Because ICS is widely used in critical infrastructure, designing attack detection algorithms for it can effectively reduce losses. Many papers have built physical models for cyber-attacks against ICS and the corresponding detection algorithms have been proposed. However, the detection performance can be further improved. This paper establishes the simulation attack on the Tennessee Eastman (TE) process and proposes an improved support vector machine (SVM) method to detect integrity attacks. This algorithm uses contribution plots and recursive feature elimination to select features. Compared with the principal component analysis (PCA) feature extraction, the detection accuracy is improved. After adding system dynamics to the algorithm, the time to detect attacks is advanced.

Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Da-long LIU,Dong-qin FENG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2018.09.014

2018-01-01

Abstract:As industrial control system is threatened by sinusoidal attack, the mathematical model was established using a typical loop of the control system; the Fourier transform and wavelet analysis was used to analyze its different characteristics in the aspect of attack ability and concealment. Then, an algorithm was developed against sinusoidal attack using multi-scale principal component analysis (MSPCA) with online implementation. Simulation of sinusoidal attack on Tenessee Eastman (TE) process show that sinusoidal attack not only causes physical damage, but also conceals the damage. When the frequency of sinusoidal attack is higher, the attack can not be detected by the traditional principal component analysis (PCA) method, meanwhile, our method can detect the attack quickly and accurately.

Xiaoyu Jiang,Zhiqiang Ge

DOI: https://doi.org/10.1109/tai.2022.3145335

2022-01-01

IEEE Transactions on Artificial Intelligence

Abstract:With the rapid development of information technology, intelligent upgrading of the manufacturing industry has broken the closed environment of traditional industrial control systems (ICS); thus, the information security of ICS has been seriously threatened. As part of ICS, the process monitoring system (PMS) is heavily subject to external risks. Data-driven PMSs have been widely used as initial lines of defense to ensure ICS safety. Once the PMS is under attack, the consequences on the whole ICS will be unimaginable. Unfortunately, the safety issues of the PMS have received inadequate attention. This article reveals PMS’s vulnerabilities through effective attacks. A novel method called subspace transfer network (STN) is proposed to conduct adversarial and poisoning attacks on the PMS simultaneously. Then the attack task flow is defined and explained to make online adversarial attacks and data poisoning on PMS. Meanwhile, aiming at two poisoning goals, targeted and untargeted attacks of STN are designed, respectively. Finally, the PMS’s fragility is verified in two industrial benchmarks.

Xinchen Zhang,Zhihan Jiang,Yulong Ding,Edith C.H. Ngai,Shuang-Hua Yang

DOI: https://doi.org/10.1016/j.jfranklin.2024.107000

IF: 4.246

2024-09-01

Journal of the Franklin Institute

Abstract:As the Industrial Internet-of-Things (IIoT) evolves, a growing number of industrial control systems (ICSs) are connecting to the Internet, making them more vulnerable to malicious attacks. This paper addresses the detection of false data injection (FDI) attacks, a prevalent threat to open ICSs. We introduce an innovative anomaly detection technique using isomorphic analysis to safeguard ICSs against FDI attacks. Isomorphic analysis involves comparing transmitted signals with their expected values, which are derived from mathematical models or isomorphic components. For a comprehensive defense mechanism, we incorporate three specific detectors: the control signal detector, the actuating signal detector, and the sensor reading detector. Designed to detect FDI attacks across various parts of the ICS, these detectors ensure the integrity of all transmitted signals throughout the physical control system. While the control signal detector adopts a threshold method, the other two rely on statistical approaches. If an attack is detected, the detectors can correct tampered signals before they reach downstream components, enhancing the system’s overall resilience and fault tolerance. The effectiveness of these detectors is supported by rigorous mathematical proofs. Moreover, our experimental findings further reveal the superiority of the isomorphic strategy over prior work in terms of detection rate, detection time delay, and system resilience.

automation & control systems,engineering, electrical & electronic, multidisciplinary,mathematics, interdisciplinary applications

Riccardo Colelli,Filippo Magri,Stefano Panzieri,Federica Pascucci

DOI: https://doi.org/10.48550/arXiv.2110.12963

2021-10-25

Cryptography and Security

Abstract:Over the past decade, industrial control systems have experienced a massive integration with information technologies. Industrial networks have undergone numerous technical transformations to protect operational and production processes, leading today to a new industrial revolution. Information Technology tools are not able to guarantee confidentiality, integrity and availability in the industrial domain, therefore it is of paramount importance to understand the interaction of the physical components with the networks. For this reason, usually, the industrial control systems are an example of Cyber-Physical Systems (CPS). This paper aims to provide a tool for the detection of cyber attacks in cyber-physical systems. This method is based on Machine Learning to increase the security of the system. Through the analysis of the values assumed by Machine Learning it is possible to evaluate the classification performance of the three models. The model obtained using the training set, allows to classify a sample of anomalous behavior and a sample that is related to normal behavior. The attack identification is implemented in water tank system, and the identification approach using Machine Learning aims to avoid dangerous states, such as the overflow of a tank. The results are promising, demonstrating its effectiveness.

Jinping Liu,Wuxia Zhang,Tianyu Ma,Zhaohui Tang,Yongfang Xie,Weihua Gui,Jean Paul Niyoyita

DOI: https://doi.org/10.1016/j.eswa.2020.113578

IF: 8.5

2020-11-01

Expert Systems with Applications

Abstract:<p>Industrial Cyber-physical systems (ICPSs), integrating communication, computation and control of industrial processes are referred to as a core technology to approach the <em>Industry 4.0</em>. Ensuring the ICPS security is of paramount importance in smart manufacturing. Considering the characteristics of large-scale, geographically-dispersed and multi-dimensional heterogeneous, federated and life-critical natures of ICPSs, this paper investigates a hierarchically distributed intrusion detection scheme that seeks to achieve the all-round safety protection of ICPSs according to the system structure and attacking types of each ICPS layer. For physical system-relevant perceptual executive layer, potential and covert attacks are detected by the clustered sensory system state residual anomaly monitoring based on a process noise and measurement noise-adaptive Kalman filter (PNMN-AKF). PNMN-AKF can perform a joint recursive estimation of dynamic system states, time-varying process and measurement noise covariance matrices by the variational Bayes approximation framework. In cyberspace, potential cyber-attacks are detected by the anomaly monitoring of the statistical distribution of the network transmission characteristics of data transmission layer by introducing a forgetting factor-induced recursive Gaussian mixture model (FF-RGMM). In the application control layer, a regularized sparse deep belief network model is introduced to characterize the misuse behavior for detecting potential attacks. Extensive validation and comparative experiments have been conducted on a numerical simulation system and a comprehensive ICPS simulation platform by using OPNET and a commonly-used benchmark simplified Tennessee Eastman process (STEP) based on Matlab/Simulink. Experimental results demonstrate that the proposed hierarchically distributed intrusion detection method can efficiently recognize potential and covert cyber-attacks in each ICPSs link with low false alarm rate and missing detection rate, which lays a foundation for the overall security monitoring of ICPSs.</p>

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Jake Cho,Seonghyeon Gong

DOI: https://doi.org/10.3390/electronics13010158

IF: 2.9

2023-12-30

Electronics

Abstract:Industrial control systems (ICS) are critical networks directly linked to the value of core national and societal assets, yet they are increasingly becoming primary targets for numerous cyberattacks today. The ICS network, a fusion of operational technology (OT) and information technology (IT) networks, possesses a broad attack vector, and attacks targeting ICS often take the form of advanced persistent threats (APTs) exploiting zero-day vulnerabilities. However, most existing ICS security techniques have been adaptations of security technologies for IT networks, and security measures tailored to the characteristics of ICS data are currently insufficient. To mitigate cyber threats to ICS networks, this paper proposes an anomaly detection technique based on dynamic data abstraction. The proposed method abstracts ICS data collected in real time using a dynamic data abstraction technique based on noise reduction. The abstracted data are then used to optimize both the update rate and the detection accuracy of the anomaly detection model through model adaptation and incremental learning processes. The proposed approach updates the model by quickly reflecting data on new attack patterns and their distributions, effectively shortening the dwell time in response to APTs utilizing zero-day vulnerabilities. We demonstrate the attack response performance and detection accuracy of the proposed dynamic data abstraction-based anomaly detection technique through experiments using the SWaT dataset generated from a testbed of an actual ICS process. The experiments show that the proposed model achieves high accuracy with a small number of abstracted data while rapidly learning new attack pattern data in real-time without compromising accuracy. The proposed technique can effectively respond to cyberattacks targeting ICS by quickly learning and reflecting trends in attack patterns that exploit zero-day vulnerabilities.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3103765

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:Recently, data-driven industrial monitoring systems have been rapidly developed and significantly improved the performance on industrial monitoring tasks. However, the widely deployed data-driven models expose industrial data to more unsecured links, which significantly increase the safety risk of safe-critical industrial systems. The research about adversarial attacks has shown that the potential attackers can utilize tiny crafted perturbations on the input data to mislead the machine learning models’ output. In this article, a novel cross-domain data protection scheme named “Data Guardian” is proposed to authenticate and correct industrial data under potential attacks on data-driven monitoring systems. “Data Guardian” embeds designed redundancy information into the data least significant bits, based on $q$ -ary low-density parity-check (LDPC) codes over the Galois field (finite field). The data are encoded at the secured industrial sites and then decoded before being input into the monitoring systems, in which the security risk is usually higher. The decoding capability of $q$ -ary LDPC codes is improved by the data statistical characteristics, with a new proposed prior estimation method. In the experiments, “Data Guardian” is tested under the attacks to the fault diagnosis models on the Tennessee Eastman process and rolling element bearing from Case Western Reserve University. The results show that “Data Guardian” can efficiently reduce the success rate of adversarial attacks, especially when the attack variable ratio is small.

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Qi Ao

DOI: https://doi.org/10.1109/dsa51864.2020.00028

2020-11-01

Abstract:In the last decade, the industrial field has suffered from a large number of attacks, which are diverse and difficult to detect. Aiming at the stealthy attacks suffered by industrial control systems, this paper processed an intrusion detection method oriented to industrial control process. The method focused on the change in the state of the controlled physical system, and under the premise that the alarm mechanism cannot detect the attack, it abstracted the intrusion detection into the optimization stopping of the detection of the state of the controlled system. Through adaptive optimization of the reference value in the non-parametric cumulative sum (CUSUM) algorithm, the detection delay of the industrial control process is further shortened. Simulation experiments show that this method can detect the tampering of the sensor observation data by the attacker in time, and effectively avoid the physical damage of the controlled system.

Suman Sourav,Binbin Chen

DOI: https://doi.org/10.48550/arXiv.2307.15926

2023-07-29

Abstract:For industrial control systems (ICS), many existing defense solutions focus on detecting attacks only when they make the system behave anomalously. Instead, in this work, we study how to detect attackers who are still in their hiding phase. Specifically, we consider an off-path false-data-injection attacker who makes the original sensor's readings unavailable and then impersonates that sensor by sending out legitimate-looking fake readings, so that she can stay hidden in the system for a prolonged period of time (e.g., to gain more information or to launch the actual devastating attack on a specific time). To expose such hidden attackers, our approach relies on continuous injection of ``micro distortion'' to the original sensor's readings, either through digital or physical means. We keep the distortions strictly within a small magnitude (e.g., $0.5\%$ of the possible operating value range) to ensure that it does not affect the normal functioning of the ICS. Micro-distortions are generated based on secret key(s) shared only between the targeted sensor and the defender. For digitally-inserted micro-distortions, we propose and discuss the pros and cons of a two-layer least-significant-bit-based detection algorithm. Alternatively, when the micro-distortions are added physically, a main design challenge is to ensure the introduced micro-distortions do not get overwhelmed by the fluctuation of actual readings and can still provide accurate detection capability. Towards that, we propose a simple yet effective Filtered-$\Delta$-Mean-Difference algorithm that can expose the hidden attackers in a highly accurate and fast manner. We demonstrate the effectiveness and versatility of our defense by using real-world sensor reading traces from different industrial control (including smart grid) systems.

Cryptography and Security

Wangkun Xu,Fei Teng

DOI: https://doi.org/10.48550/arXiv.2011.01816

2020-11-03

Systems and Control

Abstract:As one of the largest and most complex systems on earth, power grid (PG) operation and control have stepped forward as a compound analysis on both physical and cyber layers which makes it vulnerable to assaults from economic and security considerations. A new type of attack, namely as combined data Integrity-Availability attack, has been recently proposed, where the attackers can simultaneously manipulate and blind some measurements on SCADA system to mislead the control operation and keep stealthy. Compared with traditional FDIAs, this combined attack can further complicate and vitiate the model-based detection mechanism. To detect such attack, this paper proposes a novel random denoising LSTM-AE (LSTMRDAE) framework, where the spatial-temporal correlations of measurements can be explicitly captured and the unavailable data is countered by the random dropout layer. The proposed algorithm is evaluated and the performance is verified on a standard IEEE 118-bus system under various unseen attack attempts.