Yanjie Li,Xiaoyu Ji,Chenggang Li,Xiaofeng Xu,Wei Yan,Xu Yan,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.1109/iceiec49280.2020.9152334

2020-01-01

Abstract:In recent years, artificial intelligence has been widely used in the field of network security, which has significantly improved the effect of network security analysis and detection. However, because the power industrial control system is faced with the problem of shortage of attack data, the direct deployment of the network intrusion detection system based on artificial intelligence is faced with the problems of lack of data, low precision, and high false alarm rate. To solve this problem, we propose an anomaly traffic detection method based on cross-domain knowledge transferring. By using the TrAdaBoost algorithm, we achieve a lower error rate than using LSTM alone.

Yingxu Lai,Jingwen Zhang,Zenghui Liu

DOI: https://doi.org/10.1155/2019/8124254

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:The massive use of information technology has brought certain security risks to the industrial production process. In recent years, cyber-physical attacks against industrial control systems have occurred frequently. Anomaly detection technology is an essential technical means to ensure the safety of industrial control systems. Considering the shortcomings of traditional methods and to facilitate the timely analysis and location of anomalies, this study proposes a solution based on the deep learning method for industrial traffic anomaly detection and attack classification. We use a convolutional neural network deep learning representation model as the detection model. The original one-dimensional data are mapped using the feature mapping method to make them suitable for model processing. The deep learning method can automatically extract critical features and achieve accurate attack classification. We performed a model evaluation using real network attack data from a supervisory control and data acquisition (SCADA) system. The experimental results showed that the proposed method met the anomaly detection and attack classification needs of a SCADA system. The proposed method also promotes the application of deep learning methods in industrial anomaly detection.

Yibo Hu,Dinghua Zhang,Guoyan Cao,Quan Pan

DOI: https://doi.org/10.1109/smc.2019.8913895

2019-01-01

Abstract:Industrial control system (ICS) security is an important topic in context of Industry 4.0. Due to limited industrial network data and insufficient data analysis, anomaly detection for ICS is hardly to implement to enforce ICS security. The paper analyzes the traditional IT network data and ICS network data, bridges the common knowledge of network flow data feature of the both networks, and transfers the anomaly detection knowledge of traditional IT network into ICS network by means of a designed convolutional neural network (CNN) mechanism. Specific experiments validate the accuracy and reliability of the proposed CNN mechanism.

Basem AL-Madani,Ahmad Shawahna,Mohammad Qureshi

DOI: https://doi.org/10.48550/arXiv.1911.05692

2019-11-02

Abstract:Industrial Control Networks (ICN) such as Supervisory Control and Data Acquisition (SCADA) systems are widely used in industries for monitoring and controlling physical processes. These industries include power generation and supply, gas and oil production and delivery, water and waste management, telecommunication and transport facilities. The integration of internet exposes these systems to cyber threats. The consequences of compromised ICN are determine for a country economic and functional sustainability. Therefore, enforcing security and ensuring correctness operation became one of the biggest concerns for Industrial Control Systems (ICS), and need to be addressed. In this paper, we propose an anomaly detection approach for ICN using the physical properties of the system. We have developed operational baseline of electricity generation process and reduced the feature set using greedy and genetic feature selection algorithms. The classification is done based on Support Vector Machine (SVM), k-Nearest Neighbor (k-NN), and C4.5 decision tree with the help from the inter-arrival curves. The results show that the proposed approach successfully detects anomalies with a high degree of accuracy. In addition, they proved that SVM and C4.5 produces accurate results even for high sensitivity attacks when they used with the inter-arrival curves. As compared to this, k-NN is unable to produce good results for low and medium sensitivity attacks test cases.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Systems and Control

Maged Abdelaty,Roberto Doriguzzi-Corin,Domenico Siracusa

DOI: https://doi.org/10.1109/TETC.2021.3073017

2020-09-14

Abstract:Deep Learning is emerging as an effective technique to detect sophisticated cyber-attacks targeting Industrial Control Systems (ICSs). The conventional approach to detection in literature is to learn the "normal" behaviour of the system, to be then able to label noteworthy deviations from it as anomalies. However, during operations, ICSs inevitably and continuously evolve their behaviour, due to e.g., replacement of devices, workflow modifications, or other reasons. As a consequence, the accuracy of the anomaly detection process may be dramatically affected with a considerable amount of false alarms being generated. This paper presents DAICS, a novel deep learning framework with a modular design to fit in large ICSs. The key component of the framework is a 2-branch neural network that learns the changes in the ICS behaviour with a small number of data samples and a few gradient updates. This is supported by an automatic tuning mechanism of the detection threshold that takes into account the changes in the prediction error under normal operating conditions. In this regard, no specialised human intervention is needed to update the other parameters of the system. DAICS has been evaluated using publicly available datasets and shows an increased detection rate and accuracy compared to state of the art approaches, as well as higher robustness to additive noise.

Cryptography and Security

Laisen Nie,Zhaolong Ning,Xiaojie Wang,Xiping Hu,Jun Cheng,Yongkang Li

DOI: https://doi.org/10.1109/tnse.2020.2990984

IF: 6.6

2020-01-01

IEEE Transactions on Network Science and Engineering

Abstract:As an industrial application of Internet of Things (IoT), Internet of Vehicles (IoV) is one of the most crucial techniques for Intelligent Transportation System (ITS), which is a basic element of smart cities. The primary issue for the deployment of ITS based on IoV is the security for both users and infrastructures. The Intrusion Detection System (IDS) is important for IoV users to keep them away from various attacks via the malware and ensure the security of users and infrastructures. In this paper, we design a data-driven IDS by analyzing the link load behaviors of the Road Side Unit (RSU) in the IoV against various attacks leading to the irregular fluctuations of traffic flows. A deep learning architecture based on the Convolutional Neural Network (CNN) is designed to extract the features of link loads, and detect the intrusion aiming at RSUs. The proposed architecture is composed of a traditional CNN and a fundamental error term in view of the convergence of the backpropagation algorithm. Meanwhile, a theoretical analysis of the convergence is provided by the probabilistic representation for the proposed CNN-based deep architecture. We finally evaluate the accuracy of our method by way of implementing it over the testbed.

Jie Wang,Pengfei Li,Weiqiang Kong,Ran An

DOI: https://doi.org/10.3390/math10162872

IF: 2.4

2022-08-12

Mathematics

Abstract:With the rapid development of network technologies, the network security of industrial control systems has aroused widespread concern. As a defense mechanism, an ideal intrusion detection system (IDS) can effectively detect abnormal behaviors in a system without affecting the performance of the industrial control system (ICS). Many deep learning methods are used to build an IDS, which rely on massive numbers of variously labeled samples for model training. However, network traffic is imbalanced, and it is difficult for researchers to obtain sufficient attack samples. In addition, the attack variants are rich, and constructing all possible attack types in advance is impossible. In order to overcome these challenges and improve the performance of an IDS, this paper presents a novel intrusion detection approach which integrates a one-dimensional convolutional autoencoder (1DCAE) and support vector data description (SVDD) for the first time. For the two-stage training process, 1DCAE fails to retain the key features of intrusion detection and SVDD has to add restrictions, so a joint optimization solution is introduced. A three-stage optimization process is proposed to obtain better performance. Experiments on the benchmark intrusion detection dataset NSL-KDD show that the proposed method can effectively detect various unknown attacks, learning with only normal traffic. Compared with the recent state-of-art intrusion detection baselines, the proposed method is improved in most metrics.

mathematics

Zhi-Yang,Xiao-jun

2020-01-01

Abstract:Intrusion Detection Algorithm of Power Grid Industrial Control System Based on CNN ZHAO Zhi-Yang, XIA Xiao-Jun (University of Chinese Academy of Sciences, Beijing 100049, China) (Shenyang Institute of Computing Technology, Chinese Academy of Sciences, Shenyang 110168, China) Abstract: Traditional power grid industrial control systems are mainly isolated from external networks through tools such as firewalls, but with the application of new technologies such as cloud computing and the Internet of Things, the degree of interconnection between networks has continued to deepen, and the difficulty of security protection has greatly increased. How to effectively detect network intrusion behavior has become very important. Compared with traditional intrusion detection technology, convolutional neural networks have a better ability to extract intrusion features. This study proposes a power grid industrial control system intrusion detection algorithm based on convolutional neural networks. The KDD99 dataset is processed for model training, and a cascade convolution layer is added to optimize the network structure. Under the premise of small parameter scale, the real-time requirements of the model are guaranteed. Compared with the traditional SVM algorithm and the k-means algorithm, the intrusion detection accuracy of the proposed algorithm in this study is improved, the false detection rate is reduced, and the intrusion behavior to the power grid industrial control system can be effectively detected.

Wenli Shang,Jiawei Qiu,Haotian Shi,Shuang Wang,Lei Ding,Yanjun Xiao

DOI: https://doi.org/10.1155/2024/5459452

IF: 8.993

2024-06-04

International Journal of Intelligent Systems

Abstract:Industrial control systems (ICSs), as critical national infrastructures, are increasingly susceptible to sophisticated security threats. To address this challenge, our study introduces the CAE‐T, a deep convolutional autoencoding transformer network designed for efficient anomaly detection and real‐time fault monitoring in ICS. The CAE‐T utilizes unsupervised deep learning, employing a convolutional autoencoder for spatial feature extraction from multidimensional time‐series data, and combines this with a transformer architecture to capture long‐term temporal dependencies. The design of the model facilitates rapid training and inference, while its dual‐component approach, utilizing an optimization function based on support vector data description (SVDD), enhances detection accuracy. This integration synergistically combines spatiotemporal feature extraction, significantly improving the robustness and precision of anomaly detection in ICS environments. The CAE‐T model demonstrated notable performance enhancements across three industrial control system datasets. Notably, the CAE‐T model achieved approximately a 70.8% increase in F1 score and a 9.2% rise in AUC on the WADI dataset. On the SWaT dataset, the model showed improvements of approximately 2.8% in F1 score and 5% in AUC. The power system dataset saw more modest gains, with an approximately 0.1% uptick in F1 score and a 1% increase in AUC. These improvements validate the CAE‐T model's efficacy and robustness in anomaly detection across various scenarios.

computer science, artificial intelligence

Tohid Behdadnia,Geert Deconinck

DOI: https://doi.org/10.48550/arXiv.2209.08099

IF: 5.414

2022-09-16

Machine Learning

Abstract:In modern highly interconnected power grids, automatic generation control (AGC) is crucial in maintaining the stability of the power grid. The dependence of the AGC system on the information and communications technology (ICT) system makes it vulnerable to various types of cyber-attacks. Thus, information flow (IF) analysis and anomaly detection became paramount for preventing cyber attackers from driving the cyber-physical power system (CPPS) to instability. In this paper, the ICT network traffic rules in CPPSs are explored and the frequency domain features of the ICT network traffic are extracted, basically for developing a robust learning algorithm that can learn the normal traffic pattern based on the ResNeSt convolutional neural network (CNN). Furthermore, to overcome the problem of insufficient abnormal traffic labeled samples, transfer learning approach is used. In the proposed data-driven-based method the deep learning model is trained by traffic frequency features, which makes our model robust against AGC's parameters uncertainties and modeling nonlinearities.

Xinrui Dong,Yingxu Lai

DOI: https://doi.org/10.1109/ISADS56919.2023.10092008

2023-01-01

Abstract:The integration of industrialization and informatization has exposed industrial control systems (ICSs) to increasingly serious security challenges. Currently, the mainstream method to protect the security of ICSs is intrusion detection system (IDS) based on deep-learning. However, these methods depend on a massive amount of high-quality data. Owing to the characteristics and protocol limitations, ICSs data usually experience low-quality and data imbalance problems, which significantly affects the accuracy of IDS.In this study, an IDS for ICS that combines data expansion algorithm and CNN was proposed. A novel normalized neighborhood weighted convex combined random sample (NNW-CCRS) oversampling algorithm was designed, which automatically attenuates the effects of noise and expanding imbalanced data to produce balanced ICS datasets. By reducing the impact of imbalanced ICS data on IDSs, our system effectively protects the security of ICS. Secure Water Treatment dataset (SWaT) was used for experimental validation. The experimental results confirmed that the accuracy of the proposed system improved by approximately 20%, compared to the ICS without data expansion.

Gauthama Raman M. R.,Chuadhry Mujeeb Ahmed,Aditya Mathur

DOI: https://doi.org/10.1186/s42400-021-00095-5

2021-08-02

Abstract:Abstract Gradual increase in the number of successful attacks against Industrial Control Systems (ICS) has led to an urgent need to create defense mechanisms for accurate and timely detection of the resulting process anomalies. Towards this end, a class of anomaly detectors, created using data-centric approaches, are gaining attention. Using machine learning algorithms such approaches can automatically learn the process dynamics and control strategies deployed in an ICS. The use of these approaches leads to relatively easier and faster creation of anomaly detectors compared to the use of design-centric approaches that are based on plant physics and design. Despite the advantages, there exist significant challenges and implementation issues in the creation and deployment of detectors generated using machine learning for city-scale plants. In this work, we enumerate and discuss such challenges. Also presented is a series of lessons learned in our attempt to meet these challenges in an operational plant.

computer science, information systems, interdisciplinary applications, software engineering

Mohammad Kazim Hooshmand,Doreswamy Hosahalli

DOI: https://doi.org/10.1049/cit2.12078

IF: 7.985

2022-01-31

CAAI Transactions on Intelligence Technology

Abstract:Convolutional neural networks (CNNs) are the specific architecture of feed‐forward artificial neural networks. It is the de‐facto standard for various operations in machine learning and computer vision. To transform this performance towards the task of network anomaly detection in cyber‐security, this study proposes a model using one‐dimensional CNN architecture. The authors' approach divides network traffic data into transmission control protocol (TCP), user datagram protocol (UDP), and OTHER protocol categories in the first phase, then each category is treated independently. Before training the model, feature selection is performed using the Chi‐square technique, and then, over‐sampling is conducted using the synthetic minority over‐sampling technique to tackle a class imbalance problem. The authors' method yields the weighted average f‐score 0.85, 0.97, 0.86, and 0.78 for TCP, UDP, OTHER, and ALL categories, respectively. The model is tested on the UNSW‐NB15 dataset.

Jun Wang,Changfu Si,Zhen Wang,Qiang Fu

DOI: https://doi.org/10.32604/cmc.2024.050223

2024-01-01

Abstract:Nowadays, with the rapid development of industrial Internet technology, on the one hand, advanced industrial control systems (ICS) have improved industrial production efficiency. However, there are more and more cyber-attacks targeting industrial control systems. To ensure the security of industrial networks, intrusion detection systems have been widely used in industrial control systems, and deep neural networks have always been an effective method for identifying cyber attacks. Current intrusion detection methods still suffer from low accuracy and a high false alarm rate. Therefore, it is important to build a more efficient intrusion detection model. This paper proposes a hybrid deep learning intrusion detection method based on convolutional neural networks and bidirectional long short-term memory neural networks (CNN-BiLSTM). To address the issue of imbalanced data within the dataset and improve the model’s detection capabilities, the Synthetic Minority Over-sampling Technique-Edited Nearest Neighbors (SMOTE-ENN) algorithm is applied in the preprocessing phase. This algorithm is employed to generate synthetic instances for the minority class, simultaneously mitigating the impact of noise in the majority class. This approach aims to create a more equitable distribution of classes, thereby enhancing the model’s ability to effectively identify patterns in both minority and majority classes. In the experimental phase, the detection performance of the method is verified using two data sets. Experimental results show that the accuracy rate on the CICIDS-2017 data set reaches 97.7%. On the natural gas pipeline dataset collected by Lan Turnipseed from Mississippi State University in the United States, the accuracy rate also reaches 85.5%.

Li Zhang,Zhuo Lv,Xuesong Zhang,Cen Chen,Nuannuan Li,Yidong Li,Wei Wang

DOI: https://doi.org/10.1007/978-3-030-36938-5_24

2019-01-01

Abstract:Industrial Control Systems (ICS) are the critical infrastructures of power grids. It is very important to monitor and control industrial equipment through the networks. Most ICSs currently used in smart grid contain IT key equipment and communication technologies to implement the communication and logic control functions. However, unlike traditional IT network traffic, these power-related industrial control systems have variety of proprietary protocols. Obviously, in typical complex systems the manually intensive processing of data is costly and sub-optimal. In this paper, we propose an novel traffic anomaly detection model for power ICS based on Multi-Head attention (MHA) method, in which the collected raw traffic was converted into the form of matrix. The MHA and Convolutional Neural Network (CNN) model were used to classify traffic data. We replace the traditional feature extraction and rule making process with an acceptable computational cost. The effectiveness of our approach is demonstrated by experiments on two real world power ICS testbeds: a power generation simulation platform based on a distributed control system (DCS) and a substation slave station. Comparing with some classical machine learning algorithms and Convolutional Neural Networks, the experimental results show that our MHA model outperforms the CNN-based and classical machine learning detection models with an accuracy rate of 99.86%.

Vegard Berge,Chunlei Li

2024-10-26

Abstract:Traditional intrusion detection systems (IDSs) often rely on either network traffic or process data, but this single-source approach may miss complex attack patterns that span multiple layers within industrial control systems (ICSs) or persistent threats that target different layers of operational technology systems. This study investigates whether combining both network and process data can improve attack detection in ICSs environments. Leveraging the SWaT dataset, we evaluate various machine learning models on individual and combined data sources. Our findings suggest that integrating network traffic with operational process data can enhance detection capabilities, evidenced by improved recall rates for cyber attack classification. Serving as a proof-of-concept within a limited testing environment, this research explores the feasibility of advancing intrusion detection through a multi-source data approach in ICSs. Although the results are promising, they are preliminary and highlight the need for further studies across diverse datasets and refined methodologies.

Cryptography and Security

S. Nagarajan,S. Kayalvizhi,R. Subhashini,V. Anitha

DOI: https://doi.org/10.1016/j.cie.2023.109166

2023-04-23

Abstract:The security analysis has become the hotspot concern in Industrial Control Systems (ICSs) that grabs the research attention in today's era. Owing to the rapid admittance of the Industrial Internet of Things (IIoT), the superimposition of fog and cloud computing plays a pivotal role for rectifying such issues as fewer computation resources and more latency in the network. In addition to this, security issue comes first while developing the ICS in the sector of IIoT. In general, ICS is applied for various processes, such as electric utilization and water supply management, that are related to every individual's life. Though it is interlinked with the Internet, it can easily expose to different threats. To defend the model, Intrusion Detection Systems (IDS) are employed. In signature-based detection, anomaly detection is used to find out the unknown attacks in the network. Yet, the ICS is structured with many software and hardware tools. It also seems in the openness nature of the industrial environment that, it becomes vulnerable to various attacks. Hence, detecting unknown attacks is a complex task in the openness nature of the industrial environment. It causes failure to protect such systems from malicious entities that could result in more complications for humans. Hence, the detection of malicious activities is essential. In order to provide an efficient model, a new hybrid deep learning is proposed in ICS. Initially, the original data is to be collected based on the ICS industry. Secondly, the gathered data is preprocessed to clean the artifacts and clean the data. Thirdly, the optimal features are chosen directly from the gathered data with the help of a hybrid algorithm called the Hybrid Honey Badger-World Cup Algorithm (HHB-WCA). The chosen optimal features are fed to the hybrid deep learning termed as Autoencoder-Bi-directional Long Short-Term Memory (A-Bi-LSTM), where the encoded features from Autoencoder are extracted and encoded features are subjected to the Bi-LSTM classifier. Finally, the simulation outcome has shown that the developed method is compared with the other traditional algorithms to detect the unknown classes in the network.

computer science, interdisciplinary applications,engineering, industrial

Kai Jin,Lei Zhang,Yujie Zhang,Duo Sun,Xiaoyuan Zheng

DOI: https://doi.org/10.3390/electronics12204329

IF: 2.9

2023-10-19

Electronics

Abstract:The current mainstream intrusion detection models often have a high false negative rate, significantly affecting intrusion detection systems' (IDSs) practicability. To address this issue, we propose an intrusion detection model based on a multi-scale one-dimensional convolutional neural network module (MS1DCNN), an efficient channel attention module (ECA), and two bidirectional long short-term memory modules (BiLSTMs). The proposed hybrid MS1DCNN-ECA-BiLSTM model uses the MS1DCNN module to extract features with a different granularity from the input data and uses the ECA module to enhance the weight of important features. Finally, the model carries out sequence learning through two BiLSTM layers. We use the dung beetle optimizer (DBO) to optimize the hyperparameters in the model to obtain better classification results. Additionally, we use the synthetic minority oversampling technique (SMOTE) to fill several samples to reduce the local false negative rate. In this paper, we train and test the model using accurate network data from a water storage industrial control system. In the multi-classification experiment, the model's accuracy was 97.04%, the precision was 97.17%, and the false negative rate was 2.95%; in the binary classification experiment, the accuracy and false negative rate were 99.30% and 0.7%. Compared with other mainstream methods, our model has a higher score. This study provides a new algorithm for the intrusion detection of industrial control systems.

engineering, electrical & electronic,computer science, information systems,physics, applied

Qian Wang,He Chen,Yonghui Li,Branka Vucetic

DOI: https://doi.org/10.1109/iciai.2019.8850828

2019-01-01

Abstract:The convergence of operation technology (OT) and information and communication technology (ICT) in industrial control networks presents new challenges for anomaly detection algorithms. Machine learning has achieved great success over the past few years, which has also been considered as one of the popular solutions for anomaly detection in industrial control networks. In this paper, we survey the recent work on anomaly detection for industrial control networks exploiting machine learning techniques. We first summarize major differences between OT and ICT and analyze the corresponding advantages and disadvantages for anomaly detection. Based on the features of the industrial control networks, existing work are classified into data-based learning and industrial network-specified learning methods. We analyze the pros and cons of these two learning methods. We finally point out the promising future work within this research area.

Daniel Fährmann,Naser Damer,Florian Kirchbuchner,Arjan Kuijper

DOI: https://doi.org/10.3390/s22082886

IF: 3.9

2022-04-09

Sensors

Abstract:Heterogeneous cyberattacks against industrial control systems (ICSs) have had a strong impact on the physical world in recent decades. Connecting devices to the internet enables new attack surfaces for attackers. The intrusion of ICSs, such as the manipulation of industrial sensory or actuator data, can be the cause for anomalous ICS behaviors. This poses a threat to the infrastructure that is critical for the operation of a modern city. Nowadays, the best techniques for detecting anomalies in ICSs are based on machine learning and, more recently, deep learning. Cybersecurity in ICSs is still an emerging field, and industrial datasets that can be used to develop anomaly detection techniques are rare. In this paper, we propose an unsupervised deep learning methodology for anomaly detection in ICSs, specifically, a lightweight long short-term memory variational auto-encoder (LW-LSTM-VAE) architecture. We successfully demonstrate our solution under two ICS applications, namely, water purification and water distribution plants. Our proposed method proves to be efficient in detecting anomalies in these applications and improves upon reconstruction-based anomaly detection methods presented in previous work. For example, we successfully detected 82.16% of the anomalies in the scenario of the widely used Secure Water Treatment (SWaT) benchmark. The deep learning architecture we propose has the added advantage of being extremely lightweight.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation