Dinghua Wang,Dongqin Feng

DOI: https://doi.org/10.1109/iaeac.2018.8577543

2018-01-01

Abstract:Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.

Lai Yingxu,Jiao,Liu Jing

DOI: https://doi.org/10.1109/isads.2015.28

2015-01-01

Abstract:With the growing demand of location-independent access to Industrial Control Systems (ICS), anomaly detection scheme for industrial Ethernet which highly satisfied with demanding real-time and reliable industrial applications becomes one of the problems in ICS. In this paper, we present an innovative approach to build a traffic model based on structural time series model. Basic structural model which decomposes time series into four factors is established by the stationary analysis of industrial traffic. Parameters in the model are identified by state space model which is conducted from the training sequence using standard Kalman filter recursions and EM algorithm. Furthermore, performance of state space model is evaluated by the experimental comparative results that confirm significant improvement in detection accuracy and the validity of abnormal data localization.

Ying-xu LAI,Jiao JIAO

DOI: https://doi.org/10.11936/bjutxb2014040009

2015-01-01

Abstract:To improve the detecting accuracy of malicious traffic in industrial control systems ( ICS) , an innovative approach based on structural time series model is proposed. Industrial Ethernet traffic can be decomposed into four components. Each component is established by a state space model respectively, which brings out high fitting precision. Therefore compared with X-12, the average positive rate of this method increases by 38%. In the meanwhile, this method provides a way to decrease false positive rate and time complexity.

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Chuan Sheng,Yu Yao,Qiang Fu,Wei Yang

DOI: https://doi.org/10.1016/j.comnet.2020.107677

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>Supervisory Control and Data Acquisition (SCADA) systems are becoming increasingly susceptible to the sophisticated and targeted cyber attacks which are typically carried out by exploiting the vulnerabilities of industrial control devices or protocols. However, most of the existing network intrusion detection methods only focus on detecting and characterizing cyber attacks against the SCADA system, but cannot fully describe their real impact on the system. In this paper, we propose a cyber-physical model for the SCADA system to detect intrusions from the SCADA network and evaluate their risk levels against the industrial process. The model aims at characterizing the network structure and industrial process of the SCADA system through extracting and correlating the communication patterns and states of ICS devices. And any violation of the model is considered abnormal behavior, which can be caused by false operation or network attacks. Through associating network intrusions with the status of the SCADA system, a risk assessment method is proposed to estimate the potential damage degree of the attack on the system, which provides network administrators with richer information about network attacks. Moreover, the comprehensive performance evaluation conducted on public SCADA network data sets shows that the proposed method outperforms the existing methods in detecting and analyzing various cyber attacks against the SCADA system.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lijuan Xu,Bailing Wang,Xiaoming Wu,Dawei Zhao,Lei Zhang,Zhen Wang

DOI: https://doi.org/10.1109/tnse.2021.3130602

IF: 6.6

2022-03-01

IEEE Transactions on Network Science and Engineering

Abstract:By violating semantic constraints that the control process impose, the semantic attack leads the Industry Control Systems (ICS) into an undesirable state or critical state. The spread of semantic attack has caused huge economic losses and casualties to critical infrastructure. Therefore, detecting semantic attack is referred to an urgent and critical task. However, few existing detecting techniques can achieve satisfactory effects in detecting semantic attack of ICS, due to the high requirements of complete critical state-based semantic behavior features description, joint detection on multivariate type state variables, and validity of field states datasets under semantic attacks. In an effort to deal with above challenges, We label device states databases with temporal characteristics and divide impacts on states of field devices under semantic attacks into three categories, including absent in states set, confused sequences, irregular frequency. On this basis, we establish a behavioral model based on secondary labeling of states-duration evolution graph (BMSLS), then implement an adaptive secure state-based semantic attack detection framework furtherly. Compared with the traditional Auto Regression (AR) algorithm, the newer time series correlation graph model, and other five deep learning algorithms, our proposed framework demonstrates the superior effect on the detection of semantic attack.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Basem AL-Madani,Ahmad Shawahna,Mohammad Qureshi

DOI: https://doi.org/10.48550/arXiv.1911.05692

2019-11-02

Abstract:Industrial Control Networks (ICN) such as Supervisory Control and Data Acquisition (SCADA) systems are widely used in industries for monitoring and controlling physical processes. These industries include power generation and supply, gas and oil production and delivery, water and waste management, telecommunication and transport facilities. The integration of internet exposes these systems to cyber threats. The consequences of compromised ICN are determine for a country economic and functional sustainability. Therefore, enforcing security and ensuring correctness operation became one of the biggest concerns for Industrial Control Systems (ICS), and need to be addressed. In this paper, we propose an anomaly detection approach for ICN using the physical properties of the system. We have developed operational baseline of electricity generation process and reduced the feature set using greedy and genetic feature selection algorithms. The classification is done based on Support Vector Machine (SVM), k-Nearest Neighbor (k-NN), and C4.5 decision tree with the help from the inter-arrival curves. The results show that the proposed approach successfully detects anomalies with a high degree of accuracy. In addition, they proved that SVM and C4.5 produces accurate results even for high sensitivity attacks when they used with the inter-arrival curves. As compared to this, k-NN is unable to produce good results for low and medium sensitivity attacks test cases.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Systems and Control

Chuan Sheng,Yu Yao,Wenxuan Li,Wei Yang,Ying Liu

DOI: https://doi.org/10.1109/TNSM.2023.3238402

2023-01-01

IEEE Transactions on Network and Service Management

Abstract:Attack Traffic Classification (ATC) technique is an essential tool for Industrial Control System (ICS) network security, which can be widely used in active defense, situational awareness, attack source traceback and so on. At present, the state-of-the-art ATC methods are usually based on traffic statistical features and machine learning techniques, including supervised classification methods and unsupervised clustering methods. However, it is difficult for these methods to overcome the problems of lack of attack samples and high real-time requirement in ATC in Supervisory Control and Data Acquisition (SCADA) networks. In order to address the above problems, we propose a self-growing ATC model based on a new density-based heuristic clustering method, which can continuously and automatically detect and distinguish different kinds of unknown attack traffic generated by various attack tools against SCADA networks in real time. An effective representation method of SCADA network traffic is proposed to further improve the performance of ATC. In addition, a large number of experiments are conducted on a compound dataset consisting of the SCADA network dataset, the attack tool dataset and the ICS honeypot dataset, to evaluate the proposed method. The experimental results show that the proposed method outperforms existing state-of-the-art ATC methods in the crucial situation of only normal SCADA network traffic.

Yingxu Lai,Zenghui Liu,Zhanwei Song,Yusheng Wang,Yiwei Gao

DOI: https://doi.org/10.1016/j.simpat.2016.01.013

IF: 4.199

2016-01-01

Simulation Modelling Practice and Theory

Abstract:With the ever growing demand of location-independent access to Autonomous Decentralized Systems (ADS), anomaly detection scheme for industrial Ethernet, which highly is satisfied with demanding real-time and reliable industrial applications, becomes one of the most pressing subjects in ADS. In this paper, we present an innovative approach to build a traffic model based on structural time series model for a chemical industry system. A basic structural model that decomposes time series into four items is established by the stationary analysis of industrial traffic. Parameters in the model are identified by the state space model, which is conducted from the training sequence using standard Kalman filter recursions and the EM algorithm. Furthermore, the performance of state space model is evaluated by the experimental results that confirm significant improvement in detection accuracy and the validity of abnormal data localization.

Frantzy Mesadieu,Damiano Torre,Anitha Chennameneni

DOI: https://doi.org/10.1109/access.2024.3390722

IF: 3.9

2024-05-10

IEEE Access

Abstract:The prevalence of cyber-attacks perpetrated over the last two decades, including coordinated attempts to breach targeted organizations, has drastically and systematically exposed some of the more critical vulnerabilities existing in our cyber ecosystem. Particularly in Supervisory Control and Data Acquisition (SCADA) systems with targeted attacks aiming to bypass signature-based protocols, attempting to gain control over operational processes. In the past, researchers utilized deep learning and reinforcement learning algorithms to mitigate threats against industrial control systems (ICS). However, as technology evolves, these techniques become ineffective in monitoring and enhancing the cybersecurity defenses of those system against unwanted attacks. To address these concerns, we propose a deep reinforcement learning (DRL) framework for anomaly detection in the SCADA network. Our model utilizes a "Q-network", which allows it to achieve state-of-the-art performance in pattern recognition from complex tasks. We validated our solution on two publicly available datasets. The WUSTL-IIoT-2018 and the WUSTL-IIoT-2021, each comprised of twenty-five networking features representing benign and attack traffic. The results obtained shows that our model successfully achieved an accuracy of 99.36% in attack detection, highlighting DRL's potential to enhance the security of critical infrastructure and laying the foundation for future research in this domain.

computer science, information systems,telecommunications,engineering, electrical & electronic

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Chao Sang,Jianhua Li,Jun Wu,Wu Yang

DOI: https://doi.org/10.1109/msn60784.2023.00042

2023-01-01

Abstract:Today, with more and more devices in the industrial control system (ICS), the risk becomes higher and brings more attack surfaces. The need for reliable anomaly detection systems is increasing. Traditional SCADA-based detection systems deployed are difficult to assess large-scale control systems accurately, and novel AI-based technologies struggle to ensure timely response. In this paper, we propose an edge computing assisted delay-aware anomaly detection (ECADA) scheme for ICS, which considers both the accuracy and timeliness, and ensures that abnormal conditions can be accurately detected and handled in a short time. First, we model the components in ICS as three layers, taking network resources, delay, and reliability into consideration. Second, we convert the anomaly detection procedure into a decision making problem. By dividing the warning capabilities into various levels, the flexibility of the anomaly detection system is enhanced. Third, we cast a mixed-integer linear programming (MILP) problem to find the efficient anomaly detection mechanism, so that it can be dynamically scheduled to achieve the tradeoff between reliability and timeliness. We use an real-world industrial system dataset for experimental evaluation. By comparing with various traditional anomaly detection methods, it is proved that ECADA can always ensure reliable response of anomaly detection system in various network environments.

Haicheng Qu,Jitao Qin,Wanjun Liu,Hao Chen

DOI: https://doi.org/10.1007/978-3-319-73447-7_48

2017-01-01

Abstract:Cyber security threats of industrial control system have become increasingly sophisticated and complex. In the related intrusion detection, there is a problem that intrusion detection based on network communication behavior cannot fully find out the potential intrusion. The Machine Learning is applied to seek out the abnormal of industrial network. First of all, the supervised learning methods, such as Decision Tree, K-Nearest Neighbors, SVM and so on, were adopted to deal with SCADA network dataset and related discriminated features. Next, an anomaly detection model is built using One-Class classification method, and the effect of the One-Class Classification method in the SCADA network dataset is analyzed from the recall rate, the accuracy rate, the false positive rate and the false negative rate. It is shown that the anomaly detection model constructed by the One-Class Support Vector Machine (OCSVM) method has high accuracy, and the Decision Tree method can commendably detect the intrusion behavior.

Li Zhang,Zhuo Lv,Xuesong Zhang,Cen Chen,Nuannuan Li,Yidong Li,Wei Wang

DOI: https://doi.org/10.1007/978-3-030-36938-5_24

2019-01-01

Abstract:Industrial Control Systems (ICS) are the critical infrastructures of power grids. It is very important to monitor and control industrial equipment through the networks. Most ICSs currently used in smart grid contain IT key equipment and communication technologies to implement the communication and logic control functions. However, unlike traditional IT network traffic, these power-related industrial control systems have variety of proprietary protocols. Obviously, in typical complex systems the manually intensive processing of data is costly and sub-optimal. In this paper, we propose an novel traffic anomaly detection model for power ICS based on Multi-Head attention (MHA) method, in which the collected raw traffic was converted into the form of matrix. The MHA and Convolutional Neural Network (CNN) model were used to classify traffic data. We replace the traditional feature extraction and rule making process with an acceptable computational cost. The effectiveness of our approach is demonstrated by experiments on two real world power ICS testbeds: a power generation simulation platform based on a distributed control system (DCS) and a substation slave station. Comparing with some classical machine learning algorithms and Convolutional Neural Networks, the experimental results show that our MHA model outperforms the CNN-based and classical machine learning detection models with an accuracy rate of 99.86%.

Hanan Hindy,David Brosset,Ethan Bayne,Amar Seeam,Xavier Bellekens

DOI: https://doi.org/10.1007/978-3-030-12786-2_1

2019-03-06

Abstract:Network Control Systems (NAC) have been used in many industrial processes. They aim to reduce the human factor burden and efficiently handle the complex process and communication of those systems. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation, etc.) Like other Internet of Things (IoT) implementations, SCADA systems are vulnerable to cyber-attacks, therefore, a robust anomaly detection is a major requirement. However, having an accurate anomaly detection system is not an easy task, due to the difficulty to differentiate between cyber-attacks and system internal failures (e.g. hardware failures). In this paper, we present a model that detects anomaly events in a water system controlled by SCADA. Six Machine Learning techniques have been used in building and evaluating the model. The model classifies different anomaly events including hardware failures (e.g. sensor failures), sabotage and cyber-attacks (e.g. DoS and Spoofing). Unlike other detection systems, our proposed work focuses on notifying the operator when an anomaly occurs with a probability of the event occurring. This additional information helps in accelerating the mitigation process. The model is trained and tested using a real-world dataset.

Cryptography and Security,Machine Learning

Huazan Liu,Zhenzhou Ji,Chong Li,Kaikai Li

DOI: https://doi.org/10.1109/ICCEA58433.2023.10135289

2023-01-01

Abstract:As the development of the Internet of Things, industrial control network security issues have become more prominent. Anomaly detection technology is an important detection technology for ensuring the network security of industrial control systems, which can issue alarms and block responses before the system is compromised. However, most models currently suffer from problems such as low detection rate, high false positive rate, and inability to locate the anomalies. To address these issues, this paper proposes a multidimensional feature and spectral residual-based industrial control time series anomaly detection method (SRMCAD) to improve the accuracy of anomaly detection while reducing the false positive rate. First, this paper applies the spectral residual method to multidimensional time series anomaly detection in the industrial control domain, and uses the residual data obtained by spectral residual processing instead of the original data as input to the model. Secondly, to address the problem of imprecise device attack localization and high false positive rate in existing industrial control anomaly detection models, this paper designs and implements an industrial control anomaly detection model based on an encoding-decoding architecture, incorporating the idea of system state modeling and using the Mahalanobis distance as the loss function. Experimental results show that SRMCAD has significant advantages over current advanced methods.

Amit Kleinmann,Ori Amichay,Avishai Wool,David Tenenbaum,Ofer Bar,Leonid Lev

DOI: https://doi.org/10.48550/arXiv.1706.09303

2017-06-28

Abstract:SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta--data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system--wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.

Cryptography and Security

Y. Yang,K. McLaughlin,S. Sezer,Y. B. Yuan,W. Huang

DOI: https://doi.org/10.1109/pesgm.2014.6939218

2014-01-01

Abstract:Cyber threats in Supervisory Control and Data Acquisition (SCADA) systems have the potential to render physical damage and jeopardize power system operation, safety and stability. SCADA systems were originally designed with little consideration of escalating cyber threats and hence the problem of how to develop robust intrusion detection technologies to tailor the requirements of SCADA is an emerging topic and a big challenge. This paper proposes a stateful Intrusion Detection System (IDS) using a Deep Packet Inspection (DPI) method to improve the cyber-security of SCADA systems using the IEC 60870-5-104 protocol which is tailored for basic telecontrol communications. The proposed stateful protocol analysis approach is presented that is designed specifically for the IEC 60870-5-104 protocol. Finally, the novel intrusion detection approach are implemented and validated.

Chunjie Zhou,Shuang Huang,Naixue Xiong,Shuang-Hua Yang,Huiyun Li,Yuanqing Qin,Xuan Li

DOI: https://doi.org/10.1109/TSMC.2015.2415763

2015-01-01

Abstract:Industrial process automation is undergoing an increased use of information communication technologies due to high flexibility interoperability and easy administration. But it also induces new security risks to existing and future systems. Intrusion detection is a key technology for security protection. However, traditional intrusion detection systems for the IT domain are not entirely suitable for industrial process automation. In this paper, multiple models are constructed by comprehensively analyzing the multidomain knowledge of field control layers in industrial process automation, with consideration of two aspects: physics and information. And then, a novel multimodel-based anomaly intrusion detection system with embedded intelligence and resilient coordination for the field control system in industrial process automation is designed. In the system, an anomaly detection based on multimodel is proposed, and the corresponding intelligent detection algorithms are designed. Furthermore, to overcome the disadvantages of anomaly detection, a classifier based on an intelligent hidden Markov model, is designed to differentiate the actual attacks from faults. Finally, based on a combination simulation platform using optimized performance network engineering tool, the detection accuracy and the real-time performance of the proposed intrusion detection system are analyzed in detail. Experimental results clearly demonstrate that the proposed system has good performance in terms of high precision and good real-time capability.

Kai Yang,Qiang Li,Ting Li,Haining Wang,Limin Sun

DOI: https://doi.org/10.1109/jiot.2024.3496896

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The time-delay attacks pose serious security threats to the industrial control systems (ICS), where ICS infrastructures (e.g., chemical factories) could suffer severe safety consequences. They could bypass current delay detection methods by avoiding triggering packet timeouts. In this paper, we reveal that malicious states caused by the time-delay attacks in ICS scenarios can be detected by analyzing ICS programs. We propose detecting a time-delay attack in ICS scenarios by comparing the difference between malicious and benign states, meeting the real-time and non-interference requirements. Specifically, we utilize symbolic execution to analyze ICS programs to generate the benign states of ICS and leverage the key features of time-delay attacks to create the malicious states of ICS, where the states are transferred through the network for remote control and monitoring. We propose a multi-modal neural network whose inputs are the malicious states sampled from the ICS network traffic and the time domain features, and the output is whether such a time-delay attack exists. We implement a prototype system and conduct real-world experiments to evaluate the performance of our detection approach. Our experiments cover 102 vulnerable ICS programs and 5 types of time-delay attacks. The evaluation results show that our approach can detect ICS time-delay attacks in 0.6s, with 97.2% precision and 98% recall.