A Novel Intrusion Detection Algorithm for Industrial Control Systems Based on CNN and Process State Transition

As closed Industrial Control Systems (ICS) gradually evolve toward networked operation, ICS data and operational processes can be tampered with by attackers, causing industrial control equipment to fail or become damaged. Relying on the stability of ICS business logic, this paper proposes a novel two-level anomaly detection framework to ensure that system data and business logic are safe and reliable. Specifically, basic information is obtained from network traffic. In our framework, the first-level detection uses a convolutional neural network (CNN) for feature extraction and anomaly identification. In the second-level detection, we propose a process state transition algorithm: the features extracted by the CNN model serve as its input and are used to construct a model of the normal process state transitions of the ICS. The model checks whether the current data conforms to the system's normal state transition process, and can therefore find unknown or 0-day attacks. Finally, through verification on a laboratory gas pipeline network system, we found that the anomaly detection framework combining the two methods performs better than several current state-of-the-art techniques.
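The second-level detector described above, written out as an added example (not the authors' code): each sample is discretised into a process state, the transitions seen in a normal trace are learned, and any transition absent from that model is reported. The variable names (pump, solenoid, pressure band), the band thresholds and the gas-pipeline traces are constructed assumptions; in the paper the input comes from the CNN features instead.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

State = Tuple[str, str, str]
# Pressure bands (psi) for discretising the reading; constructed thresholds.
PRESSURE_BANDS = [(0.0, 5.0, "low"), (5.0, 10.0, "normal"), (10.0, float("inf"), "high")]


def to_state(pump: int, solenoid: int, pressure_psi: float) -> State:
    """Map one sample (pump, solenoid, pressure) to a discrete process state."""
    band = next(n for lo, hi, n in PRESSURE_BANDS if lo <= pressure_psi < hi)
    return ("pump_on" if pump else "pump_off",
            "valve_open" if solenoid else "valve_closed", band)


class TransitionModel:
    """Records every state->state transition observed during normal operation."""

    def __init__(self) -> None:
        self.counts: Dict[State, Dict[State, int]] = defaultdict(lambda: defaultdict(int))

    def fit(self, trace: Iterable[State]) -> "TransitionModel":
        prev = None
        for state in trace:
            if prev is not None:
                self.counts[prev][state] += 1
            prev = state
        return self

    def is_normal(self, src: State, dst: State) -> bool:
        # .get() so that detection never inserts unseen states into the learned model
        return self.counts.get(src, {}).get(dst, 0) > 0

    def detect(self, trace: List[State]) -> List[Tuple[int, State, State]]:
        """Return (index, from, to) for each transition absent from the normal model."""
        return [(i, trace[i - 1], trace[i]) for i in range(1, len(trace))
                if not self.is_normal(trace[i - 1], trace[i])]


# Constructed (pump, solenoid, pressure_psi) traces: two normal fill/vent cycles, then one
# where a pressure value arrives out of sequence; each sample there is individually plausible.
NORMAL_SAMPLES = [(0, 0, 2.0), (1, 0, 3.0), (1, 0, 7.0), (1, 1, 8.0), (0, 1, 6.0),
                  (0, 0, 4.0), (1, 0, 4.5), (1, 0, 9.0), (1, 1, 7.5), (0, 1, 5.5), (0, 0, 3.0)]
ATTACK_SAMPLES = [(0, 0, 2.0), (1, 0, 3.0), (1, 0, 7.0), (1, 0, 12.0), (1, 1, 8.0)]


def run_demo() -> Tuple[list, list]:
    """Fit on the normal trace; return alerts for the normal and the anomalous trace."""
    model = TransitionModel().fit(to_state(*s) for s in NORMAL_SAMPLES)
    return (model.detect([to_state(*s) for s in NORMAL_SAMPLES]),
            model.detect([to_state(*s) for s in ATTACK_SAMPLES]))
```

A per-packet check would accept every sample in the anomalous trace, since each value lies within its normal range; only the sequence model flags the jump to the "high" band and the unseen state that follows it.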
