Anomaly-based Intrusion Detection in Industrial Data with SVM and Random Forests

Attacks on industrial enterprises are increasing in number as well as in effect. Since the introduction of industrial control systems in the 1970s, industrial networks have been the target of malicious actors. More recently, the political and warfare aspects of attacks on industrial and critical infrastructure have become more relevant. In contrast to classic home and office IT systems, industrial IT, the so-called OT systems, has an effect on the physical world. Furthermore, industrial devices have long operation times, sometimes several decades, so updates and fixes are tedious and often not possible. The threats to industry, combined with the legacy requirements of industrial environments, create the need for efficient intrusion detection that can be integrated into existing systems. In this work, network data containing industrial operation is analysed with machine learning- and time series-based anomaly detection algorithms in order to discover the attacks introduced into the data. Two different data sets are used: one of Modbus-based gas pipeline control traffic and one of OPC UA-based batch processing traffic. In order to detect attacks, two machine learning-based algorithms are used, namely SVM and Random Forest. Both perform well, with Random Forest slightly outperforming SVM. Furthermore, extracting and selecting features as well as handling missing data are addressed in this work.
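The abstract names three preprocessing concerns that any detector on industrial time series has to get right before a classifier such as SVM or Random Forest sees a single sample: turning raw register readings into features, selecting which of those features carry signal, and dealing with missing samples caused by irregular polling or dropped packets. The following is an added example, not code from the paper or its data sets. It constructs a short pressure-register series in the style of a Modbus gas-pipeline capture (the values, the 100 ms sampling interval and the `None` gaps are all made up), forward-fills the gaps while recording a missing-ratio feature so the classifier can learn that imputed windows are less trustworthy, and computes windowed statistics. The supervised classifiers from the paper are not reproduced; a simple baseline-distance check stands in for them so the feature vectors can be exercised end to end.

```python
"""Added example: windowed feature extraction with explicit missing-data
handling for industrial register time series (constructed data, stdlib only)."""
from statistics import mean, pstdev

# Constructed sample: one pressure register reading every 100 ms.
# None marks a missing sample (dropped packet or irregular polling).
# The jump from ~10 to ~16 in the second half is the constructed "anomaly".
PRESSURE_SAMPLES = [10.0, 10.1, 10.0, None, 10.2, 10.1, None, None, 10.0, 10.3,
                    10.1, 10.0, 15.8, 16.0, 15.9, None, 16.1, 15.7, 16.0, 16.2]


def forward_fill(samples):
    """Replace each None with the last observed value (leading gaps take the
    first observed value). Returns (filled_values, missing_flags) so that the
    fact of imputation survives as a feature instead of being silently hidden."""
    first = next((s for s in samples if s is not None), 0.0)
    filled, flags, last = [], [], first
    for s in samples:
        if s is None:
            filled.append(last)
            flags.append(1)
        else:
            filled.append(s)
            flags.append(0)
            last = s
    return filled, flags


def window_features(values, flags, size, step):
    """Slide a window over the filled series. Each window becomes one feature
    vector: mean, std, min, max, delta (last - first) and the fraction of
    samples in the window that were imputed."""
    feats = []
    for start in range(0, len(values) - size + 1, step):
        w = values[start:start + size]
        f = flags[start:start + size]
        feats.append({
            "start": start,
            "mean": round(mean(w), 3),
            "std": round(pstdev(w), 3),
            "min": min(w),
            "max": max(w),
            "delta": round(w[-1] - w[0], 3),
            "missing_ratio": round(sum(f) / size, 3),
        })
    return feats


def extract(samples, size=5, step=5):
    """Full preprocessing step: impute, then window. These dicts are what a
    classifier (SVM / Random Forest in the paper) would be trained on."""
    filled, flags = forward_fill(samples)
    return window_features(filled, flags, size, step)


def flag_windows(feats, baseline_windows=2, tolerance=1.0):
    """Stand-in for the classifier: learn a baseline mean from the first few
    windows and flag any window whose mean drifts by more than `tolerance`.
    Windows with more than 30% imputed samples are reported separately as
    unreliable rather than being trusted as clean evidence either way."""
    base = mean(f["mean"] for f in feats[:baseline_windows])
    out = []
    for f in feats:
        if f["missing_ratio"] > 0.3:
            out.append("unreliable")
        elif abs(f["mean"] - base) > tolerance:
            out.append("anomaly")
        else:
            out.append("normal")
    return out


if __name__ == "__main__":
    feats = extract(PRESSURE_SAMPLES)
    for f, label in zip(feats, flag_windows(feats)):
        print(label, f)
```

The `missing_ratio` column is the part practitioners most often omit: after forward-filling, a window that was mostly imputed looks perfectly flat and stable, which is exactly what a naive model learns to call "normal", so carrying the imputation count forward as its own feature (or excluding such windows from training) keeps the classifier honest about data it never actually observed.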