AADS: A Noise-Robust Anomaly Detection Framework for Industrial Control Systems

Deep Neural Networks are emerging as effective techniques to detect sophisticated cyber-attacks targeting Industrial Control Systems (ICSs). In general, these techniques focus on learning a “normal” behavior of the system, to be then able to label noteworthy deviations from it as anomalies. However, during operations, ICSs inevitably and continuously evolve their behavior, due to e.g., replacement of devices, workflow modifications, or other reasons. As a consequence, the quality of the anomaly detection process may be dramatically affected with a considerable amount of false alarms being generated. This paper presents AADS (Adaptive Anomaly Detection in industrial control Systems), a novel framework based on neural networks and greedy-algorithms that tailors the learning-based anomaly detection process to the changing nature of ICSs. AADS efficiently adapts a pre-trained model to learn new changes in the system behavior with a small number of data samples (i.e., time steps) and a few gradient updates. The performance of AADS is evaluated using the Secure Water Treatment (SWaT) dataset, and its sensitivity to additive noise is investigated. Our results show an increased detection rate compared to state of the art approaches, as well as more robustness to additive noise.

[1]  Jong Hyuk Park,et al.  SH-SecNet: An enhanced secure network architecture for the diagnosis of security threats in a smart home , 2017 .

[2]  Pedro Casas,et al.  Adaptive Network Security through Stream Machine Learning , 2018, SIGCOMM Posters and Demos.

[3]  Graham C. Goodwin,et al.  Architectures and coder design for networked control systems , 2008, Autom..

[4]  Mei Wang,et al.  Deep Visual Domain Adaptation: A Survey , 2018, Neurocomputing.

[5]  Qin Lin,et al.  TABOR: A Graphical Model-based Approach for Anomaly Detection in Industrial Control Systems , 2018, AsiaCCS.

[6]  Sergey Levine,et al.  Model-Agnostic Meta-Learning for Fast Adaptation of Deep Networks , 2017, ICML.

[7]  Asaf Shabtai,et al.  Detecting Cyber Attacks in Industrial Control Systems Using Convolutional Neural Networks , 2018, CPS-SPC@CCS.

[8]  Vanessa Sochat,et al.  Singularity: Scientific containers for mobility of compute , 2017, PloS one.

[9]  Stamatis Karnouskos,et al.  Stuxnet worm impact on industrial cyber-physical system security , 2011, IECON 2011 - 37th Annual Conference of the IEEE Industrial Electronics Society.

[10]  Geoffrey E. Hinton,et al.  On the importance of initialization and momentum in deep learning , 2013, ICML.

[11]  Zhi-Hong Guan,et al.  PERFORMANCE ANALYSIS OF NETWORKED CONTROL SYSTEMS WITH SNR CONSTRAINTS , 2012 .

[12]  Joshua Achiam,et al.  On First-Order Meta-Learning Algorithms , 2018, ArXiv.

[13]  Sridhar Adepu,et al.  Anomaly Detection in Cyber Physical Systems Using Recurrent Neural Networks , 2017, 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE).

[14]  Jianying Zhou,et al.  Noise Matters: Using Sensor and Process Noise Fingerprint to Detect Stealthy Cyber Attacks and Authenticate sensors in CPS , 2018, ACSAC.

[15]  Dmitry Shalyga,et al.  Anomaly Detection for Water Treatment System based on Neural Network with Automatic Architecture Optimization , 2018, ArXiv.

[16]  Gerhard P Hancke,et al.  Introduction to Industrial Control Networks , 2013, IEEE Communications Surveys & Tutorials.

[17]  Pedro Casas,et al.  Stream-based Machine Learning for Network Security and Anomaly Detection , 2018, Big-DAMA@SIGCOMM.

[18]  Sridhar Adepu,et al.  Generalized Attacker and Attack Models for Cyber Physical Systems , 2016, 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC).

[19]  Heng-Tze Cheng,et al.  Wide & Deep Learning for Recommender Systems , 2016, DLRS@RecSys.