A new perspective towards the development of robust data-driven intrusion detection for industrial control systems

Abstract

Most of the machine learning-based intrusion detection tools developed for Industrial Control Systems (ICS) are trained on network packet captures, and they rely on monitoring network-layer traffic alone for intrusion detection. This approach produces weak intrusion detection systems, because ICS cyber-attacks have a real and significant impact on the process variables. A limited number of researchers consider integrating process measurements. However, in complex systems, process variable changes could result from different combinations of abnormal occurrences. This paper examines recent advances in intrusion detection algorithms, their limitations and challenges, and the status of their application in critical infrastructures. We also introduce a discussion of the similarities and conflicts observed in the development of machine learning tools and techniques for fault diagnosis and for cybersecurity in the protection of complex systems, and the need to establish a clear difference between them. As a case study, we discuss special characteristics of nuclear power control systems and the factors that constrain the direct integration of security algorithms. Moreover, we discuss data reliability issues and present references and direct URLs to recent open-source data repositories to aid researchers in developing data-driven ICS intrusion detection systems.
