Multilayer Data-Driven Cyber-Attack Detection System for Industrial Control Systems Based on Network, System, and Process Data

The growing number of attacks against cyber-physical systems in recent years elevates the concern for cybersecurity of industrial control systems (ICSs). The current efforts of ICS cybersecurity are mainly based on firewalls, data diodes, and other methods of intrusion prevention, which may not be sufficient against growing cyber threats from motivated attackers. To enhance the cybersecurity of ICS, a cyber-attack detection system built on the concept of defense-in-depth is developed utilizing network traffic data, host system data, and measured process parameters. This attack detection system provides multiple layers of defense in order to give the defenders precious time before unrecoverable consequences occur in the physical system. The data used for demonstrating the proposed detection system are from a real-time ICS testbed. Five attacks, including man in the middle (MITM), denial of service (DoS), data exfiltration, data tampering, and false data injection, are carried out to simulate the consequences of cyber attack and generate data for building data-driven detection models. Four classical classification models based on network data and host system data are studied, including k-nearest neighbor (KNN), decision tree, bootstrap aggregating (bagging), and random forest (RF), to provide a secondary line of defense of cyber-attack detection in the event that the intrusion prevention layer fails. Intrusion detection results suggest that KNN, bagging, and RF have low missed alarm and false alarm rates for MITM and DoS attacks, providing accurate and reliable detection of these cyber attacks. Cyber attacks that may not be detectable by monitoring network and host system data, such as command tampering and false data injection attacks by an insider, are monitored for by traditional process monitoring methods. In the proposed detection system, an auto-associative kernel regression model is studied to strengthen early attack detection. The results show that this approach detects physically impactful cyber attacks before significant consequences occur. The proposed multiple-layer data-driven cyber-attack detection system utilizing network, system, and process data is a promising solution for safeguarding an ICS.
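The process-data layer above relies on auto-associative kernel regression (AAKR): each incoming sensor vector is reconstructed as a kernel-weighted average of stored normal exemplars, and the residual between measurement and reconstruction is the alarm signal, so a false data injection that breaks the learned correlations between sensors is flagged even when the injected value is within the sensor's normal range. The following is an added example, not code from the paper or its testbed; the three-sensor pump-loop relation, the Gaussian kernel bandwidth, the residual threshold and the injected drift are constructed assumptions.

```python
import math

# Constructed normal operating data (synthetic, not the paper's testbed data):
# three correlated process sensors of a pump loop. The AAKR memory stores
# exemplars of this normal behaviour; the relation itself is an assumption.
def normal_state(flow):
    pressure = 1.8 * flow + 3.0       # pressure tracks flow
    temperature = 40.0 + 0.5 * flow   # temperature tracks flow
    return [flow, pressure, temperature]

MEMORY = [normal_state(20.0 + 0.5 * i) for i in range(41)]  # flows 20..40


def aakr_estimate(query, memory=MEMORY, bandwidth=2.0):
    """Auto-associative kernel regression: rebuild the query as a Gaussian
    kernel weighted average of the stored normal exemplars."""
    weights = []
    for exemplar in memory:
        d2 = sum((q - e) ** 2 for q, e in zip(query, exemplar))
        weights.append(math.exp(-d2 / (2.0 * bandwidth ** 2)))
    total = sum(weights) or 1e-300  # guard: a state far from all memory
    return [sum(w * e[j] for w, e in zip(weights, memory)) / total
            for j in range(len(query))]


def residual_norm(query, memory=MEMORY):
    """Distance between measured and reconstructed sensor vector; near zero
    while the sensors respect the learned correlations."""
    est = aakr_estimate(query, memory)
    return math.sqrt(sum((q - e) ** 2 for q, e in zip(query, est)))


def is_attack(query, threshold=1.0):
    # In practice the threshold is set from residuals of held-out normal data.
    return residual_norm(query) > threshold


def first_alarm(series, threshold=1.0):
    """Index of the first sample that trips the residual alarm, or None."""
    for t, sample in enumerate(series):
        if is_attack(sample, threshold):
            return t
    return None


# Constructed stream: normal operation at flow 30, then from sample 10 an
# injected pressure reading that drifts 1.5 units per step away from truth.
STREAM = [normal_state(30.0) for _ in range(10)]
for k in range(1, 6):
    flow, pressure, temperature = normal_state(30.0)
    STREAM.append([flow, pressure - 1.5 * k, temperature])

if __name__ == "__main__":
    print("first alarm at sample", first_alarm(STREAM))
```

Note that the residual spreads across correlated sensors, so a large residual says the sensor set is inconsistent but does not by itself identify which reading was tampered.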
