Anomaly detection in Industrial Control Systems using Logical Analysis of Data

Abstract

Cyber attacks on Industrial Control Systems (ICSs) that aim to disrupt the associated physical systems, such as power grids and water treatment plants, are a harsh reality of the world today. Detection and prevention of anomalous behaviors such as cyber attacks are of vital importance. This paper focuses on a method to detect such anomalous behaviors in near real-time using laptop-class processing power. ICSs depend on sensor measurements to monitor and operate a plant. Moreover, any change in the behavior of a physical process due to an attack can also be unearthed from the sensor measurements. Under different circumstances, these sensor measurements follow typical patterns. A supervised classification method based on partially defined Boolean functions, known as Logical Analysis of Data (LAD), can extract patterns (or rules) from historical sensor measurements, and these rules can categorize the condition of a plant. In this paper, these rules are used to design an Anomaly Detection System (ADS) to unearth anomalous behaviors. The efficacy of the proposed method is assessed using sensor measurements from a testbed known as the Secure Water Treatment (SWaT) system. The proposed technique is generic and can be extended to other ICSs such as power and transportation. Additionally, compared to other anomaly detection approaches, the LAD-based ADS also helps to localize the anomaly.
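To make the LAD step concrete, the following is an added example and not the paper's code or the SWaT data: it binarizes a constructed toy set of readings from three hypothetical tags (LIT101, FIT101, P101) using cutpoints, mines minimal pure patterns for the normal and attack classes, and classifies new readings while naming the sensors in the attack patterns that fired, which is the localization the abstract refers to.

```python
from itertools import combinations
# Constructed toy data, not the SWaT dataset: three hypothetical tags (tank level,
# inlet flow, pump state). Class 1 = normal plant state, class 0 = attack.
SENSORS = ("LIT101", "FIT101", "P101")
NORMAL = [(520.0, 2.4, 1), (610.0, 2.6, 1), (700.0, 0.0, 0), (800.0, 0.0, 0)]
ATTACK = [(900.0, 2.4, 1), (450.0, 0.0, 1)]  # overfill while pumping; pump on, no flow

def cutpoints(normal, attack):
    # Binarization thresholds: midpoint between neighbouring values of a sensor
    # unless both values were only ever observed in the same class.
    cps = []
    for i in range(len(SENSORS)):
        labels = {}
        for row in normal: labels.setdefault(row[i], set()).add(1)
        for row in attack: labels.setdefault(row[i], set()).add(0)
        vals = sorted(labels)
        cps += [(i, (a + b) / 2.0) for a, b in zip(vals, vals[1:])
                if (labels[a] | labels[b]) == {0, 1}]
    return cps
def binarize(row, cps):
    return tuple(row[i] > c for i, c in cps)  # one Boolean attribute per cutpoint
def covers(pat, bits):
    return all(bits[j] == v for j, v in pat)
def patterns(pos, neg, cps, degree=2):
    # Minimal pure patterns: <= degree literals, cover some 'pos', cover no 'neg'.
    pos_b, neg_b = [binarize(r, cps) for r in pos], [binarize(r, cps) for r in neg]
    found = []
    for d in range(1, degree + 1):
        for idx in combinations(range(len(cps)), d):
            for lits in sorted({tuple(b[j] for j in idx) for b in pos_b}):
                pat = tuple(zip(idx, lits))
                if any(set(p) <= set(pat) for p in found):  # extends a found pattern
                    continue
                if not any(covers(pat, b) for b in neg_b):
                    found.append(pat)
    return found
def train(normal, attack):
    cps = cutpoints(normal, attack)
    return cps, patterns(normal, attack, cps), patterns(attack, normal, cps)
def classify(row, model):
    # LAD discriminant: share of normal patterns firing minus share of attack
    # patterns firing; sensors in the firing attack patterns localize the anomaly.
    cps, normal_pats, attack_pats = model
    bits = binarize(row, cps)
    hit_n = [p for p in normal_pats if covers(p, bits)]
    hit_a = [p for p in attack_pats if covers(p, bits)]
    score = len(hit_n) / max(len(normal_pats), 1) - len(hit_a) / max(len(attack_pats), 1)
    verdict = "normal" if score > 0 else "anomaly" if score < 0 else "unknown"
    where = sorted({SENSORS[cps[j][0]] for p in hit_a for j, _ in p})
    return verdict, round(score, 3), where
```

train(NORMAL, ATTACK) returns the cutpoints and both pattern sets; classify(reading, model) returns the verdict, the discriminant score and the sensors implicated by the attack patterns that fired.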
