A real-time anomaly-based IDS for cyber-attack detection at the industrial process level of Critical Infrastructures

Abstract

This work presents a real-time anomaly-based detection system designed to work at the industrial process level of Critical Infrastructures (CI). The system’s core algorithm is based on negative selection and works in two phases: it first learns from the normal behaviour of the process, and then performs detection and raises alarms each time an abnormal behaviour is found. The main goal of the proposed tool is the detection of attacks targeting the physical components or devices composing the industrial process level of CI, such as electric, gas or water utilities. The proposed IDS uses a multi-agent approach to tackle the complex problem of monitoring large amounts of data coming from measurements recorded by Industrial Control Systems. It was built on an open source distributed computation system for real-time analysis. This tool was developed, tested, and validated during the EU-funded project PREEMPTIVE. Detection results obtained in a water treatment plant laboratory are presented and discussed.
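The two-phase negative selection scheme described in the abstract can be illustrated with a small real-valued implementation. The code below is an added example, not the PREEMPTIVE tool's own code: it assumes a V-detector style variant (each detector's radius extends to the edge of the nearest normal region), a constructed "self" set of normalised (tank level, flow rate) readings standing in for measurements collected during the learning phase, and an assumed self tolerance of 0.05. The learning phase keeps only random detectors that match no normal reading; the detection phase raises an alarm for any reading a detector covers. Because each detector's radius stops short of every self sample by the tolerance, a reading within that tolerance of a learned normal reading can never trigger an alarm, while readings far from normal behaviour are covered with overwhelming probability once enough detectors are kept.

```python
import math
import random
from dataclasses import dataclass
from typing import List, Tuple

# Constructed "self" set: normalised (tank_level, flow_rate) readings recorded
# while the process ran normally. A real deployment would collect these from
# the ICS historian during the learning phase.
SELF_SAMPLES: List[Tuple[float, float]] = [
    (0.40 + 0.05 * i, 0.40 + 0.05 * j) for i in range(5) for j in range(5)
]
SELF_RADIUS = 0.05   # assumed tolerance around each normal reading


@dataclass(frozen=True)
class Detector:
    centre: Tuple[float, float]
    radius: float

    def matches(self, reading: Tuple[float, float]) -> bool:
        return math.dist(self.centre, reading) <= self.radius


def train_detectors(self_samples, self_radius, n_detectors=400,
                    max_candidates=5000, seed=7) -> List[Detector]:
    """Learning phase (negative selection): draw random candidate detectors
    and keep only those that do not match any normal reading. The radius of
    an accepted detector reaches the boundary of the nearest self region,
    so no self sample (nor any reading within self_radius of one) is covered."""
    rng = random.Random(seed)            # seeded so the run is reproducible
    detectors: List[Detector] = []
    for _ in range(max_candidates):
        if len(detectors) >= n_detectors:
            break
        centre = (rng.random(), rng.random())
        nearest = min(math.dist(centre, s) for s in self_samples)
        radius = nearest - self_radius
        if radius > 0:                   # candidate lies outside normal space
            detectors.append(Detector(centre, radius))
    return detectors


def is_anomalous(reading, detectors) -> bool:
    """Detection phase: a reading is abnormal if any detector matches it."""
    return any(d.matches(reading) for d in detectors)


def classify_stream(readings, detectors):
    """Run detection over a stream of readings; return (index, reading) of alarms."""
    return [(i, r) for i, r in enumerate(readings) if is_anomalous(r, detectors)]


if __name__ == "__main__":
    dets = train_detectors(SELF_SAMPLES, SELF_RADIUS)
    # Constructed stream: two normal readings, then values consistent with a
    # manipulated actuator (level drifting high, then flow collapsing).
    stream = [(0.52, 0.48), (0.45, 0.55), (0.75, 0.50), (0.90, 0.10)]
    for idx, reading in classify_stream(stream, dets):
        print(f"ALARM: reading #{idx} {reading} matched a detector")
```

In a multi-agent deployment of the kind the abstract describes, each agent would hold a detector set for its own group of sensors and run `classify_stream` over its share of the measurement stream; the learning phase must be run on data known to be attack-free, since any manipulated readings included in the self set become part of what the detectors are forbidden to cover.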