Super Learner Ensemble for Anomaly Detection and Cyber-Risk Quantification in Industrial Control Systems

Industrial control systems (ICSs) are integral parts of smart cities and critical to modern societies. Despite the indisputable opportunities introduced by disruptive technologies, those technologies also expand a cybersecurity threat landscape that is increasingly hostile. The large number of sensors deployed in ICS, aided by artificial intelligence (AI), enables data collection that facilitates automation, process streamlining, and cost reduction. Beyond this operational use, however, sensor-generated data combined with AI can be used to model anomalous behavior as part of layered security, increasing resilience to cyberattacks. We introduce a framework to profile anomalous behavior in ICS and derive a cyber-risk score. A novel super learner ensemble for one-class classification is developed, using overlapping rolling windows with stratified, $k$-fold, $n$-repeat cross-validation applied to each base learner, followed by majority voting to select the best learner. Our approach is demonstrated on a liquid distribution sensor data set. The experimental results reveal that the proposed technique achieves an overall $F1$-score of 99.13% and an anomalous recall score of 99%, detecting anomalies lasting only 17 s. The key strengths of the framework are its low computational complexity and error rate. The framework is modular, generic, applicable to other ICS, and transferable to other smart city sectors.
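As an added illustration (not the paper's code, data set or base learners), the selection procedure described above written in plain Python: sensor readings framed into overlapping rolling windows, stratified $k$-fold, $n$-repeat cross-validation run on each of three simple one-class base learners, and a majority vote over the per-fold winners. The stream, the learners and their thresholds are constructed assumptions; the `range` learner is included to show how a base learner can miss an anomaly that fills a whole window.

```python
import random
from math import sqrt
from statistics import mean, pstdev

# Constructed stream (assumption, not the paper's data): 1 reading/s, level ~50, +8 for 17 s.
random.seed(7)
LABELS = [1 if 150 <= t < 167 else 0 for t in range(300)]
STREAM = [50 + random.gauss(0, 1) + 8 * y for y in LABELS]

def windows(series, labels, size=10, stride=2):  # a window is anomalous if any sample is
    return [(series[i:i + size], max(labels[i:i + size]))
            for i in range(0, len(series) - size + 1, stride)]

# Illustrative one-class base learners: fitted on normal windows only, each returns predict(w) -> 0/1.
def fit_mean_shift(normal):  # flags a window whose mean drifts 3 standard errors from normal
    flat = [x for w in normal for x in w]
    mu, sd, n = mean(flat), pstdev(flat), len(normal[0])
    return lambda w: int(abs(mean(w) - mu) > 3 * sd / sqrt(n))

def fit_range(normal):  # blind to windows lying entirely inside the excursion
    limit = max(max(w) - min(w) for w in normal)
    return lambda w: int(max(w) - min(w) > limit)

def fit_peak(normal):  # naive: compares a peak sample with window means, so it flags most windows
    limit = max(mean(w) for w in normal)
    return lambda w: int(max(w) > limit)

LEARNERS = {"mean_shift": fit_mean_shift, "range": fit_range, "peak": fit_peak}

def f1(pairs):  # pairs of (prediction, truth); F1 of the anomalous class
    tp = sum(p and t for p, t in pairs)
    fp, fn = sum(p and not t for p, t in pairs), sum(t and not p for p, t in pairs)
    return 2 * tp / (2 * tp + fp + fn) if tp + fp + fn else 1.0

def stratified_folds(ws, k):  # k folds of window indices, normal/anomalous ratio preserved
    folds = [set() for _ in range(k)]
    for label in (0, 1):
        idx = [i for i, (_, y) in enumerate(ws) if y == label]
        random.shuffle(idx)
        for j, i in enumerate(idx):
            folds[j % k].add(i)
    return folds

def super_learner_select(ws, k=5, n=5):
    """Stratified k-fold, n-repeat CV of each base learner; the fold winner gets one vote."""
    votes = dict.fromkeys(LEARNERS, 0)
    for _ in range(n):
        for test in stratified_folds(ws, k):
            train_normal = [w for i, (w, y) in enumerate(ws) if i not in test and y == 0]
            fitted = {name: fit(train_normal) for name, fit in LEARNERS.items()}
            scores = {name: f1([(predict(ws[i][0]), ws[i][1]) for i in test])
                      for name, predict in fitted.items()}
            votes[max(scores, key=scores.get)] += 1
    return max(votes, key=votes.get), votes

BEST, VOTES = super_learner_select(windows(STREAM, LABELS))
```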
