A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems

Industrial Control Systems (ICS), consisting of integrated hardware and software components designed to monitor and control a variety of industrial processes, are typically deployed in critical infrastructures such as water treatment plants, power grids and gas pipelines. Unlike conventional IT systems, deviations from normal operation in ICS have the potential to cause significant physical damage to equipment, the environment and even human life. Actively monitoring invariant rules, which define the physical conditions that must hold during normal operation of an ICS, improves the security and dependability of such systems: anomalous system states can be detected early, allowing timely mitigating actions – such as fault checking or system shutdown – to be taken. Generally, invariant rules are predefined by system engineers during the design phase of a given ICS build. However, this manually intensive process is costly, error-prone and, in typically complex systems, sub-optimal. In this paper we propose a novel framework that systematically generates invariant rules from the information contained in ICS operational data logs, using a combination of several machine learning and data mining techniques. The effectiveness of our approach is demonstrated by experiments on two real-world ICS testbeds: a water distribution system and a water treatment plant. We show that sets of invariant rules far larger than those defined manually can be derived by our framework, and that they deliver significant improvements in anomaly detection compared with both the invariant rules defined by system engineers and the commonly used residual-error-based anomaly detection model for ICS.

Keywords—industrial control systems, anomaly detection, invariant rules, machine learning.
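As an added illustration (not the paper's own code or its actual mining and learning techniques), a minimal version of the idea in the abstract: discretise operational log records into categorical items, mine rules that hold with full confidence and a minimum support on normal-operation data, and flag a record when a rule's antecedent holds but its consequent does not. The tank-loop log values, the level bin thresholds and the support threshold are constructed assumptions.

```python
from itertools import combinations

# Constructed log of a small tank loop; each record is one polling cycle
# of (tank level fraction, inlet pump state, outlet valve state).
NORMAL_LOG = [
    {"level": 0.12, "pump": "on",  "valve": "closed"},
    {"level": 0.25, "pump": "on",  "valve": "closed"},
    {"level": 0.48, "pump": "on",  "valve": "closed"},
    {"level": 0.71, "pump": "on",  "valve": "closed"},
    {"level": 0.88, "pump": "off", "valve": "open"},
    {"level": 0.93, "pump": "off", "valve": "open"},
    {"level": 0.64, "pump": "off", "valve": "open"},
    {"level": 0.31, "pump": "on",  "valve": "closed"},
]

def discretise(rec):
    """Map one record to categorical items (assumed three level bins)."""
    lvl = rec["level"]
    band = "low" if lvl < 0.33 else "mid" if lvl < 0.66 else "high"
    return frozenset({f"level={band}", f"pump={rec['pump']}",
                      f"valve={rec['valve']}"})

def mine_invariants(log, min_support=2, max_len=2):
    """Return (antecedent, consequent) rules seen at least min_support
    times whose consequent held every time the antecedent did
    (confidence 1.0). These are the candidate invariant rules."""
    txns = [discretise(r) for r in log]
    counts = {}
    for t in txns:
        for k in range(1, max_len + 1):
            for items in combinations(sorted(t), k):
                counts[frozenset(items)] = counts.get(frozenset(items), 0) + 1
    rules = set()
    for itemset, sup in counts.items():
        if sup < min_support or len(itemset) < 2:
            continue
        for cons in itemset:
            ante = itemset - {cons}
            if counts[ante] == sup:  # antecedent never seen without consequent
                rules.add((ante, cons))
    return rules

def violations(rules, rec):
    """Rules whose antecedent holds in rec but whose consequent does not."""
    items = discretise(rec)
    return {(a, c) for a, c in rules if a <= items and c not in items}
```

On the constructed log this yields six rules (for example pump=off implies valve=open), and a record with the pump off while the valve is closed violates three of them.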
