A novel online state-based anomaly detection system for process control networks

Abstract Industrial control networks are the core part of critical infrastructures such as power grids and oil refineries. In recent years, the number of cyber-attacks on industrial control networks has grown steadily. Moreover, connecting industrial networks to public networks makes these critical infrastructures more vulnerable to cyber-attacks, so improving the security of these networks has attracted much attention. To protect industrial control networks, the proposed online method detects anomalies with low computational time and without using prior knowledge about the system or the anomalies. The method can adjust the severity of detection in order to efficiently detect the changes that lead to anomalies, and it can adapt to inevitable network changes by updating the anomaly threshold using the latest normal states. The proposed method finds anomalies in the network using high-pass filters and the Euclidean distance of the current state from the latest states. To evaluate the efficiency of the proposed approach, a boiler control system is simulated and three test datasets are produced from this simulation. The proposed intrusion detection system was evaluated on these datasets as well as on the SWaT dataset. The results show that the proposed approach is not only highly effective at detecting anomalies but also adaptable to normal variations in the network.
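The detection loop the abstract describes, written out as an added example that is not the paper's code: each process-state vector is high-pass filtered so slow drift is ignored, the current filtered state is compared by Euclidean distance with the latest normal states, and the threshold is rebuilt from those latest normal distances only. The first-order filter form, the `severity` multiplier, the `min_threshold` floor and the boiler-like sample series are assumptions, not details taken from the paper.

```python
import math
from collections import deque

class StateAnomalyDetector:
    def __init__(self, window=20, severity=3.0, alpha=0.5, min_threshold=1.0):
        self.window, self.severity, self.alpha = window, severity, alpha
        self.min_threshold = min_threshold      # floor: a flat process never alarms on jitter
        self.prev_state = self.prev_filtered = None
        self.latest = deque(maxlen=window)      # filtered latest *normal* states
        self.distances = deque(maxlen=window)   # their distances; these drive the threshold
    def _high_pass(self, state):
        # y[n] = alpha*(y[n-1] + x[n] - x[n-1]) (assumed first-order form): slow drift
        # and steady offsets are suppressed, sudden changes pass through
        if self.prev_state is None:
            y = [0.0] * len(state)
        else:
            y = [self.alpha * (yp + x - xp)
                 for yp, x, xp in zip(self.prev_filtered, state, self.prev_state)]
        self.prev_state, self.prev_filtered = list(state), y
        return y
    def _distance_to_latest(self, y):
        # Euclidean distance from the current filtered state to the centre of the latest normal ones
        n = len(self.latest)
        return math.dist(y, [sum(v[i] for v in self.latest) / n for i in range(len(y))])
    def threshold(self):
        # adaptive bound: mean + severity*std of the latest normal distances (lower = stricter)
        n = len(self.distances)
        mean = sum(self.distances) / n
        std = math.sqrt(sum((d - mean) ** 2 for d in self.distances) / n)
        return max(mean + self.severity * std, self.min_threshold)
    def observe(self, state):
        """Feed one state vector; return True if it is anomalous."""
        y = self._high_pass(state)
        d = self._distance_to_latest(y) if self.latest else 0.0
        anomalous = len(self.latest) >= self.window and d > self.threshold()   # first `window` states = warm-up
        if not anomalous:                        # only normal states refresh the baseline
            self.latest.append(y)
            self.distances.append(d)
        return anomalous

def constructed_boiler_series(n=100, jump_at=60, jump=30.0):
    """Constructed sample (not the paper's data): two drifting, oscillating variables
    with a sudden step in the first one from index `jump_at` on."""
    return [[100.0 + 0.2 * t + 0.5 * math.sin(t) + (jump if t >= jump_at else 0.0),
             50.0 + 0.1 * t + 0.3 * math.cos(0.7 * t)] for t in range(n)]

def detect(states, **kwargs):
    """Feed the states in order and return the indices flagged as anomalous."""
    det = StateAnomalyDetector(**kwargs)
    return [i for i, s in enumerate(states) if det.observe(s)]
```

Because the raw series drifts by 20 units over the run, a static band on the raw values would eventually alarm on normal operation, whereas the filtered distance stays small until the step at index 60.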
