Double Behavior Characteristics for One-Class Classification Anomaly Detection in Networked Control Systems

As networked control systems become ever more dependent on information network technology, they are suffering a severe blow from cyberattacks. Simply modeling the cyberattacks themselves is inadequate and impractical for detection, because these systems contain many different vulnerabilities and the attacks against them are diverse. A more feasible viewpoint is to identify misbehaviors by constructing a model of normal industrial communication behavior. One of the chief difficulties, however, is how to summarize industrial communication behaviors completely and appropriately according to their specific communication characteristics. Taking the viewpoint of process control and data acquisition, this paper associates industrial communication characteristics with their time sequence and extracts two distinct behaviors: function control behavior and process data behavior. Based on these double behavior characteristics, we introduce one-class classification to detect the anomalies corresponding to each behavior separately. We also present a weighted mixed kernel function and a parameter optimization method to improve classification performance. Experimental results clearly demonstrate that the proposed approach has significant advantages in classification accuracy and detection efficiency.
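As an added illustration (not the paper's code or data), the following Python sketch represents each traffic time window by the two behavior vectors the abstract describes, builds a weighted mixed RBF-plus-polynomial kernel, and runs a separate one-class detector per behavior. The kernel-centroid detector, the feature layout, and every sample value are assumptions made here, not the paper's method or results.

```python
import math
# Constructed sample windows (not the paper's data). Each traffic time window gives
# two behaviour vectors: function-control behaviour = relative frequency of four
# function codes [read_coils, read_regs, write, diagnostic] in the window;
# process-data behaviour = the process values read in the window, scaled to [0, 1].
NORMAL_CONTROL = [[0.70, 0.30, 0, 0], [0.60, 0.40, 0, 0], [0.65, 0.35, 0, 0],
                  [0.75, 0.25, 0, 0], [0.70, 0.30, 0, 0]]
NORMAL_PROCESS = [[0.50, 0.51, 0.50, 0.52], [0.49, 0.50, 0.51, 0.50],
                  [0.51, 0.52, 0.51, 0.50], [0.50, 0.50, 0.49, 0.51], [0.52, 0.51, 0.50, 0.50]]

def rbf_kernel(x, y, gamma=1.0):
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))

def poly_kernel(x, y, degree=2, c=1.0):
    return (sum(a * b for a, b in zip(x, y)) + c) ** degree

def mixed_kernel(x, y, w=0.5):
    """Weighted mixed kernel: w * RBF (local fit) + (1 - w) * polynomial (global trend)."""
    return w * rbf_kernel(x, y) + (1.0 - w) * poly_kernel(x, y)

class KernelCentroidDetector:
    """One-class detector used as a simple stand-in for the paper's classifier: a window
    is anomalous when its distance, in the kernel feature space, from the centroid of the
    normal training windows exceeds (1 + margin) times the largest training distance."""
    def __init__(self, kernel, margin=0.5):
        self.kernel, self.margin = kernel, margin

    def fit(self, windows):
        self.windows, n = windows, len(windows)
        self.center_norm = sum(self.kernel(a, b) for a in windows for b in windows) / (n * n)
        self.threshold = (1.0 + self.margin) * max(self.distance(x) for x in windows)
        return self

    def distance(self, x):
        cross = sum(self.kernel(x, w) for w in self.windows) / len(self.windows)
        return math.sqrt(max(self.kernel(x, x) - 2.0 * cross + self.center_norm, 0.0))

    def is_anomaly(self, x):
        return self.distance(x) > self.threshold

# One detector per behaviour, since the two anomaly kinds are detected separately.
CONTROL_DETECTOR = KernelCentroidDetector(mixed_kernel).fit(NORMAL_CONTROL)
PROCESS_DETECTOR = KernelCentroidDetector(mixed_kernel).fit(NORMAL_PROCESS)

def classify_window(control_vec, process_vec):
    """Names of the behaviours flagged as abnormal for one window (empty if normal)."""
    checks = (("function-control", CONTROL_DETECTOR, control_vec),
              ("process-data", PROCESS_DETECTOR, process_vec))
    return [name for name, detector, vec in checks if detector.is_anomaly(vec)]
```

A window whose function-code mix shifts toward writes and diagnostics is caught by the control detector, while a window with in-profile commands but out-of-range process values is caught only by the process detector.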
