Time is of the Essence: Machine Learning-Based Intrusion Detection in Industrial Time Series Data

The Industrial Internet of Things drastically increases the connectivity of devices in industrial applications. Alongside the benefits in efficiency, scalability and ease of use, this creates novel attack surfaces. Historically, industrial networks and protocols have lacked the security mechanisms, such as authentication and encryption, that this development now makes necessary. Thus, industrial IT security is needed. In this work, emulated industrial network data is transformed into a time series and analysed with three different algorithms. The data contains labelled attacks, so detection performance can be evaluated. Matrix Profiles perform well with almost no parameterisation needed. Seasonal Autoregressive Integrated Moving Average performs well in the presence of noise, but requires parameterisation effort. Long Short-Term Memory-based neural networks perform only moderately while requiring a high training and parameterisation effort.
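The two steps the abstract names, turning network events into a time series and then scoring it with a Matrix Profile, can be shown end to end on a small constructed input. The following is an added example and not code from the paper or its authors: the packets-per-interval series is synthetic (a periodic polling load with jitter and one injected burst), and the Matrix Profile is computed by brute force (O(n²m), z-normalised Euclidean distance with a trivial-match exclusion zone) rather than with the STOMP/SCRIMP algorithms a production implementation would use. The window length `m` and the burst parameters are assumptions chosen for the demonstration.

```python
# Added example (not from the paper): brute-force Matrix Profile discord
# detection on a constructed packets-per-interval series.
import math
import random


def bin_packet_counts(timestamps, bin_seconds, n_bins):
    """Turn packet timestamps (seconds) into packets-per-bin counts, i.e. the
    kind of time series the paper derives from a network capture."""
    counts = [0] * n_bins
    for ts in timestamps:
        b = int(ts // bin_seconds)
        if 0 <= b < n_bins:
            counts[b] += 1
    return counts


def synthetic_polling_series(period=20, cycles=10, burst_at=125, burst_len=6,
                             burst_size=15.0, seed=1):
    """Constructed sample: a periodic polling load with Gaussian jitter.
    burst_len=0 yields a clean series; otherwise an additive burst (e.g. a
    scan or flood) is injected starting at index burst_at."""
    rng = random.Random(seed)
    series = [10.0 + 5.0 * math.sin(2 * math.pi * t / period) + rng.gauss(0, 0.3)
              for t in range(period * cycles)]
    for t in range(burst_at, burst_at + burst_len):
        series[t] += burst_size
    return series


def _znorm(window):
    """z-normalise one subsequence so shape, not level, is compared."""
    mean = sum(window) / len(window)
    sd = math.sqrt(sum((x - mean) ** 2 for x in window) / len(window))
    if sd < 1e-9:          # flat window: z-normalisation undefined, use zeros
        return [0.0] * len(window)
    return [(x - mean) / sd for x in window]


def matrix_profile(series, m):
    """For every length-m subsequence, the distance to its nearest neighbour
    outside the exclusion zone. Returns (profile, nearest_neighbour_index)."""
    n = len(series) - m + 1
    subs = [_znorm(series[i:i + m]) for i in range(n)]
    exclusion = m // 2     # ignore neighbours overlapping the query too much
    profile, index = [], []
    for i in range(n):
        best, best_j = math.inf, -1
        for j in range(n):
            if abs(i - j) <= exclusion:
                continue
            d = math.sqrt(sum((a - b) ** 2 for a, b in zip(subs[i], subs[j])))
            if d < best:
                best, best_j = d, j
        profile.append(best)
        index.append(best_j)
    return profile, index


def top_discord(series, m):
    """Index and score of the subsequence with the largest profile value,
    i.e. the window least similar to anything else in the series."""
    profile, _ = matrix_profile(series, m)
    i = max(range(len(profile)), key=profile.__getitem__)
    return i, profile[i]


if __name__ == "__main__":
    m = 20   # assumed window length: one polling period of the synthetic load
    clean = synthetic_polling_series(burst_len=0)
    attacked = synthetic_polling_series()
    print("clean   discord (index, score):", top_discord(clean, m))
    print("attacked discord (index, score):", top_discord(attacked, m))
```

On the clean series every window has a near twin one period away, so the profile stays low everywhere; on the attacked series the windows overlapping the burst have no comparable neighbour and the top discord lands inside the burst. This is what makes the method nearly parameter-free in practice: only the window length `m` (naturally the polling period) has to be chosen, and a detection threshold can be set from the profile values observed on attack-free data.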
