A Comparison of Unsupervised Learning Algorithms for Intrusion Detection in IEC 104 SCADA Protocol

Anwar, Mahwish; Borg, Anton; Lundberg, Lars

doi:10.1109/icmlc54886.2021.9737267

Cited by 2 publications

(9 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The supervised and semi-supervised machine learning methods for IEC 104 SCADA protocol outperformed signature-based intrusion detection, and unsupervised learning (Egger et al 2020). Later, systematic performance evaluation of IEC 104 anomaly detection with unsupervised learning approaches was accomplished in Anwar et al (2021). Both studies (Egger et al 2020;Anwar et al 2021), utilised the same IEC 104 dataset.…”

Section: Anomaly Detection In Scada Communication Networkmentioning

confidence: 99%

“…The learning algorithm is also an acknowledged choice for intrusion detection in the SCADA network (Rakas et al 2020). Furthermore, recent works on standard SCADA-specific protocol (IEC 104) relayed the algorithm's stable performance for detecting different attacks (Egger et al 2020;Anwar et al 2021). Egger et al (2020) compared intrusion detection of the signature-based method with machine learning methods.…”

Section: Introductionmentioning

confidence: 99%

“…Supervised and semisupervised (with one-class SVM) learning performed better intrusion detection, while Snort signature-based gave worse (Egger et al 2020). The same protocol dataset is systematically evaluated with other learning algorithms in Anwar et al (2021). Mahwish et al evaluated the SCADA network intrusion detection ability of distance-based, density-based, and kernel-based learning methods in an unsupervised setting for IEC 104 communication protocol.…”

Section: Introductionmentioning

confidence: 99%

“…The comparison of detection methods revealed that on average one-class SVM method performs steadily for the given SCADA protocol data in reference to other candidate learning methods. In the current work, we draw a comparison with study (Anwar et al 2021). Realising the predictable and steady performance of one-class SVM for SCADA protocol and its ability to segregate communication network data, we intend to amplify the outlier detection capability of one-class SVM for the IEC 104 protocol.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Improving anomaly detection in SCADA network communication with attribute extension

2022

Self Cite

View full text Add to dashboard Cite

Network anomaly detection for critical infrastructure supervisory control and data acquisition (SCADA) systems is the first line of defense against cyber-attacks. Often hybrid methods, such as machine learning with signature-based intrusion detection methods, are employed to improve the detection results. Here an attempt is made to enhance the support vector-based outlier detection method by leveraging behavioural attribute extension of the network nodes. The network nodes are modeled as graph vertices to construct related attributes that enhance network characterisation and potentially improve unsupervised anomaly detection ability for SCADA network. IEC 104 SCADA protocol communication data with good domain fidelity is utilised for empirical testing. The results demonstrate that the proposed approach achieves significant improvements over the baseline approach (average $$F_{1}$$ F 1 score increased from 0.6 to 0.9, and Matthews correlation coefficient (MCC) from 0.3 to 0.8). The achieved outcome also surpasses the unsupervised scores of related literature. For critical networks, the identification of attacks is indispensable. The result shows an insignificant missed-alert rate ($$0.3\%$$ 0.3 % on average), the lowest among related works. The gathered results show that the proposed approach can expose rouge SCADA nodes reasonably and assist in further pruning the identified unusual instances.

show abstract

Section: Anomaly Detection In Scada Communication Networkmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Improving anomaly detection in SCADA network communication with attribute extension

2022

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the area of statistically based anomaly detection on IEC-104, the work in [38] presents a 3-value detection method that independently compares the number of packets transmitted in three consecutive time windows against a statistical profile and reports anomalies when a deviation from the specified range is detected. To address the problem of missing labeled data, the work of [39] explores the use of unsupervised machine learning on IEC-104, in particular, one-class support vector machines, isolation forest, histogram-based outlier detection, and k-nearest neighbor are investigated.…”

Section: Related Workmentioning

confidence: 99%

On specification-based cyber-attack detection in smart grids

et al. 2022

View full text Add to dashboard Cite

The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.

show abstract

A Comparison of Unsupervised Learning Algorithms for Intrusion Detection in IEC 104 SCADA Protocol

Cited by 2 publications

References 11 publications

Improving anomaly detection in SCADA network communication with attribute extension

Improving anomaly detection in SCADA network communication with attribute extension

On specification-based cyber-attack detection in smart grids

Contact Info

Product

Resources

About