A Review of Anomaly Detection Strategies to Detect Threats to Cyber-Physical Systems
Nicholas Jeffrey, Qing Tan, José R. Villar
Abstract: Cyber-Physical Systems (CPS) are integrated systems that combine software and physical components. CPS has experienced rapid growth over the past decade in fields as disparate as telemedicine, smart manufacturing, autonomous vehicles, the Internet of Things, industrial control systems, smart power grids, remote laboratory environments, and many more. With the widespread integration of Cyber-Physical Systems (CPS) in various aspects of contemporary society, the frequency of malicious assaults carried out by adv…
“…This paper proposes a novel Ensemble Learning-Based Hybrid Anomaly Detection Method comprised of signature-based detection for known threats, threshold-based metrics for the immutable physical characteristics of a CPS, combined with an ensemble-based learning model for behaviour-based anomaly detection, with the goal of improved predictive performance over those of the existing anomaly detection methods, which is demonstrated using two public research datasets (Edge-IIoTset2023 and CICIoT2023). This paper builds upon previous works [14][15][16] by the authors of this paper, furthering the development of a generalizable framework for threat detection in CPS environments that can be applied in a broad variety of CPS environments through the use of EL to overcome weaknesses in existing threat detection models.…”
Section: Introduction
“…While anomaly detection is a common area of study in ML, there has been limited attention given to threat detection to CPS environments, and less still in the specific area of EL as a strategy for improving accuracy in threat detection to CPSs. Interested readers on this topic may find this review paper [15] worth reading.…”
The swift embrace of Industry 4.0 paradigms has led to the growing convergence of Information Technology (IT) networks and Operational Technology (OT) networks. Traditionally isolated on air-gapped and fully trusted networks, OT networks are now becoming more interconnected with IT networks due to the advancement and applications of IoT. This expanded attack surface has led to vulnerabilities in Cyber–Physical Systems (CPSs), resulting in increasingly frequent compromises with substantial economic and life safety repercussions. The existing methods for the anomaly detection of security threats typically use simple threshold-based strategies or apply Machine Learning (ML) algorithms to historical data for the prediction of future anomalies. However, due to the high levels of heterogeneity across different CPS environments, minimizing the opportunities for transfer learning, and the scarcity of real-world data for training, the existing ML-based anomaly detection techniques suffer from a poor predictive performance. This paper introduces a hybrid anomaly detection approach designed to identify threats to CPSs by combining the signature-based anomaly detection typically utilized in IT networks, the threshold-based anomaly detection typically utilized in OT networks, and behavioural-based anomaly detection using Ensemble Learning (EL), which leverages the strengths of multiple ML algorithms against the same dataset to increase the accuracy. Multiple public research datasets were used to validate the proposed approach, with the hybrid methodology employing a divide-and-conquer strategy to offload the detection of certain cyber threats to computationally inexpensive signature-based and threshold-based methods using domain knowledge to minimize the size of the behavioural-based data needed for ML model training, thus achieving a higher accuracy over a reduced timeframe. 
The experimental results showed accuracy improvements of 4–7% over those of the conventional ML classifiers in performing anomaly detection across multiple datasets, which is particularly important to the operators of CPS environments due to the high financial and life safety costs associated with interruptions to system availability.
“…Anomaly detection in multivariate time series data is crucial for various applications, from network intrusion detection in cybersecurity to identifying faulty equipment in industrial settings [31,32,33,34,35]. Unlike univariate time series that analyze a single variable over time, multivariate time series deal with multiple interrelated variables [36,37,38,39,40,41,42], providing a richer picture of the underlying processes [43,44,45,46,47].…”
Background and Motivation: The ever-expanding Internet of Things (IoT) landscape presents a double-edged sword. While it fosters interconnectedness, the vast amount of data generated by IoT devices creates a larger attack surface for cybercriminals. Intrusions in these environments can have severe consequences. To combat this growing threat, robust intrusion detection systems (IDS) are crucial. The data comprised by this attack is multivariate, highly complex, non-stationary, and nonlinear. To extract the complex patterns from this complex data, we require the most robust, optimized tools. Methods: Machine learning (ML) and deep learning (DL) have emerged as powerful tools for IDSs, offering high accuracy in detecting and preventing security breaches. This research delves into anomaly detection, a technique that identifies deviations from normal system behavior, potentially indicating attacks. Given the complexity of anomaly data, we explore methods to improve detection performance. Proposed Approach: This research investigates the design and evaluation of a novel IDS. We leverage and optimize supervised ML methods like tree-based Support Vector Machines (SVM), ensemble methods, and neural networks (NN) alongside the cutting-edge DL approach of long short-term memory (LSTM) and vision transformers (ViT). We optimized the hyperparameters of these algorithms using a robust Bayesian optimization approach. Results: The implemented ML models achieved impressive training accuracy, with Random Forest and Ensemble Bagged Tree surpassing 99.90% of accuracy, an AUC of 1.00, an F1-score, and a balanced Matthews Correlation Coefficient (MCC) of 99.78%. While the initial deep learning LSTM model yielded an accuracy of 99.97%, the proposed ViT architecture significantly boosted performance with 100% of all metrics, along with a validation accuracy of 78.70% and perfect training accuracy.
Conclusion: Our findings demonstrate the potential of the proposed methods for enhanced attack and intrusion detection. This improved detection capability can be instrumental in safeguarding system integrity, identifying fraudulent activity, and optimizing system performance in IoT networks.
“…To mitigate the weaknesses of individual detection methods, many cybersecurity professionals and teams should follow the same path of hybrid method detection that combines several detection techniques. Hybrid systems leverage signature-based, anomaly-based, and behaviour-based detection strengths to enhance robustness and accuracy Jeffrey et al. (2023). For instance, a hybrid system might use signatory-based detection systems for known threats, anomalous intrusion systems to uncover peculiar traffic patterns and user activity-monitoring intrusion systems.…”
Section: Limitations, Strengths and Weaknesses of Cyber-attacks
In today's digital landscape, cybersecurity has become a critical concern due to the increasing sophistication of cyber threats. Traditional cybersecurity measures are often inadequate against evolving attacks, necessitating the development of comprehensive and adaptive threat mitigation frameworks. This study aims to address this gap by proposing a robust cybersecurity framework that integrates advanced technologies such as artificial intelligence (AI), machine learning (ML), and blockchain to enhance threat detection, response, and recovery capabilities. The framework adopts a layered defense mechanism, real-time monitoring, and proactive threat hunting to provide a holistic approach to cybersecurity. By examining current methodologies and identifying their limitations, this research highlights the necessity for enhanced threat mitigation strategies. Through a mixed-methods approach involving online surveys and literature review, the study develops a flexible, scalable, and adaptive framework capable of countering sophisticated cyber threats. Key recommendations include adopting advanced technologies, continuous training, enhancing threat intelligence sharing, implementing a layered defense strategy, and conducting regular security audits. This comprehensive framework aims to improve organizational resilience, ensuring the safety and integrity of digital environments in the face of an ever-evolving cyber threat landscape.