Automated detection-in-depth in industrial control systems

Jadidi, Zahra; Foo, Ernest; Hussain, Mukhtar; Fidge, Colin

doi:10.1007/s00170-021-08001-6

Cited by 13 publications

(15 citation statements)

References 45 publications

(64 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In formulas (3) and ( 4), X, Y ∈ fA, B, Cg, X ≠ Y, I R * ABC,X , and I R * ABC,Y are the averages of vectors I R * ABC,X and I R * ABC,Y , respectively. If none of the column vectors I A , I B , and I C has the same value, the value of I R * ABC will be an integer [9]. Equation ( 4) can be simplified as…”

Section: Anomaly Data Collection Detection Model Using Tmentioning

confidence: 99%

“…In equations ( 9) and (10), n is the degree of freedom of the t distribution. The t distribution probability density function is used to determine the thresholds for hypothesis testing of the t statistics shown in Figure 2; i.e., t α ðN − 2Þ is the threshold with significance level equal to α and degrees of freedom equal to N − 2, which can be derived from equation (9). ð +∞…”

Section: Anomaly Data Collection Detection Model Using Tmentioning

confidence: 99%

See 1 more Smart Citation

Operational Status Monitoring and Fault Diagnosis System of Transformer Equipment

Yuan

Zhang

2022

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

In order for valuable distribution transformer data to provide a potential solution for monitoring abnormal conditions, the authors propose a data-driven abnormal state monitoring data acquisition algorithm for distribution network transformers. The algorithm can alert operators and maintenance personnel of abnormal conditions in a timely manner. In the proposed algorithm, the Spearman rank correlation coefficient is used to display the correlation between phase currents, and its t statistic is used to determine whether there is an abnormality in the determined data collection based on hypothesis testing. Finally, the effectiveness of the proposed algorithm is verified by using the actual data collected from the power grid, and the characteristics of normal and abnormal conditions are analyzed separately. Sensitivity analyses were performed for different significance levels and sampling rates to consider their impact on monitoring results. The application results show that the power grid recovered a total of 12.98 million yuan from 136 households with a power consumption of 17.57 GWh, proving the practicability of the algorithm. Conclusion. The application in the actual power system is given, and the feasibility of the algorithm is proved.

show abstract

Section: Anomaly Data Collection Detection Model Using Tmentioning

confidence: 99%

Section: Anomaly Data Collection Detection Model Using Tmentioning

confidence: 99%

Operational Status Monitoring and Fault Diagnosis System of Transformer Equipment

Yuan

Zhang

2022

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

show abstract

“…Jadidi et al [29] proposed a multi-layer anomaly detector known as AFAD. The system was made up of two main parts: a lightweight network-based anomaly detector using hierarchical cluster analysis on Netflow data and a physical anomaly detector using an Autoregressive Integrated Moving Average (ARIMA)/Generalized AutoRegressive Conditional Heteroskedasticity (GARCH) predictor for time-series forecasting of sensor readings.…”

Section: Related Workmentioning

confidence: 99%

Anomaly Detection for a Water Treatment System Based on One-Class Neural Network

2022

View full text Add to dashboard Cite

The prevalence of Internet-of-Things (IoT) technologies and the ubiquity of networked sensors and actuators in many industrial control systems (ICS) have led to the exposure of critical infrastructure in our society to malicious activities and cyber threats. Programmable logic controllers (PLCs) are embedded devices that automate ICS processes. PLCs, which serve as the heart of ICS, are vulnerable to attacks and system malfunctions like other embedded devices. Because PLCs are widely used to control ICS physical processes, attacks against PLCs can cause irreparable damage to enterprises and even loss of life. However, due to the unique and proprietary architecture of PLCs, it is not easy to apply traditional tools and techniques for PLC protection. This work presents an unsupervised learning approach for anomaly detection in ICS based on neural networks with one class objective function and additional regularization term. This technique combines the abilities of neural networks to learn complex relationships with a one-class objective function and a regularization term for separating normal conditions from anomalous operations. The newly introduced regularization term provides a model-tuning mechanism based on specific industrial requirements and performance metrics of interest (i.e., precision or recall). The model was evaluated on a recent real-world ICS dataset: the Secure Water Treatment (SWaT) dataset. The proposed technique's performance is compared with previous work, showing improvements in terms of scalability and attack detection capability, proving that the proposed technique is suitable for use in real ICS scenarios. The proposed method with the regularization term demonstrated superior recall values in 15 out of the 36 attack scenarios in the SWaT dataset, which is the largest of any published methods in the literature. A qualitative analysis of the proposed technique on the SWaT security showdown event data further proves the technique's high anomaly detection ability on real-time injected attacks.INDEX TERMS Anomaly detection, artificial neural networks, cyber-physical system, cybersecurity, industrial control systems.

show abstract

“…Other automated solutions have utilised the MITRE framework to perform threat hunting and detect APTs. For instance, [2] and [24] employed MITRE ATT&CK for Enterprise to detect threats. Proposal [24] further used statistical analysis based on MITRE ATT&CK to learn APT TTPs to predict the future techniques that the adversary may perform.…”

Section: Related Workmentioning

confidence: 99%

“…An ICS adversary often practices different actions to exploit these vulnerabilities, pass the border between Information Technology (IT) and Operational Technology (OT) networks and launch a targeted attack against ICS networks. Many organisations use cyber threat hunting to detect hidden intrusions before they cause a significant breach proactively [2]. Hunting aims to detect threat actors early in the cyber kill chain by searching for signs of an intrusion and then providing hunting strategies for future use [3].…”

Section: Introductionmentioning

confidence: 99%

Design and Development of Automated Threat Hunting in Industrial Control Systems

Arafune¹,

Sidharth²,

Luigi³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Traditional industrial systems, e.g., power plants, water treatment plants, etc., were built to operate highly isolated and controlled capacity. Recently, Industrial Control Systems (ICSs) have been exposed to the Internet for ease of access and adaptation to advanced technologies. However, it creates security vulnerabilities. Attackers often exploit these vulnerabilities to launch an attack on ICSs. Towards this, threat hunting is performed to proactively monitor the security of ICS networks and protect them against threats that could make the systems malfunction. A threat hunter manually identifies threats and provides a hypothesis based on the available threat intelligence. In this paper, we motivate the gap in lacking research in the automation of threat hunting in ICS networks. We propose an automated extraction of threat intelligence and the generation and validation of a hypothesis. We present an automated threat hunting framework based on threat intelligence provided by the ICS MITRE ATT&CK framework to automate the tasks. Unlike the existing hunting solutions which are cloud-based, costly and prone to human errors, our solution is a central and opensource implemented using different open-source technologies, e.g., Elasticsearch, Conpot, Metasploit, Web Single Page Application (SPA), and a machine learning analyser. Our results demonstrate that the proposed threat hunting solution can identify the network's attacks and alert a threat hunter with a hypothesis generated based on the techniques, tactics, and procedures (TTPs) from ICS MITRE ATT&CK. Then, a machine learning classifier automatically predicts the future actions of the attack.

show abstract

Automated detection-in-depth in industrial control systems

Cited by 13 publications

References 45 publications

Operational Status Monitoring and Fault Diagnosis System of Transformer Equipment

Operational Status Monitoring and Fault Diagnosis System of Transformer Equipment

Anomaly Detection for a Water Treatment System Based on One-Class Neural Network

Design and Development of Automated Threat Hunting in Industrial Control Systems

Contact Info

Product

Resources

About