Double Behavior Characteristics for One-Class Classification Anomaly Detection in Networked Control Systems

Abstract: Abstract-Due to the growing dependencies of information network technology, networked control systems are undergoing a severe blow of cyberattacks, and simply modeling cyberattacks is inadequate and impractical for the detection requirements, because of various vulnerabilities in these systems and the diversities of cyberattacks. Actually, a feasible viewpoint is to identify misbehaviors by constructing a normal model of industrial communication behaviors. However, one of the chief difficulties is how to compl… Show more

“…Actually, the basic industrial control operations of existing DCS (Distributed Control System), SCADA (Supervisory Control And Data Acquisition), and PLC (Programmable Logic Controller) range over two aspects: function control and data acquisition [8,15]. As an essential link in industrial process automation, function control always performs a series of well-organized and synergetic operations in industrial production and manufacture.…”

“…In the device-oriented cases, trusted computing for industrial embedded devices [16] is a burgeoning security technology to provide system integrity check and data confidentiality protection. In the network-oriented cases, industrial firewall [11,17] and intrusion detection [15,18,19] are the typical applications in industrial control networks to improve the communication security. However, because we have not understood the boundary conditions between the availability and security of industrial control systems, the cases on trusted computing and industrial firewall may result in the processing delay or transmission delay in industrial process automation.…”

“…Furthermore, the normal models or profiles are built from multivariate training data, and the corresponding anomaly detection is realized by using the mechanism of classification or optimization. Actually, the computational intelligence techniques have been attracting great interests of both industry and academia, and many computational intelligence approaches have been researched, mainly including SVM (Support Vector Method) [15,24,25], neural network [26], decision trees [27], genetic algorithm [27,28], and clustering technique [29]. Although the computational intelligence-based techniques have the relatively high computational overhead, they can achieve better performance in detection, tolerance, and generality [14].…”

“…Although the computational intelligence-based techniques have the relatively high computational overhead, they can achieve better performance in detection, tolerance, and generality [14]. Additionally, these approaches can not only detect known attacks with high detection efficiency, but also have a better function in identifying new intrusion modes [15]. It is worth mentioning that our approach belongs to the computational intelligence ones.…”

“…Step 1 (function code sequence preprocessing). Like our prior work in [15], in order to associate time characteristics with function control activities, we first parse the captured function control packets in depth and obtain the function code sequence = 1 2 3 ⋅ ⋅ ⋅ in every interval (here, is the serial number of every function code in ). The function code sequence set = { 1 , 2 , ⋅ ⋅ ⋅ , } in the interval ( = ∑ =1 ) can consist of all function code sequences ( = 1, ⋅ ⋅ ⋅ , ), and all sequence dimensions in can separate from each other because of the different in each sequence.…”

Function-Aware Anomaly Detection Based on Wavelet Neural Network for Industrial Control Communication

“…Actually, the basic industrial control operations of existing DCS (Distributed Control System), SCADA (Supervisory Control And Data Acquisition), and PLC (Programmable Logic Controller) range over two aspects: function control and data acquisition [8,15]. As an essential link in industrial process automation, function control always performs a series of well-organized and synergetic operations in industrial production and manufacture.…”

“…In the device-oriented cases, trusted computing for industrial embedded devices [16] is a burgeoning security technology to provide system integrity check and data confidentiality protection. In the network-oriented cases, industrial firewall [11,17] and intrusion detection [15,18,19] are the typical applications in industrial control networks to improve the communication security. However, because we have not understood the boundary conditions between the availability and security of industrial control systems, the cases on trusted computing and industrial firewall may result in the processing delay or transmission delay in industrial process automation.…”

“…Furthermore, the normal models or profiles are built from multivariate training data, and the corresponding anomaly detection is realized by using the mechanism of classification or optimization. Actually, the computational intelligence techniques have been attracting great interests of both industry and academia, and many computational intelligence approaches have been researched, mainly including SVM (Support Vector Method) [15,24,25], neural network [26], decision trees [27], genetic algorithm [27,28], and clustering technique [29]. Although the computational intelligence-based techniques have the relatively high computational overhead, they can achieve better performance in detection, tolerance, and generality [14].…”

“…Although the computational intelligence-based techniques have the relatively high computational overhead, they can achieve better performance in detection, tolerance, and generality [14]. Additionally, these approaches can not only detect known attacks with high detection efficiency, but also have a better function in identifying new intrusion modes [15]. It is worth mentioning that our approach belongs to the computational intelligence ones.…”

“…Step 1 (function code sequence preprocessing). Like our prior work in [15], in order to associate time characteristics with function control activities, we first parse the captured function control packets in depth and obtain the function code sequence = 1 2 3 ⋅ ⋅ ⋅ in every interval (here, is the serial number of every function code in ). The function code sequence set = { 1 , 2 , ⋅ ⋅ ⋅ , } in the interval ( = ∑ =1 ) can consist of all function code sequences ( = 1, ⋅ ⋅ ⋅ , ), and all sequence dimensions in can separate from each other because of the different in each sequence.…”

Function-Aware Anomaly Detection Based on Wavelet Neural Network for Industrial Control Communication

Survey on Building Block Technologies

Engineering Edge Security in Industrial Control Systems