Evaluation of Anomaly Detection techniques for SCADA communication resilience

Shirazi, Syed Noorulhassan; Gouglidis, Antonios; Syeda, Kanza Noor; Simpson, Steven; Mauthe, Andreas; Stephanakis, Ioannis M.; Hutchison, David

doi:10.1109/rweek.2016.7573322

Cited by 40 publications

(26 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…But, their ability in detecting anomalies is still considerably lower than ours. The other four models have relatively poor performance mainly [52], but we notice that the precision, recall and F1-score do not match for the PCA-SVD model). We also depict the detected ratio (recall) of anomalous packages in each attack type by all models in Table V.…”

Section: Comparison With Other Anomaly Detection Modelsmentioning

confidence: 87%

“…Furthermore, we also compare the results with two unsupervised models (where training dataset contains anomalies but whether a package is normal or abnormal is not labelled) which are a Gaussian Mixture Model (GMM) and a Principal Component Analysis with Singular Value Decomposition model (PCA-SVD) that are directly taken from [52] since the authors have already used them for anomaly detection on the same gas pipeline dataset.…”

Section: Comparison With Other Anomaly Detection Modelsmentioning

confidence: 99%

See 1 more Smart Citation

Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks

Feng

Chana

2017

2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

165

View full text Add to dashboard Cite

We outline an anomaly detection method for industrial control systems (ICS) that combines the analysis of network package contents that are transacted between ICS nodes and their time-series structure. Specifically, we take advantage of the predictable and regular nature of communication patterns that exist between so-called field devices in ICS networks. By observing a system for a period of time without the presence of anomalies we develop a base-line signature database for general packages. A Bloom filter is used to store the signature database which is then used for package content level anomaly detection. Furthermore, we approach time-series anomaly detection by proposing a stacked Long Short Term Memory (LSTM) networkbased softmax classifier which learns to predict the most likely package signatures that are likely to occur given previously seen package traffic. Finally, by the inspection of a real dataset created from a gas pipeline SCADA system, we show that an anomaly detection scheme combining both approaches can achieve higher performance compared to various current stateof-the-art techniques.

show abstract

Section: Comparison With Other Anomaly Detection Modelsmentioning

confidence: 87%

Section: Comparison With Other Anomaly Detection Modelsmentioning

confidence: 99%

Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks

Feng

Chana

2017

2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

165

View full text Add to dashboard Cite

show abstract

“…Researchers in [4][5][6][7][8][9] find interesting functional and algorithmic solutions for the resilience of SCADA system that has suffered from a cyberattack. In [5], the authors consider three types of FDI (Fault Data Integrity) attacks on SCADA ( Fig.1): 1) on a separate sensor; 2) on a communication channel; 3) on a real-time database, and suggest the ways to enhance the SCADA resilience by creating a protective system of cyber-physical (CP) agents.…”

Section: Scada Cyber Resiliencementioning

confidence: 99%

“…Therefore, the requirements for processing the data subject to cyberattacks are increasing. For example, in [8] the authors consider new algorithms for solving the cyber resilience problem:  A resilience control algorithm that provides protection at the level of control system by increasing the application security;  Algorithms for resistance to intrusion and detection of anomalies that can classify measurements and commands into good and bad in the sense of their application;  Protection algorithms, that take into account the attacker's knowledge about the network functioning;  Smart Grid control algorithms that are capable to maintain the system within stability limits during an emergency (the most critical to cyberattacks).…”

Section: Scada Cyber Resiliencementioning

confidence: 99%

Cyber Resilience of SCADA at the Level of Energy Facilities

Kolosok

Korkina

2018

Proceedings of the VTH International Workshop "Critical Infrastructures: Contingency Management, Intelligent, Agent-Based, Clou

View full text Add to dashboard Cite

SCADA systems are widespread in the energy industry: the automated dispatch control of electric power systems is supported by SCADA along with the automatic control. Today, the consequences of cyberattacks on the information subsystem of the control system are especially dangerous. SCADA, being an information-technical system that plays the most important role in the control system of a power facility, should be resilient to different cyber threats.

show abstract

“…Methods of machine learning usually reduce the problem of ICS intrusion detection to one of standard tasks of machine learning, namely, classification, clustering, or detection of anomalies. The results of applying some classical machine learning algorithms (K-means, Naive Bayesian, GMM, PCA-SVD) are presented in [9] using the example of the Gas Pipeline dataset. Fully connected evolutionary based neural networks are used in [10] to detect anomalies.…”

Section: Introductionmentioning

confidence: 99%

Applying methods of machine learning in the task of intrusion detection based on the analysis of industrial process state and ICS networking

Sokolov¹,

Pyatnitsky²,

Alabugin³

2019

FME Transactions

View full text Add to dashboard Cite

Modern industrial control systems (ICS) are increasingly becoming targets of cyber attacks. Traditional security tools based on a signature approach are not always able to detect a new attack, the signature of which has not yet been described. In particular, this occurs during targeted attacks on industrial facilities. Cyber attacks can cause anomalies in the operation of an industrial control system and process equipment under its control. Therefore, to detect attacks, it is advisable to use an approach based on the detection of anomalies. A reasonable way to implement this approach is to use machine learning techniques. The paper deals with the most common methods of machine learning (decision tree algorithms, linear algorithms, support vector machine) and neural networks. To assess their applicability in the problem of detection of ICS anomalies, the Additional Tennessee Eastman Process Simulation Data for Anomaly Detection Evaluation and Gas Pipeline datasets were used.

show abstract

Evaluation of Anomaly Detection techniques for SCADA communication resilience

Cited by 40 publications

References 11 publications

Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks

Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks

Cyber Resilience of SCADA at the Level of Energy Facilities

Applying methods of machine learning in the task of intrusion detection based on the analysis of industrial process state and ICS networking

Contact Info

Product

Resources

About