Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks

Feng, Chengjian; Li, Tingting; Chana, Deeph

doi:10.1109/dsn.2017.34

Cited by 182 publications

(126 citation statements)

References 38 publications

Supporting

Mentioning

105

Contrasting

Unclassified

Order By: Relevance

“…Anomalies in the data are detected with a plethora of different approaches. Schneider et al use autoencoders to detect anomalies in cyber-physical system networks [25], Goh et al and Feng et al use neural networks for the detection [12,14]. One class support vector machines are presented by Maglaras et al as a machine learning algorithm to detect novel and unknown attacks [21].…”

Section: Anomaly Detection In Time Seriesmentioning

confidence: 99%

Security in Process: Visually Supported Triage Analysis in Industrial Process Data

Lohfink

Antón

Schotten

et al. 2020

IEEE Trans. Visual. Comput. Graphics

View full text Add to dashboard Cite

Fig. 1. Overview of our visualization system: To support triage analysis in OT-networks, our visualization combines sensor readings with results from an anomaly detection algorithm. Spiral plots encode readings and detection results in color and line thickness respectively. An overview of the complete time frame is provided in a time slider and anomalies are highlighted.Abstract-Operation technology networks, i.e. hard-and software used for monitoring and controlling physical/industrial processes, have been considered immune to cyber attacks for a long time. A recent increase of attacks in these networks proves this assumption wrong. Several technical constraints lead to approaches to detect attacks on industrial processes using available sensor data. This setting differs fundamentally from anomaly detection in IT-network traffic and requires new visualization approaches adapted to the common periodical behavior in OT-network data. We present a tailored visualization system that utilizes inherent features of measurements from industrial processes to full capacity to provide insight into the data and support triage analysis by laymen and experts. The novel combination of spiral plots with results from anomaly detection was implemented in an interactive system. The capabilities of our system are demonstrated using sensor and actuator data from a real-world water treatment process with introduced attacks. Exemplary analysis strategies are presented. Finally, we evaluate effectiveness and usability of our system and perform an expert evaluation.

show abstract

Section: Anomaly Detection In Time Seriesmentioning

confidence: 99%

Security in Process: Visually Supported Triage Analysis in Industrial Process Data

Lohfink

Antón

Schotten

et al. 2020

IEEE Trans. Visual. Comput. Graphics

View full text Add to dashboard Cite

show abstract

“…Alves et al goes on to propose and develop an architecture with ML embedded as an Intrusion Prevention System (IPS) on a PLC. Feng et al (2017) applies a type of Recurrent Neural Network (RNN) called Long Short-Term Memory (LSTM) to ICS traffic using Modbus, to learn packet sequences of ICS traffic and provide an intrusion detection system (IDS). LSTM incorporates inter-packet dependency, therefore provides a temporal context, and the network traffic is between controllers and devices (e.g., actuators and sensors), rather than solely PLC programming request messages.…”

Section: Machine Learningmentioning

confidence: 99%

“…This raises the possibility that the maintainer might trigger activity which has adverse effects; it is desirable to mitigate this risk through monitoring and alerts. There have been a number of efforts to identify anomalous activity using machine learning of network traffic, for example Dada et al (2017), Feng et al (2017) and Wang et al (2017). This approach has been applied primarily to common and open protocols, often for intrusion detection, but the authors believe it is equally applicable to proprietary and niche industrial protocols such as used in ICS, and for another purpose: maintenance supervision.…”

Section: Introductionmentioning

confidence: 99%

Industrial Control System Defence: Debugging ICS Maintenance Network Traffic

Smith

Wedgbury

Biondi

et al. 2019

Electronic Workshops in Computing

View full text Add to dashboard Cite

Industrial Control System (ICS) third-party maintenance introduces security risk into an organisation, as access is granted for performance of named maintenance tasks on industrial equipment, but there is currently no fine-grained way to monitor the activity. This paper applies Machine Learning to ICS network traffic, in order to alert operational staff to unauthorised activity. The work describes a method for identifying deviations, by characterising network traffic purpose, and applying software to dissect, learn and monitor maintenance traffic, then presenting results in a chart.

show abstract

“…Veracini et al [11] presented an anomaly detection strategy for hyperspectral imagery based on a fully unsupervised Gaussian mixture learning. Feng et al [12] outlined an anomaly detection method for industrial control systems that combines the analysis of network package contents and their time-series structure. Kumar [13] applied parallel and distributed anomaly detection algorithms to detect sophisticated cyberattacks on large-scale networks.…”

Section: Anomaly Detectionmentioning

confidence: 99%

A New Anomaly Detection System for School Electricity Consumption Data

Cui

Wang

2017

Information

View full text Add to dashboard Cite

Anomaly detection has been widely used in a variety of research and application domains, such as network intrusion detection, insurance/credit card fraud detection, health-care informatics, industrial damage detection, image processing and novel topic detection in text mining. In this paper, we focus on remote facilities management that identifies anomalous events in buildings by detecting anomalies in building electricity consumption data. We investigated five models within electricity consumption data from different schools to detect anomalies in the data. Furthermore, we proposed a hybrid model that combines polynomial regression and Gaussian distribution, which detects anomalies in the data with 0 false negative and an average precision higher than 91%. Based on the proposed model, we developed a data detection and visualization system for a facilities management company to detect and visualize anomalies in school electricity consumption data. The system is tested and evaluated by facilities managers. According to the evaluation, our system has improved the efficiency of facilities managers to identify anomalies in the data.

show abstract

Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks

Cited by 182 publications

References 38 publications

Security in Process: Visually Supported Triage Analysis in Industrial Process Data

Security in Process: Visually Supported Triage Analysis in Industrial Process Data

Industrial Control System Defence: Debugging ICS Maintenance Network Traffic

A New Anomaly Detection System for School Electricity Consumption Data

Contact Info

Product

Resources

About