Network anomaly detection for railway critical infrastructure based on autoregressive fractional integrated moving average

Abstract: The article proposes a novel two-stage network traffic anomaly detection method for the railway transportation critical infrastructure monitored using wireless sensor networks (WSN). The first step of the proposed solution is to find and eliminate any outlying observations in the analyzed parameters of the WSN traffic using a simple and fast one-dimensional quartile criterion. In the second step, the remaining data is used to estimate autoregressive fractional integrated moving average (ARFIMA) statistical mod… Show more

“…Information-Centric: If we examine the information used for the detection, then IDS systems can be further categorized into Host-based Intrusion Detection (HID) and Networkbased Intrusion Detection (NID). Host-based methods detect intrusions by examining data gathered from hosts, such as device memory, application logs [62,90,94,123,132,138,141], the change of system configuration [79], Network-based methods collect data from either a network, a hub or a router and detect anomalies at the source, destination, protocol and payload from network data [9,31,51,63,72,88,111,113,122]. Analysis-Centric: This category focuses on different analysis techniques for detecting outliers.…”

“…This system needs to be monitored at real-time. In [9], the traffic control data gathered from WSN (Wireless Sensor Network) is modeled using ARFIMA (Autoregressive Fractional Integrated Moving Average) technique, which analyzes the deviation between parameters of the network traffic and creates a statistical model for the system. The MLE (Maximum Likelihood Estimation) algorithm is used to detect the anomaly in this control system.…”

“…However, the physical testbed does not scale enough to verify the system, as the physical testbed scale down the real control system. According to Table 2 column feasibility, only four (4) out of fifty (50) approaches have deployed in the field [9,74,106,133]. Twelve (12) papers are tested on SCADA-specific testbed or implemented as a testing prototype, whereas the rest are evaluated using various machine learning framework (e.g., MATLAB [100], WEKA [101], ACCORD [111]) or a generic network simulator (e.g., hardware in the loop testbed [90]).…”

“…Thus, a single point of failure could easily stop the whole security system. For distributed solutions-SCADA DIDS, e.g., [9], [31], [32], [39], [62], [63], [72], [93], [113], [131], and [141], the validation of security and system resilience is a complex task. The formal method, which is used to design the critical system, could also be used to verify the security system (e.g., using the recovery model [18]) and further develop an optimization solution from security and resilience perspectives.…”

A Taxonomy of Supervised Learning for IDSs in SCADA Environments

“…Information-Centric: If we examine the information used for the detection, then IDS systems can be further categorized into Host-based Intrusion Detection (HID) and Networkbased Intrusion Detection (NID). Host-based methods detect intrusions by examining data gathered from hosts, such as device memory, application logs [62,90,94,123,132,138,141], the change of system configuration [79], Network-based methods collect data from either a network, a hub or a router and detect anomalies at the source, destination, protocol and payload from network data [9,31,51,63,72,88,111,113,122]. Analysis-Centric: This category focuses on different analysis techniques for detecting outliers.…”

“…This system needs to be monitored at real-time. In [9], the traffic control data gathered from WSN (Wireless Sensor Network) is modeled using ARFIMA (Autoregressive Fractional Integrated Moving Average) technique, which analyzes the deviation between parameters of the network traffic and creates a statistical model for the system. The MLE (Maximum Likelihood Estimation) algorithm is used to detect the anomaly in this control system.…”

“…However, the physical testbed does not scale enough to verify the system, as the physical testbed scale down the real control system. According to Table 2 column feasibility, only four (4) out of fifty (50) approaches have deployed in the field [9,74,106,133]. Twelve (12) papers are tested on SCADA-specific testbed or implemented as a testing prototype, whereas the rest are evaluated using various machine learning framework (e.g., MATLAB [100], WEKA [101], ACCORD [111]) or a generic network simulator (e.g., hardware in the loop testbed [90]).…”

“…Thus, a single point of failure could easily stop the whole security system. For distributed solutions-SCADA DIDS, e.g., [9], [31], [32], [39], [62], [63], [72], [93], [113], [131], and [141], the validation of security and system resilience is a complex task. The formal method, which is used to design the critical system, could also be used to verify the security system (e.g., using the recovery model [18]) and further develop an optimization solution from security and resilience perspectives.…”

A Taxonomy of Supervised Learning for IDSs in SCADA Environments

“…The article by Andrysiak et al entitled "Network anomaly detection for railway critical infrastructure based on autoregressive fractional integrated moving average" [19] proposes a novel two-stage network traffic anomaly detection method for the railway transportation critical infrastructure monitored using wireless sensor networks.…”

A brief overview of intelligent mobility management for future wireless mobile networks

Survey on Building Block Technologies