
Automated detection-in-depth in industrial control systems

  • ORIGINAL ARTICLE
  • The International Journal of Advanced Manufacturing Technology

Abstract

Legacy industrial control systems (ICSs) were not designed to be exposed to the Internet, and linking them to corporate networks has introduced a large number of cyber security vulnerabilities. Due to the distributed nature of ICS devices, a detection-in-depth strategy is required to simultaneously monitor the behaviour of multiple sources of ICS data. While a detection-in-depth method can detect attacks such as flooding attacks at an earlier phase, before the attacker reaches the end target, most research papers have focused on anomaly detection based on a single source of ICS data. Here, we present a detection-in-depth method for an ICS network. The new method is called automated flooding attack detection (AFAD) and consists of three stages: data acquisition, pre-processing, and a flooding anomaly detector. Data acquisition includes data collection from different sources such as programmable logic controller (PLC) logs and network traffic. We then generate NetFlow data to provide lightweight anomaly detection in ICS networks. NetFlow-based analysis has been used as a scalable method for anomaly detection in high-speed networks. It analyses only packet headers, it is an efficient method for detecting flooding attacks such as denial of service attacks, and its performance is not affected by encrypted data. However, it has not been sufficiently studied in industrial control systems. Besides NetFlow data, ICS device logs are a rich source of information that can be used to detect abnormal behaviour. Both NetFlow traffic and log data are processed in our pre-processing stage. The third stage of AFAD is anomaly detection, which consists of two parallel machine learning analysis methods that respectively analyse the behaviour of device logs and of NetFlow records. Due to the lack of sufficient labelled training datasets in most environments, an unsupervised predictor and an unsupervised clustering method are respectively used in the anomaly detection stage. We validated our approach using traffic captured in a factory automation dataset, a Modbus dataset, and the SWAT dataset. These datasets contain normal and abnormal data at both the physical and the network level. The performance of AFAD was compared with single-layer anomaly detection and with other studies. Results showed the high precision of AFAD in detecting flooding attacks.
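The abstract describes the NetFlow stage as header-only aggregation followed by an unsupervised check per behaviour source. The block below is an added Python illustration of that idea, not the authors' AFAD code and not trained on their datasets: it aggregates constructed packet headers into NetFlow-style 5-tuple records with an inactivity timeout, derives per-source features (flow count, share of single-packet flows, distinct source ports), and flags sources whose flow count is a robust outlier. The 5 s timeout, the feature set, the median/MAD score and the constructed traffic (four HMI stations polling a PLC on port 502 and one host opening many short connections) are all assumptions made for the example; the paper's own predictor and clustering method are not reproduced.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Assumption for this illustration: a flow record is closed after 5 s of inactivity.
FLOW_TIMEOUT_S = 5.0


@dataclass
class Packet:
    """Header fields a NetFlow exporter sees; the payload is never inspected."""
    ts: float
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    length: int


@dataclass
class Flow:
    """Unidirectional NetFlow-style record for one 5-tuple."""
    key: tuple
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def build_flows(packets, timeout=FLOW_TIMEOUT_S):
    """Aggregate packet headers into flow records keyed by
    (src, dst, proto, sport, dport). A packet arriving more than
    `timeout` seconds after the flow's last packet starts a new record."""
    active, finished = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        f = active.get(key)
        if f is not None and p.ts - f.last > timeout:
            finished.append(active.pop(key))
            f = None
        if f is None:
            f = Flow(key=key, first=p.ts, last=p.ts)
            active[key] = f
        f.packets += 1
        f.octets += p.length
        f.last = p.ts
    finished.extend(active.values())
    return finished


def source_features(flows):
    """Per-source features: flow count, share of single-packet flows and
    number of distinct source ports. Many short flows from many ports
    towards one service is the header-level signature of a flood."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[f.key[0]].append(f)
    return {
        src: {
            "flows": len(fl),
            "single_packet_ratio": sum(f.packets == 1 for f in fl) / len(fl),
            "sports": len({f.key[3] for f in fl}),
        }
        for src, fl in per_src.items()
    }


def flag_flooders(feats, k=3.0):
    """Unsupervised check: flag a source whose flow count lies more than
    k median-absolute-deviations above the median over all sources.
    This robust score is a stand-in for the paper's predictor/clustering."""
    counts = [v["flows"] for v in feats.values()]
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0  # avoid division by zero
    return sorted(src for src, v in feats.items() if (v["flows"] - med) / mad > k)


def constructed_traffic():
    """Constructed sample, not captured data: four HMI stations poll a PLC
    at 10.0.0.50:502 in steady sessions, and one host (10.0.0.99) opens
    40 single-packet connections from changing source ports in two seconds."""
    pkts = []
    for i, hmi in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]):
        for s in range(3 if i % 2 == 0 else 4):  # 3 or 4 polling sessions each
            for j in range(10):                   # one poll per second per session
                pkts.append(Packet(s * 20.0 + j, hmi, "10.0.0.50", 6, 40000 + s, 502, 66))
    for s in range(40):
        pkts.append(Packet(100.0 + s * 0.05, "10.0.0.99", "10.0.0.50", 6, 50000 + s, 502, 60))
    return pkts


if __name__ == "__main__":
    feats = source_features(build_flows(constructed_traffic()))
    for src, v in sorted(feats.items()):
        print(src, v)
    print("flagged:", flag_flooders(feats))
```

On the constructed input the HMI stations yield 3 or 4 multi-packet flows each, while 10.0.0.99 yields 40 single-packet flows from 40 source ports and is the only source flagged. Because the score is computed relative to the other sources in the same window rather than against a fixed threshold, it needs no labelled training data, which is the operational constraint the abstract cites for choosing unsupervised methods; the price is that a window in which every source floods would not stand out, which is why the paper pairs the flow-level check with device-log analysis.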




Acknowledgements

The authors acknowledge the support of the Commonwealth of Australia and Cybersecurity Research Centre Limited.

Funding

The research was supported by Commonwealth of Australia and Cybersecurity Research Centre.

Author information

Correspondence to Zahra Jadidi.


Cite this article

Jadidi, Z., Foo, E., Hussain, M. et al. Automated detection-in-depth in industrial control systems. Int J Adv Manuf Technol 118, 2467–2479 (2022). https://doi.org/10.1007/s00170-021-08001-6
