ABSTRACT
This paper presents a study on detecting cyber attacks on industrial control systems (ICS) using convolutional neural networks. The study was performed on a Secure Water Treatment testbed (SWaT) dataset, which represents a scaled-down version of a real-world industrial water treatment plant. We suggest a method for anomaly detection based on measuring the statistical deviation of the predicted value from the observed value. We applied the proposed method by using a variety of deep neural network architectures including different variants of convolutional and recurrent networks. The test dataset included 36 different cyber attacks. The proposed method successfully detected 31 attacks with three false positives thus improving on previous research based on this dataset. The results of the study show that 1D convolutional networks can be successfully used for anomaly detection in industrial control systems and outperform recurrent networks in this setting. The findings also suggest that 1D convolutional networks are effective at time series prediction tasks which are traditionally considered to be best solved using recurrent neural networks. This observation is a promising one, as 1D convolutional neural networks are simpler, smaller, and faster than the recurrent neural networks.
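The detection idea in the abstract, scoring how far the observed sensor value deviates statistically from the predicted one, can be sketched as follows; this is an added example, not code from the paper. Assumptions: a fixed averaging kernel stands in for the trained 1D convolutional network, the deviation is a z-score of the absolute prediction error against an attack-free baseline, the threshold (3.0) and minimum run length (3) are illustrative, and the tank-level signal is constructed.

```python
import math
import statistics

KERNEL = [0.25, 0.25, 0.25, 0.25]  # assumption: fixed 1D filter standing in for a trained CNN

def constructed_level(n, attack=None, bias=40.0):
    """Constructed tank-level signal; `attack` = (start, end) adds a spoofed bias."""
    out = []
    for t in range(n):
        x = 500.0 + 10.0 * math.sin(2 * math.pi * t / 40)
        if attack and attack[0] <= t < attack[1]:
            x += bias
        out.append(x)
    return out

def residuals(series, kernel=KERNEL):
    """|observed - predicted| for each t, predicting from the previous len(kernel) samples."""
    k = len(kernel)
    return [abs(series[t] - sum(w * x for w, x in zip(kernel, series[t - k:t])))
            for t in range(k, len(series))]

def fit_baseline(normal_series):
    """Mean and standard deviation of the prediction error on attack-free data."""
    r = residuals(normal_series)
    return statistics.mean(r), statistics.pstdev(r) or 1e-9

def detect(series, baseline, z_threshold=3.0, min_run=3):
    """Return (start, end) index ranges where the z-scored error stays above threshold."""
    mean, std = baseline
    k, alerts, start = len(KERNEL), [], None
    for i, r in enumerate(residuals(series)):
        t = i + k
        if (r - mean) / std > z_threshold:
            start = t if start is None else start
        else:
            # Close the run; keep it only if it lasted long enough to rule out a blip.
            if start is not None and t - start >= min_run:
                alerts.append((start, t - 1))
            start = None
    if start is not None and len(series) - start >= min_run:
        alerts.append((start, len(series) - 1))
    return alerts

if __name__ == "__main__":
    baseline = fit_baseline(constructed_level(200))
    print(detect(constructed_level(120, attack=(60, 80)), baseline))
```

With this stand-in predictor the alerts mark where the spoofed bias begins and where it ends, because a predictor fed only the sensor's own recent values adapts to a sustained offset.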
Index Terms
- Detecting Cyber Attacks in Industrial Control Systems Using Convolutional Neural Networks