A new perspective towards the development of robust data-driven intrusion detection for industrial control systems

  • Ayodeji, Abiodun (Fundamental Science on Nuclear Safety and Simulation Technology Laboratory Harbin Engineering University) ;
  • Liu, Yong-kuo (Fundamental Science on Nuclear Safety and Simulation Technology Laboratory Harbin Engineering University) ;
  • Chao, Nan (Fundamental Science on Nuclear Safety and Simulation Technology Laboratory Harbin Engineering University) ;
  • Yang, Li-qun (Fundamental Science on Nuclear Safety and Simulation Technology Laboratory Harbin Engineering University)
  • Received : 2020.01.16
  • Accepted : 2020.05.11
  • Published : 2020.12.25

Abstract

Most of the machine learning-based intrusion detection tools developed for Industrial Control Systems (ICS) are trained on network packet captures, and they rely on monitoring network-layer traffic alone for intrusion detection. This approach produces weak intrusion detection systems, as ICS cyber-attacks have a real and significant impact on the process variables. A limited number of researchers consider integrating process measurements. However, in complex systems, process variable changes could result from different combinations of abnormal occurrences. This paper examines recent advances in intrusion detection algorithms, their limitations, their challenges and the status of their application in critical infrastructures. We also discuss the similarities and conflicts observed in the development of machine learning tools and techniques for fault diagnosis and for cybersecurity in the protection of complex systems, and the need to establish a clear difference between them. As a case study, we discuss special characteristics of nuclear power control systems and the factors that constrain the direct integration of security algorithms. Moreover, we discuss data reliability issues and present references and direct URLs to recent open-source data repositories to aid researchers in developing data-driven ICS intrusion detection systems.

Acknowledgement

This work was supported by the project of the State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment (No. KA2019.418), the Foundation of Science and Technology on Reactor System Design Technology Laboratory (HT-KFKT-14-2017003), the technical support project for Suzhou Nuclear Power Research Institute (SNPI) (No. 029-GN-B-2018-C45-P.0.99-00003), and the project of the Research Institute of Nuclear Power Operation (No. RIN180149-SCCG).


Cited by

  1. Intrusion Detection in Critical Infrastructures: A Literature Review vol.4, pp.3, 2020, https://doi.org/10.3390/smartcities4030061
  2. Emergency control of cyber-physical systems in the technological environment vol.839, pp.4, 2020, https://doi.org/10.1088/1755-1315/839/4/042084