Anomaly Detection Approach in Industrial Control Systems Based on Measurement Data
<p>Basic CNN structure.</p> "> Figure 2
<p>LSTM cell.</p> "> Figure 3
<p>Functional diagram of BiLSTM.</p> "> Figure 4
<p>Model structure diagram.</p> "> Figure 5
<p>Algorithm flow chart.</p> "> Figure 6
<p>Model convergence performance during the training phase.</p> "> Figure 7
<p>ROC curve.</p> "> Figure 8
<p>KS curve.</p> ">
Abstract
:1. Introduction
2. Related Works
- (I)
- An industrial control anomaly detection method based on protocol feature rules [12], which analyzes the protocol specification under normal conditions and establishes detection rules to detect anomalies that do not conform to the specification [13]. For example, Nasr et al. analyzed the alarm properties of SCADA to achieve anomaly detection in smart grids through statistical methods [14]. The disadvantage of this approach is that it is not sensitive enough to the sequence of attack events and internal relationships.
- (II)
- An industrial control anomaly detection method based on the system behavior state [15], which statistically analyzes the parameters of the industrial control system and establishes the normal behavior profile of the system for anomaly detection. Khalili et al. analyzed the information for a normal state from historical data and used the Apriori algorithm to implement anomaly detection [16]. Kwon et al. analyzed the communication behavior and protocol characteristics of smart substations and proposed a behavior-based anomaly detection method [17]. The disadvantage of this approach is that it cannot detect potential attack operations that exploit system vulnerabilities or masquerade as normal behavior.
- (III)
- Embedded machine learning-based industrial control anomaly detection method [18]. Machine learning methods are widely used in the fields of data mining and target detection [19]. Now that embedded machine learning methods are rapidly developing in industrial automation, researchers are trying to use their methods to mine communication data and build models for anomaly detection. Yap et al. [20] used tiny machine learning (TinyML) on an embedded system to identify data out of the expected range in the system in order to enable anomaly detection in industrial equipment. Narjes et al. [21] used a sparse autoencoder (SAE) network for anomaly detection of air conveyors in railroads and were able to effectively detect failures due to air leakage problems. Matteo et al. [22] designed machine learning algorithms executed on microprocessors, deployed on distributed sensors for the Internet of Things, capable of detecting anomalies in the status of bearings and proactively shutting down abnormal machines. This method may have disadvantages such as reduced efficiency in handling large-scale data, inability to solve the imbalance of sample distribution and easy to fall into local optimum, and its algorithm detection accuracy still has much room for improvement.
3. Methodology
3.1. 1D Convolutional Neural Network
3.2. Bidirectional Long Short-Term Memory Network
3.3. Particle Swarm Optimization
3.4. Other Methods
4. Proposed Model
4.1. Algorithm Overview
4.2. Model Structure and Algorithm Flow
Algorithm 1 PSO-1DCNN-BiLSTM Algorithm. |
Input: train_data; test_data; batch size; evaluation function: test(); particle swarm size: N; the maximum number of iterations: T; search dimension: D; number of pre-training cycles: K; Total number of iterations: epochs |
Output: model file |
1: Initialize particles |
2: for t = 1, 2, …, T do |
3: for i = 1, 2, …, N do |
4: for k = 1, 2, …, K do |
5: for m = 1, 2, …, M do |
6: Give the value of the particle to the hyperparameter |
7: for f = 3, 7, 11 do//f indicates the filter size |
8: Extract the features//See Equations (1)–(3) |
9: end for |
10: Get the one-dimensional array//See Equation (16) |
11: Extract the features//See Equations (5)–(13) |
12: Use Linear()//See Equation (4) |
13: Implement gradient descent//See Equations (18)–(20) |
14: Update model |
15: end for |
16: end for |
17: Use test() to get the evaluation value |
18: Update the global historical best parameter |
19: end for |
20: Update particles//See Equations (14) and (15) |
21: end for |
22: Input the final global best parameter to the model |
23: for epoch = 1 → epoch do |
24: Iterative training with samples taken according to batch_size |
25: end for |
26: return model//Output model file |
5. Experiments and Results
5.1. Experimental Setup
5.2. Dataset Description
5.3. Performance Metrics
5.4. Results and Discussion
6. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Cao, Y.; Zhang, L.; Zhao, X.; Jin, K.; Chen, Z. An Intrusion Detection Method for Industrial Control System Based on Machine Learning. Information 2022, 13, 322. [Google Scholar] [CrossRef]
- Daniela, T. Communication security in SCADA pipeline monitoring systems. In Proceedings of the 2011 RoEduNet International Conference 10th Edition: Networking in Education and Research, Iasi, Romania, 23–25 June 2011; pp. 1–5. [Google Scholar]
- Hu, Y.; Yang, A.; Li, H.; Sun, Y.; Sun, L. A survey of intrusion detection on industrial control systems. Int. J. Distrib. Sens. Netw. 2018, 14, 1–13. [Google Scholar] [CrossRef]
- Alladi, T.; Chamola, V.; Zeadally, S. Industrial Control Systems: Cyberattack trends and countermeasures. Comput. Commun. 2020, 155, 1–8. [Google Scholar] [CrossRef]
- Ren, Y.; Zhu, F.; Qi, J.; Wang, J.; Sangaiah, A.K. Identity Management and Access Control Based on Blockchain under Edge Computing for the Industrial Internet of Things. Appl. Sci. 2019, 9, 2058. [Google Scholar] [CrossRef]
- Puthal, D.; Nepal, S.; Ranjan, R.; Chen, J. Threats to networking cloud and edge datacenters in the Internet of Things. IEEE Cloud Comput. 2016, 3, 64–71. [Google Scholar] [CrossRef]
- Khan, R.; Maynard, P.; McLaughlin, K.; Laverty, D.; Sezer, S. Threat analysis of blackenergy malware for synchrophasor based real-time control and monitoring in smart grid. In Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research, Belfast, UK, 23–25 August 2016; pp. 53–63. [Google Scholar]
- Alimi, O.A.; Ouahada, K.; Abu-Mahfouz, A.M.; Rimer, S.; Alimi, K.O.A. A Review of Research Works on Supervised Learning Algorithms for SCADA Intrusion Detection and Classification. Sustainability 2021, 13, 9597. [Google Scholar] [CrossRef]
- Gautam, M.K.; Pati, A.; Mishra, S.K.; Appasani, B.; Kabalci, E.; Bizon, N.; Thounthong, P. A Comprehensive Review of the Evolution of Networked Control System Technology and Its Future Potentials. Sustainability 2021, 13, 2962. [Google Scholar] [CrossRef]
- Pliatsios, D.; Sarigiannidis, P.; Lagkas, T.; Sarigiannidis, A.G. A Survey on SCADA Systems: Secure Protocols, Incidents, Threats and Tactics. IEEE Commun. Surv. Tutor. 2020, 22, 1942–1976. [Google Scholar] [CrossRef]
- Rubio, J.E.; Alcaraz, C.; Roman, R.; Lopez, J. Current cyber-defense trends in industrial control systems. Comput. Secur. 2019, 87, 101561. [Google Scholar] [CrossRef]
- Zhou, X.; Peng, T. Application of multi-sensor fuzzy information fusion algorithm in industrial safety monitoring system. Saf. Sci. 2020, 122, 104531. [Google Scholar] [CrossRef]
- Al-Garadi, M.A.; Mohamed, A.; Al-Ali, A.; Du, X.; Guizani, M. A Survey of Machine and Deep Learning Methods for Internet of Things (IoT) Security. arXiv 2018, arXiv:1807.11023. [Google Scholar] [CrossRef]
- Homoliak, I.; Toffalini, F.; Guarnizo, J.; Elovici, Y.; Ochoa, M. Insight into insiders and it: A survey of insider threat taxonomies, analysis, modeling, and countermeasures. ACM Comput. Surv. 2019, 52, 30. [Google Scholar] [CrossRef]
- Ayodeji, A.; Liu, Y.K.; Chao, N.; Yang, L.Q. A new perspective towards the development of robust data-driven intrusion detection for industrial control systems. Nucl. Eng. Technol. 2020, 52, 2687–2698. [Google Scholar] [CrossRef]
- Anton, S.D.D.; Sinha, S.; Schotten, H.D. Anomaly-based Intrusion Detection in Industrial Data with SVM and Random Forests. In Proceedings of the 2019 International Conference on Software, Telecommunications and Computer Networks (SoftCOM), Split, Croatia, 19–21 September 2019; pp. 1–6. [Google Scholar]
- Radoglou-Grammatikis, P.I.; Sarigiannidis, P.G. Securing the Smart Grid: A Comprehensive Compilation of Intrusion Detection and Prevention Systems. IEEE Access 2019, 7, 46595–46620. [Google Scholar] [CrossRef]
- Brandalero, M.; Ali, M.; Le Jeune, L.; Hernandez, H.G.M.; Veleski, M.; da Silva, B.; Lemeire, J.; Van Beeck, K.; Touhafi, A.; Goedemé, T.; et al. AITIA: Embedded AI Techniques for Embedded Industrial Applications. In Proceedings of the 2020 International Conference on Omni-Layer Intelligent Systems (COINS), Barcelona, Spain, 31 August–2 September 2020; pp. 1–7. [Google Scholar]
- Azeroual, O.; Nikiforova, A. Apache Spark and MLlib-Based Intrusion Detection System or How the Big Data Technologies Can Secure the Data. Information 2022, 13, 58. [Google Scholar] [CrossRef]
- Siang, Y.Y.; Ahamd, M.R.; Abidin, M.S.Z. Anomaly detection based on tiny machine learning: A review. Open Int. J. Inform. 2021, 9, 67–78. [Google Scholar]
- Davari, N.; Veloso, B.; Ribeiro, R.P.; Pereira, P.M.; Gama, J. Predictive maintenance based on anomaly detection using deep learning for air production unit in the railway industry. In Proceedings of the 2021 IEEE 8th International Conference on Data Science and Advanced Analytics (DSAA), Porto, Portugal, 6–9 October 2021; pp. 1–10. [Google Scholar]
- Bertocco, M.; Fort, A.; Landi, E.; Mugnaini, M.; Parri, L.; Peruzzi, G.; Pozzebon, A. Roller Bearing Failures Classification with Low Computational Cost Embedded Machine Learning. In Proceedings of the 2022 IEEE International Workshop on Metrology for Automotive (MetroAutomotive), Modena, Italy, 4–6 July 2022; pp. 12–17. [Google Scholar]
- Kavitha, M.; Srinivas, P.; Kalyampudi, P.L.; Srinivasulu, S. Machine Learning Techniques for Anomaly Detection in Smart Healthcare. In Proceedings of the 2021 Third International Conference on Inventive Research in Computing Applications (ICIRCA), Coimbatore, India, 2–4 September 2021; pp. 1350–1356. [Google Scholar]
- Mokhtari, S.; Abbaspour, A.; Yen, K.; Sargolzaei, A. A Machine Learning Approach for Anomaly Detection in Industrial Control Systems Based on Measurement Data. Electronics 2021, 10, 407. [Google Scholar] [CrossRef]
- Yairi, I.E.; Takahashi, H.; Watanabe, T.; Nagamine, K.; Fukushima, Y.; Matsuo, Y.; Iwasawa, Y. Estimating Spatiotemporal Information from Behavioral Sensing Data of Wheelchair Users by Machine Learning Technologies. Information 2019, 10, 114. [Google Scholar] [CrossRef]
- Huang, S.; Tang, J.; Dai, J.; Wang, Y. Signal status recognition based on 1DCNN and its feature extraction mechanism analysis. Sensors 2019, 19, 2018. [Google Scholar] [CrossRef] [PubMed]
- Liu, G.; Guo, J. Bidirectional LSTM with attention mechanism and convolutional layer for text classification. Neurocomputing 2019, 337, 325–338. [Google Scholar] [CrossRef]
- Xie, Z.; Jin, L.; Luo, X.; Sun, Z.; Liu, M. RNN for repetitive motion generation of redundant robot manipulators: An orthogonal projection-based scheme. IEEE Trans. Neural Netw. Learn. Syst. 2020, 33, 615–628. [Google Scholar] [CrossRef] [PubMed]
- Yang, G.; Xu, H.Z. A Residual BiLSTM Model for Named Entity Recognition. IEEE Access 2020, 8, 227710–227718. [Google Scholar] [CrossRef]
- Luo, X.; Yuan, Y.; Chen, S.; Zeng, N.; Wang, Z. Position-transitional particle swarm optimization-incorporated latent factor analysis. IEEE Trans. Knowl. Data Eng. 2020, 34, 3958–3970. [Google Scholar] [CrossRef]
- Ferrag, M.A.; Maglaras, L.; Moschoyiannis, S.; Janicke, H. Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study. J. Inf. Secur. Appl. 2020, 50, 102419. [Google Scholar] [CrossRef]
Method | Accuracy | Kappa | Recall | Precision | F1 | G-mean | AUC |
---|---|---|---|---|---|---|---|
TCN | 0.806 | 0.827 | 0.971 | 0.851 | 0.907 | 0.703 | 0.740 |
LSTM | 0.694 | 0.746 | 0.953 | 0.783 | 0.860 | 0.614 | 0.743 |
1DCNN | 0.779 | 0.795 | 0.966 | 0.836 | 0.897 | 0.680 | 0.756 |
BiLSTM | 0.816 | 0.819 | 0.979 | 0.851 | 0.911 | 0.710 | 0.723 |
1DCNN-BiLSTM | 0.897 | 0.902 | 0.977 | 0.928 | 0.943 | 0.867 | 0.865 |
PSO-1DCNN-BiLSTM | 0.921 | 0.919 | 0.978 | 0.948 | 0.954 | 0.896 | 0.931 |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Zhao, X.; Zhang, L.; Cao, Y.; Jin, K.; Hou, Y. Anomaly Detection Approach in Industrial Control Systems Based on Measurement Data. Information 2022, 13, 450. https://doi.org/10.3390/info13100450
Zhao X, Zhang L, Cao Y, Jin K, Hou Y. Anomaly Detection Approach in Industrial Control Systems Based on Measurement Data. Information. 2022; 13(10):450. https://doi.org/10.3390/info13100450
Chicago/Turabian StyleZhao, Xiaosong, Lei Zhang, Yixin Cao, Kai Jin, and Yupeng Hou. 2022. "Anomaly Detection Approach in Industrial Control Systems Based on Measurement Data" Information 13, no. 10: 450. https://doi.org/10.3390/info13100450
APA StyleZhao, X., Zhang, L., Cao, Y., Jin, K., & Hou, Y. (2022). Anomaly Detection Approach in Industrial Control Systems Based on Measurement Data. Information, 13(10), 450. https://doi.org/10.3390/info13100450