Can Industrial Intrusion Detection Be SIMPLE?

  • Conference paper
  • Computer Security – ESORICS 2022 (ESORICS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13556)

Abstract

Cyberattacks against industrial control systems pose a serious risk to the safety of humans and the environment. Industrial intrusion detection systems oppose this threat by continuously monitoring industrial processes and alerting any deviations from learned normal behavior. To this end, various streams of research rely on advanced and complex approaches, i.e., artificial neural networks, thus achieving allegedly high detection rates. However, as we show in an analysis of 70 approaches from related work, their inherent complexity comes with undesired properties. For example, they exhibit incomprehensible alarms and models only specialized personnel can understand, thus limiting their broad applicability in a heterogeneous industrial domain. Consequentially, we ask whether industrial intrusion detection indeed has to be complex or can be SIMPLE instead, i.e., Sufficient to detect most attacks, Independent of hyperparameters to dial-in, Meaningful in model and alerts, Portable to other industrial domains, Local to a part of the physical process, and computationally Efficient. To answer this question, we propose our design of four SIMPLE industrial intrusion detection systems, such as simple tests for the minima and maxima of process values or the rate at which process values change. Our evaluation of these SIMPLE approaches on four state-of-the-art industrial security datasets reveals that SIMPLE approaches can perform on par with existing complex approaches from related work while simultaneously being comprehensible and easily portable to other scenarios. Thus, it is indeed justified to raise the question of whether industrial intrusion detection needs to be inherently complex.

Notes

  1. Implementation available at: https://github.com/fkie-cad/ipal_ids_framework.

  2. Implementation available at: https://github.com/fkie-cad/ipal_ids_framework.

Acknowledgements

Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC-2023 Internet of Production – 390621612.

Author information

Correspondence to Konrad Wolsing.

Appendix

To better understand the mechanics of the SIMPLE IIDSs, we take a detailed look at their detection phase. We occasionally see alerts stretching significantly further (with interruptions) than the actual attack. In Fig. 6a, the MinMax IIDS raises an alarm throughout the ICS’s recovery phase, since the process values still deviate from their normal range and fluctuate until they stabilize. The Gradient IIDS reveals another phenomenon in Fig. 6b, leading to supposedly false alerts that are inherent to its design. Since it only flags increases or decreases in a process value, its alerts are short, which results in poor performance w.r.t. metrics that evaluate attack coverage. While this method is precise in finding the actual beginnings and endings of attacks, it often raises an alarm shortly after an attack, when the process quickly returns to normal operation. Finally, in Fig. 6c, we observe effects that occur after the actual attack has ended (or where datasets are not precisely labeled). All of these effects result in insufficient attack coverage and false alarms, such that the good performance of the IIDSs is not captured well by the available metrics.

Fig. 6. IIDS performance metrics can show a skewed picture when the physical anomalies to be detected (green) are misaligned with the actual attack timing (red). (Color figure online)
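An added, constructed illustration (not the authors' ipal_ids_framework code) of the MinMax and Gradient tests sketched in the abstract, run on a synthetic tank-level trace to reproduce the two effects the appendix describes: MinMax keeps alerting through the recovery phase, while Gradient fires only briefly at the onset of the attack. The sensor name, normal sawtooth pattern, attack window and recovery slope are all assumptions.

```python
# Added illustration of the MinMax and Gradient checks described in the paper.
# Not the authors' ipal_ids_framework code; all process data below is constructed.
from typing import Dict, List, Sequence, Tuple

def train_minmax(normal: Dict[str, Sequence[float]]) -> Dict[str, Tuple[float, float]]:
    """Learn a [min, max] envelope per process value from attack-free data."""
    return {k: (min(v), max(v)) for k, v in normal.items()}

def _grads(v: Sequence[float], dt: float) -> List[float]:
    # Rate of change per step; one value per transition, so len(v) - 1 entries.
    return [(b - a) / dt for a, b in zip(v, v[1:])]

def train_gradient(normal, dt: float = 1.0) -> Dict[str, Tuple[float, float]]:
    """Learn the slowest and fastest rate of change seen during normal operation."""
    return {k: (min(g), max(g)) for k, g in ((k, _grads(v, dt)) for k, v in normal.items())}

def detect_minmax(model, trace) -> List[bool]:
    """Alert at step t if any process value leaves its learned envelope."""
    n = len(next(iter(trace.values())))
    return [any(not lo <= trace[k][t] <= hi for k, (lo, hi) in model.items())
            for t in range(n)]

def detect_gradient(model, trace, dt: float = 1.0) -> List[bool]:
    """Alert at step t if any value changes faster than seen in training; none at t=0."""
    grads = {k: _grads(v, dt) for k, v in trace.items()}
    n = len(next(iter(trace.values())))
    return [False] + [any(not lo <= grads[k][t] <= hi for k, (lo, hi) in model.items())
                      for t in range(n - 1)]

def alert_spans(alerts: Sequence[bool]) -> List[Tuple[int, int]]:
    """Collapse a per-step alert vector into inclusive (start, end) spans."""
    spans, start = [], None
    for t, a in enumerate(list(alerts) + [False]):  # sentinel closes a trailing span
        if a and start is None:
            start = t
        elif not a and start is not None:
            spans.append((start, t - 1))
            start = None
    return spans

def evaluate(alerts: Sequence[bool], start: int, end: int) -> Tuple[int, int]:
    """Alerted samples inside the labelled attack window [start, end) and outside it."""
    inside = sum(alerts[start:end])
    return inside, sum(alerts) - inside

def demo() -> Dict[str, tuple]:
    # Constructed tank level: sawtooth between 20 and 80 moving +/-5 per step.
    levels = (list(range(20, 85, 5)) + list(range(75, 20, -5))) * 4
    # Constructed attack over steps [30, 40): level forced to 95, then a slow 3/step recovery.
    trace = {"level": levels[:30] + [95] * 10 + [95 - 3 * k for k in range(1, 11)]}
    mm = detect_minmax(train_minmax({"level": levels}), trace)
    gr = detect_gradient(train_gradient({"level": levels}), trace)
    return {"minmax": (alert_spans(mm), evaluate(mm, 30, 40)),
            "gradient": (alert_spans(gr), evaluate(gr, 30, 40))}
```

In this constructed run MinMax alerts for steps 30 to 43, i.e. four samples past the labelled attack end while the level is still above its learned maximum, whereas Gradient alerts only at step 30, covering one of ten attack samples.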

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Wolsing, K., Thiemt, L., Sloun, C.v., Wagner, E., Wehrle, K., Henze, M. (2022). Can Industrial Intrusion Detection Be SIMPLE? In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_28

  • DOI: https://doi.org/10.1007/978-3-031-17143-7_28

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17142-0

  • Online ISBN: 978-3-031-17143-7

  • eBook Packages: Computer Science (R0)
