Abstract
Cyberattacks against industrial control systems pose a serious risk to the safety of humans and the environment. Industrial intrusion detection systems counter this threat by continuously monitoring industrial processes and alerting on any deviation from learned normal behavior. To this end, various streams of research rely on advanced and complex approaches, i.e., artificial neural networks, thus achieving allegedly high detection rates. However, as we show in an analysis of 70 approaches from related work, their inherent complexity comes with undesired properties. For example, they exhibit incomprehensible alarms and models that only specialized personnel can understand, thus limiting their broad applicability in a heterogeneous industrial domain. Consequently, we ask whether industrial intrusion detection indeed has to be complex or can be SIMPLE instead, i.e., Sufficient to detect most attacks, Independent of hyperparameters to dial in, Meaningful in model and alerts, Portable to other industrial domains, Local to a part of the physical process, and computationally Efficient. To answer this question, we propose our design of four SIMPLE industrial intrusion detection systems, such as simple tests for the minima and maxima of process values or the rate at which process values change. Our evaluation of these SIMPLE approaches on four state-of-the-art industrial security datasets reveals that SIMPLE approaches can perform on par with existing complex approaches from related work while simultaneously being comprehensible and easily portable to other scenarios. Thus, it is indeed justified to raise the question of whether industrial intrusion detection needs to be inherently complex.
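As an added illustration of the two detector types named in the abstract (a minimum/maximum test on process values and a test on the rate at which values change), the following Python sketch trains a MinMax and a Gradient detector on a constructed normal trace and applies both to a constructed trace containing a ramp attack. This is example code written for this page, not the authors' implementation (which is published in the ipal_ids_framework repository linked in the notes); the class names, the tolerance handling, the sensor name and the traces are assumptions made here.

```python
"""MinMax and Gradient process-value detectors, written here as an added example.

Not the authors' code: their implementation is in the ipal_ids_framework repository
linked in the notes. Class names, tolerance handling and traces are assumptions.
"""
from typing import Dict, List, Tuple

Sample = Dict[str, float]  # one time step: sensor/actuator name -> process value


class MinMaxIDS:
    """Alerts when a process value leaves the [min, max] range observed in training."""

    def __init__(self, tolerance: float = 0.0) -> None:
        # Assumed: widen the learned range by a fraction of its width to absorb noise.
        self.tolerance = tolerance
        self.bounds: Dict[str, Tuple[float, float]] = {}

    def train(self, trace: List[Sample]) -> None:
        for sample in trace:
            for name, value in sample.items():
                lo, hi = self.bounds.get(name, (value, value))
                self.bounds[name] = (min(lo, value), max(hi, value))
        for name, (lo, hi) in self.bounds.items():
            slack = (hi - lo) * self.tolerance
            self.bounds[name] = (lo - slack, hi + slack)

    def detect(self, sample: Sample) -> List[str]:
        """Names of all sensors whose current value is outside the learned range."""
        alerts = []
        for name, value in sample.items():
            lo, hi = self.bounds.get(name, (float("-inf"), float("inf")))
            if not lo <= value <= hi:
                alerts.append(name)
        return alerts


class GradientIDS:
    """Alerts when a value changes faster (per step) than ever observed in training."""

    def __init__(self, tolerance: float = 0.0) -> None:
        self.tolerance = tolerance
        self.max_step: Dict[str, float] = {}
        self._last: Dict[str, float] = {}  # previous value per sensor during detection

    def train(self, trace: List[Sample]) -> None:
        last: Dict[str, float] = {}
        for sample in trace:
            for name, value in sample.items():
                if name in last:
                    step = abs(value - last[name])
                    self.max_step[name] = max(self.max_step.get(name, 0.0), step)
                last[name] = value
        for name in self.max_step:
            self.max_step[name] *= 1.0 + self.tolerance

    def detect(self, sample: Sample) -> List[str]:
        """Names of all sensors whose change since the last step exceeds the learned bound."""
        alerts = []
        for name, value in sample.items():
            if name in self._last and name in self.max_step:
                if abs(value - self._last[name]) > self.max_step[name]:
                    alerts.append(name)
            self._last[name] = value
        return alerts


def run(ids, trace: List[Sample]) -> List[bool]:
    """Apply a trained detector step by step; True marks a time step with an alert."""
    return [bool(ids.detect(sample)) for sample in trace]


# Constructed traces for a single tank level sensor (not taken from any dataset).
NORMAL_TRACE = [{"tank_level": v} for v in
                [50.0, 50.5, 51.0, 51.5, 52.0, 51.5, 51.0, 50.5, 50.0, 49.5, 49.0, 49.5, 50.0]]
# Attack: a fast ramp to a level never seen in training, a plateau, then a fast return.
TEST_TRACE = [{"tank_level": v} for v in
              [50.0, 50.5, 51.0, 55.0, 60.0, 60.2, 60.0, 60.3, 56.0, 52.0, 50.5, 50.0]]


def demo() -> Dict[str, List[bool]]:
    """Train both detectors on NORMAL_TRACE and score TEST_TRACE."""
    minmax, gradient = MinMaxIDS(tolerance=0.1), GradientIDS(tolerance=0.1)
    minmax.train(NORMAL_TRACE)
    gradient.train(NORMAL_TRACE)
    return {"minmax": run(minmax, TEST_TRACE), "gradient": run(gradient, TEST_TRACE)}


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name:8s}", "".join("!" if a else "." for a in alerts))
```

On the constructed trace the two detectors complement each other: MinMax flags the whole plateau at an unseen level, while Gradient flags only the steps where the value moves faster than in training (the ramp up and the return), which is exactly the edge-only alert behaviour the appendix discusses.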
Notes
1. Implementation available at: https://github.com/fkie-cad/ipal_ids_framework.
2. Implementation available at: https://github.com/fkie-cad/ipal_ids_framework.
Acknowledgements
Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy – EXC 2023 Internet of Production – 390621612.
Appendix
To better understand the mechanics of the SIMPLE IIDSs, we take a detailed look at their detection phase. We occasionally see alerts stretching significantly further (with interruptions) than the actual attack. In Fig. 6a, the MinMax IIDS raises an alarm throughout the ICS's recovery phase since the process values still deviate from their normal values and fluctuate until stabilizing. The Gradient IIDS reveals another phenomenon in Fig. 6b, leading to supposedly false alerts inherent to its design. As it indicates increases or decreases, its alerts are short, which results in poor performance w.r.t. metrics evaluating the attack coverage. While this method is precise in finding the actual beginnings and endings of attacks, it often raises an alarm shortly after an attack when the process quickly returns to normal operation. Finally, in Fig. 6c, we observe effects that can occur after the actual attack has ended (or where datasets are not precisely labeled). All of these effects result in insufficient attack coverage and false alarms, such that the good performance of the IIDSs is not captured well by the available metrics.
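To make the metric effect described above concrete, here is an added example (not part of the paper) that scores two constructed alert series against a constructed attack label: one alert that covers the attack and then persists into the recovery phase, as with the MinMax IIDS, and one that fires only at the rising edge and at the return to normal, as with the Gradient IIDS. It computes point-wise precision/recall/F1 next to an attack-wise detection rate, and separates alert windows that start shortly after an attack ends from genuine false alarms. The helper names, the series and the grace period are assumptions of this example.

```python
"""Scoring alert series against attack labels, written here as an added example.

Not from the paper; the helper names, the constructed series and the grace period
for attributing post-attack alerts to the recovery phase are assumptions.
"""
from typing import Dict, List, Tuple

Window = Tuple[int, int]  # inclusive [start, end] indices of consecutive True values


def runs(flags: List[bool]) -> List[Window]:
    """Collapse a boolean series into the windows where it is True."""
    out: List[Window] = []
    start = None
    for i, flag in enumerate(flags):
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            out.append((start, i - 1))
            start = None
    if start is not None:
        out.append((start, len(flags) - 1))
    return out


def overlaps(a: Window, b: Window) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def point_metrics(labels: List[bool], alerts: List[bool]) -> Dict[str, float]:
    """Point-wise precision/recall/F1: every time step is scored on its own."""
    tp = sum(1 for l, a in zip(labels, alerts) if l and a)
    fp = sum(1 for l, a in zip(labels, alerts) if a and not l)
    fn = sum(1 for l, a in zip(labels, alerts) if l and not a)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1}


def scenario_recall(labels: List[bool], alerts: List[bool]) -> float:
    """Fraction of attack windows that overlap at least one alert window."""
    attacks, alert_runs = runs(labels), runs(alerts)
    hit = sum(1 for atk in attacks if any(overlaps(atk, r) for r in alert_runs))
    return hit / len(attacks) if attacks else 0.0


def classify_false_alarms(labels: List[bool], alerts: List[bool], grace: int) -> Dict[str, int]:
    """Split alert windows that touch no attack into 'recovery' windows (starting
    within `grace` steps after an attack ends) and genuine false alarms."""
    attacks = runs(labels)
    counts = {"false_alarm_runs": 0, "recovery_runs": 0}
    for r in runs(alerts):
        if any(overlaps(atk, r) for atk in attacks):
            continue
        if any(atk[1] < r[0] <= atk[1] + grace for atk in attacks):
            counts["recovery_runs"] += 1
        else:
            counts["false_alarm_runs"] += 1
    return counts


# Constructed 20-step scenario: one attack at steps 5..9, followed by a recovery phase.
LABELS = [5 <= i <= 9 for i in range(20)]
# MinMax-like alerts: cover the attack and persist three steps into recovery.
MINMAX_ALERTS = [5 <= i <= 12 for i in range(20)]
# Gradient-like alerts: only the rising edge (5, 6) and the return to normal (10, 11).
GRADIENT_ALERTS = [i in (5, 6, 10, 11) for i in range(20)]


def demo(grace: int = 3) -> Dict[str, dict]:
    """Score both constructed alert series against LABELS."""
    result = {}
    for name, alerts in (("minmax", MINMAX_ALERTS), ("gradient", GRADIENT_ALERTS)):
        scores = point_metrics(LABELS, alerts)
        scores["scenario_recall"] = scenario_recall(LABELS, alerts)
        scores.update(classify_false_alarms(LABELS, alerts, grace))
        result[name] = scores
    return result


if __name__ == "__main__":
    for name, scores in demo().items():
        print(name, {k: round(v, 3) for k, v in scores.items()})
```

Both series detect the single attack (attack-wise recall 1.0), yet point-wise F1 drops to about 0.77 for the persisting alert and to about 0.44 for the edge-only alert, and every post-attack alert counts as a false positive unless a grace period after the attack end is used to attribute it to recovery.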
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Wolsing, K., Thiemt, L., Sloun, C.v., Wagner, E., Wehrle, K., Henze, M. (2022). Can Industrial Intrusion Detection Be SIMPLE?. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_28
DOI: https://doi.org/10.1007/978-3-031-17143-7_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17142-0
Online ISBN: 978-3-031-17143-7
eBook Packages: Computer Science (R0)