
RemOD: Operational Drift-Adaptive Intrusion Detection

  • Conference paper
Security, Privacy, and Applied Cryptography Engineering (SPACE 2022)

Abstract

The critical infrastructure (CI) environment is complex and dynamic in nature. The normal behaviour of physical devices changes due to time-dependent operational features and the needs of infrastructure components. The sensors capturing the changed device behaviour generate measurements in a different operating range because of this time-dependent variation in normal behaviour. Such normal variation in the sensor measurements is called operational drift (OD). State-of-the-art process-level intrusion detection systems (IDSs) are based on offline training, which leads to repeated false alarms for ODs. Frequently retraining an offline-trained IDS model may be a solution, but it is costly and challenging. To overcome the limitation of offline training, we propose an online learning-based IDS named RemOD. Instead of retraining the entire model, RemOD adapts to ODs by updating itself online. Updating RemOD for ODs significantly reduces the false alarms in such dynamic environments. We validate the proposed method on two benchmark datasets: SWaT (dynamic environment) and C-town (stationary environment). On the SWaT dataset, RemOD generates 6.88 times fewer false alarms than baseline methods such as PASAD.
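To make the false-alarm mechanism described in the abstract concrete, here is an added toy simulation; it is not the RemOD code from the paper or its repository. It assumes a constructed single-sensor series whose normal operating range ramps upward over time (the operational drift), a z-score detector fitted once on an initial training window and then frozen, standing in for an offline-trained IDS, and the same detector with an exponentially weighted online update, standing in for an online-adaptive one. The detector, its threshold and update rate, and all sample values are assumptions for illustration, not the paper's method.

```python
"""Toy illustration of operational drift (OD) versus offline-trained detection.

Added example, not the paper's or the repository's code. The detector below
(running mean/variance with a z-score threshold) is an assumption chosen for
illustration; RemOD's own model is not described on this page.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


def constructed_sensor_series() -> Tuple[List[float], List[bool]]:
    """Constructed data: a periodic sensor whose setpoint drifts from 50 to 58
    between t=200 and t=400 (benign OD), plus a 10-sample injected anomaly."""
    values: List[float] = []
    is_attack: List[bool] = []
    for t in range(600):
        base = 50.0 + 8.0 * min(1.0, max(0.0, (t - 200) / 200.0))  # slow ramp
        v = base + 2.0 * math.sin(t / 7.0)        # normal periodic behaviour
        attack = 450 <= t < 460                   # constructed anomaly window
        if attack:
            v += 12.0
        values.append(v)
        is_attack.append(attack)
    return values, is_attack


def fit_offline(train: List[float]) -> Tuple[float, float]:
    """One-shot (offline) estimate of mean and variance from a training window."""
    n = len(train)
    mean = sum(train) / n
    var = sum((x - mean) ** 2 for x in train) / n
    return mean, var


@dataclass
class ZScoreDetector:
    mean: float
    var: float
    threshold: float = 3.0
    alpha: float = 0.0  # 0.0 keeps the model frozen; >0 enables the online EWMA update

    def step(self, x: float) -> bool:
        """Score one sample against the current model, then (optionally) update."""
        z = abs(x - self.mean) / math.sqrt(self.var)
        alarm = z > self.threshold
        if self.alpha > 0.0:
            # Online update on every sample (assumption for this toy): the
            # model follows slow drift but would also absorb a long-lived attack.
            delta = x - self.mean
            self.mean += self.alpha * delta
            self.var = (1.0 - self.alpha) * self.var + self.alpha * delta * delta
        return alarm


def evaluate(detector: ZScoreDetector, values: List[float],
             labels: List[bool], start: int) -> Dict[str, int]:
    """Count false alarms (alarm on benign sample) and hits (alarm on attack sample)."""
    false_alarms = 0
    attack_hits = 0
    for x, attack in zip(values[start:], labels[start:]):
        alarm = detector.step(x)
        if alarm and attack:
            attack_hits += 1
        elif alarm and not attack:
            false_alarms += 1
    return {"false_alarms": false_alarms, "attack_hits": attack_hits}


def compare(train_len: int = 200) -> Dict[str, Dict[str, int]]:
    """Run the frozen (offline) and adaptive (online) detectors on the same stream."""
    values, labels = constructed_sensor_series()
    mean, var = fit_offline(values[:train_len])
    offline = evaluate(ZScoreDetector(mean, var), values, labels, train_len)
    online = evaluate(ZScoreDetector(mean, var, alpha=0.05), values, labels, train_len)
    return {"offline": offline, "online": online}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:8s} false alarms={result['false_alarms']:4d} "
              f"attack samples flagged={result['attack_hits']}")
```

Running `compare()` shows the frozen model alarming on essentially every sample once the drift carries the signal past its fixed threshold, while the adaptive model tracks the drift and still flags the onset of the injected anomaly. The toy also exposes the trade-off behind the paper's setting: because this online update absorbs every sample, a sufficiently long-lasting deviation would eventually be learned as the new normal, so an adaptive detector needs a rule for which deviations count as operational drift. The abstract states that RemOD updates itself for ODs; that decision is exactly what this illustration leaves out.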


Notes

  1. https://github.com/8biskit/RemOD-Operational-Drift-adaptive-Intrusion-Detection.

  2. More features increase the computation cost. We will include the other features by implementing them using a self-balancing multi-dimensional tree as future work.

References

  1. Falliere, N., Murchu, L.O., Chien, E.: W32.Stuxnet dossier. White paper, Symantec Corp. Security Response 5(6), 29 (2011)

  2. Lee, R.M., Assante, M.J., Conway, T.: German steel mill cyber attack. Ind. Control Syst. 30, 62 (2014)

  3. Johnson, B., Caban, D., Krotofil, M., Scali, D., Brubaker, N., Glyer, C.: Attackers deploy new ICS attack framework “TRITON” and cause operational disruption to critical infrastructure. Threat Research Blog (2017)

  4. Defense Use Case: Analysis of the cyber attack on the Ukrainian power grid. Electricity Information Sharing and Analysis Center (E-ISAC) (2016)

  5. Cardenas, A., et al.: Attacks against process control systems: risk assessment, detection, and response. In: ACM Symposium on Information, Computer and Communications Security, pp. 355–366. ACM (2011)

  6. Maurya, V., Agarwal, R., Kumar, S., Shukla, S.K.: EPASAD: ellipsoid decision boundary based process-aware stealthy attack detector. arXiv preprint arXiv:2204.04154 (2022)

  7. Aoudi, W., Iturbe, M., Almgren, M.: Truth will out: departure-based process-level detection of stealthy attacks on control systems. In: ACM Conference on Computer and Communications Security, pp. 817–831. ACM (2018)

  8. Chen, Y., Poskitt, C.M., Sun, J.: Learning from mutants: using code mutation to learn and monitor invariants of a cyber-physical system. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 648–660. IEEE (2018)

  9. Hadžiosmanović, D., Sommer, R., Zambon, E., Hartel, P.H.: Through the eye of the PLC: semantic security monitoring for industrial processes. In: Annual Computer Security Applications Conference, pp. 126–135. ACM (2014)

  10. Gauthama Raman, M.R., Ahmed, C.M., Mathur, A.: Machine learning for intrusion detection in industrial control systems: challenges and lessons from experimental evaluation. Cybersecurity 4(1), 1–12 (2021)

  11. Mathur, A.P., Tippenhauer, N.O.: SWaT: a water treatment testbed for research and training on ICS security. In: 2016 International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater), pp. 31–36. IEEE (2016)

  12. Taormina, R., et al.: Battle of the attack detection algorithms: disclosing cyber attacks on water distribution networks. J. Water Resour. Plann. Manage. 144(8), 04018048 (2018)

  13. Wand, M.P., Jones, M.C.: Kernel Smoothing. Chapman and Hall/CRC (1994)

  14. Silverman, B.W.: Density Estimation for Statistics and Data Analysis. Routledge (2018)

  15. Ramlau-Hansen, H.: The choice of a kernel function in the graduation of counting process intensities. Scand. Actuar. J. 1983(3), 165–182 (1983)

  16. Otneim, H., Tjøstheim, D.: The locally Gaussian density estimator for multivariate data. Stat. Comput. 27(6), 1595–1616 (2017)

  17. Golyandina, N., Zhigljavsky, A.: Singular Spectrum Analysis for Time Series. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-34913-3

  18. Taormina, R., Galelli, S., Tippenhauer, N.O., Salomons, E., Ostfeld, A.: Characterizing cyber-physical attacks on water distribution systems. J. Water Resour. Plann. Manage. 143(5), 04017009 (2017)

  19. Guan, Y., Ghorbani, A.A., Belacel, N.: Y-means: a clustering method for intrusion detection. In: CCECE 2003 Canadian Conference on Electrical and Computer Engineering. Toward a Caring and Humane Technology (Cat. No. 03CH37436), vol. 2, pp. 1083–1086. IEEE (2003)

  20. Hansen, P., Mladenović, N.: J-means: a new local search heuristic for minimum sum of squares clustering. Pattern Recogn. 34(2), 405–413 (2001)

  21. Nader, P., Honeine, P., Beauseroy, P.: \(l_p\)-norms in one-class classification for intrusion detection in SCADA systems. IEEE Trans. Industr. Inf. 10(4), 2308–2317 (2014)

  22. Lichman, M., et al.: UCI machine learning repository (2013)

  23. Gao, X., Hou, J.: An improved SVM integrated GS-PCA fault diagnosis approach of Tennessee Eastman process. Neurocomputing 174, 906–911 (2016)

  24. Zhu, J., Ge, Z., Song, Z.: Distributed parallel PCA for modeling and monitoring of large-scale plant-wide processes with big data. IEEE Trans. Industr. Inf. 13(4), 1877–1885 (2017)

  25. Filonov, P., Kitashov, F., Lavrentyev, A.: RNN-based early cyber-attack detection for the Tennessee Eastman process. arXiv preprint arXiv:1709.02232 (2017)

  26. Abokifa, A.A., Haddad, K., Lo, C.S., Biswas, P.: Detection of cyber physical attacks on water distribution systems via principal component analysis and artificial neural networks. In: World Environmental and Water Resources Congress 2017, pp. 676–691 (2017)

  27. Chandy, S.E., Rasekh, A., Barker, Z.A., Ehsan Shafiee, M.: Cyberattack detection using deep generative models with variational inference. J. Water Resour. Plann. Manag. 145(2), 04018093 (2018)

  28. Li, D., Chen, D., Jin, B., Shi, L., Goh, J., Ng, S.-K.: MAD-GAN: multivariate anomaly detection for time series data with generative adversarial networks. In: Tetko, I.V., Kůrková, V., Karpov, P., Theis, F. (eds.) ICANN 2019. LNCS, vol. 11730, pp. 703–716. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30490-4_56

  29. Downs, J.J., Vogel, E.F.: A plant-wide industrial process control problem. Comput. Chem. Eng. 17(3), 245–255 (1993)

  30. Abokifa, A.A., Haddad, K., Lo, C., Biswas, P.: Real-time identification of cyber-physical attacks on water distribution systems via machine learning-based anomaly detection techniques. J. Water Resour. Plann. Manage. 145(1), 04018089 (2018)

Acknowledgement

We thank the C3iHub (Technology Innovation Hub on Cyber Security and Cyber Security for Cyber-Physical Systems) at IIT Kanpur for partially funding this research project.

Corresponding author

Correspondence to Vikas Maurya.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Maurya, V., Rani, N., Shukla, S.K. (2022). RemOD: Operational Drift-Adaptive Intrusion Detection. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2022. Lecture Notes in Computer Science, vol 13783. Springer, Cham. https://doi.org/10.1007/978-3-031-22829-2_17


  • DOI: https://doi.org/10.1007/978-3-031-22829-2_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22828-5

  • Online ISBN: 978-3-031-22829-2

  • eBook Packages: Computer Science (R0)
