Abstract
Industrial Intrusion Detection Systems (IIDSs) play a critical role in safeguarding Industrial Control Systems (ICSs) against targeted cyberattacks. Unsupervised anomaly detectors, capable of learning the expected behavior of physical processes, have proven effective in detecting even novel cyberattacks. Despite their decent attack detection, these systems still suffer from too many False-Positive Alarms (FPAs) that operators need to investigate, eventually leading to alarm fatigue. To address this issue, in this paper, we challenge the notion of relying on a single IIDS and explore the benefits of combining multiple IIDSs. To this end, we examine the concept of ensemble learning, where a collection of classifiers (IIDSs in our case) is combined to optimize attack detection and reduce FPAs. While training ensembles for supervised classifiers is relatively straightforward, retaining the unsupervised nature of IIDSs proves challenging. In that regard, novel time-aware ensemble methods that incorporate temporal correlations between alerts, and transfer learning to best utilize the scarce training data, constitute viable solutions. By combining diverse IIDSs, the detection performance can be improved beyond the individual approaches with close to no FPAs, resulting in a promising path for strengthening ICS cybersecurity.
Notes
1. The results for a second dataset (WADI) are compiled in Appendix A.
Acknowledgments
This work is part of the project MUM2 and was funded by the German Federal Ministry of Economic Affairs and Climate Action (BMWK) with contract number 03SX543B managed by the Project Management Jülich (PTJ). Funded by the German Federal Office for Information Security (BSI) under project funding reference number 01MO23016D (5G-Sierra) and by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC-2023 Internet of Production – 390621612. The responsibility for the content of this publication lies with the authors.
A WADI Results
In addition to the results of our experiments from Sects. 3 and 4, which are based on the SWaT dataset, we repeated the same analyses for the WADI dataset.
In the baseline results, we observe a similar insufficiency for WADI (cf. Table 5) as previously discussed for SWaT in Sect. 3.1. No single IIDS is capable of detecting all 14 cyberattacks, and there is no single best IIDS across all metrics. MinMax achieves the highest score in two metrics, but Seq2SeqNN detects two more scenarios. In total, 13 of WADI’s 14 attacks would be detectable in combination.
We again assess the theoretical and practical potential of an ensemble on WADI as described in Sect. 4.1. Here, the eTaF1-optimized ensemble outperforms the best base-IIDS by \(+11.9\%\) points in the eTaF1 score, detects more cyberattacks than any single IIDS, and keeps the FPAs comparatively low (cf. upper part of Table 6). The manual voting strategies, however, fall short of this theoretical potential (cf. lower part of Table 6), with the best strategy trailing by \(25\%\) points in the eTaF1 score. Nonetheless, the \(\ge \)2-Alerts ensemble flags all 13 cyberattacks detected by any base-IIDS while producing only four FPAs.
Incorporating temporal knowledge (cf. Sect. 5) raises the optimum by \(+2.5\%\) points in eTaF1 and improves the manual strategies, especially in terms of FPAs (cf. Table 7). We see a substantial improvement in the eTaF1 score of the best manual vote (\(+5.8\%\) points for \(\ge \)5-Alerts), and the \(\ge \)2-Alerts strategy still detects 13 cyberattacks, now with just 2 FPAs, matching the number of FPAs achieved by Opt. Weights. Unfortunately, this improvement is not reflected in the eTaF1 score.
These results support the previous conclusion that weight-based ensembles are useful given suitable weights and thresholds, yet finding them remains non-trivial. Lastly, adding time-awareness yielded a significant performance boost.
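The voting strategies discussed above, as an added example that is not the paper's or its artifact's code: a \(\ge \)k-Alerts vote, a weight-based vote with a threshold, and an assumed time-aware variant (IIDSs count as agreeing if they alerted within a short window, and alerts shorter than a minimum length are dropped; the paper's own time-aware method is not described on this page), all evaluated on constructed alert streams. The IIDS names, weights, thresholds, attack intervals and the FPA counting rule (maximal alert runs outside any attack) are constructed assumptions.

```python
from itertools import groupby

# Constructed sample input (not from the paper): alert streams of three
# base-IIDSs over 12 time steps; 1 = that IIDS raises an alert at the step.
ALERTS = {
    "MinMax":    [0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0],
    "Seq2SeqNN": [0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0],
    "IIDS-C":    [0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0],  # placeholder name
}
# Constructed ground truth: attack A spans steps 2-4, attack B steps 9-10.
ATTACKS = {"A": range(2, 5), "B": range(9, 11)}

def k_alerts_vote(alerts, k):
    """'>=k-Alerts' strategy: ensemble alert where at least k IIDSs alert."""
    steps = len(next(iter(alerts.values())))
    return [int(sum(a[t] for a in alerts.values()) >= k) for t in range(steps)]

def weighted_vote(alerts, weights, threshold):
    """Weight-based ensemble: weighted alert sum compared against a threshold."""
    steps = len(next(iter(alerts.values())))
    return [int(sum(weights[n] * a[t] for n, a in alerts.items()) >= threshold)
            for t in range(steps)]

def time_aware_vote(alerts, k, window, min_len):
    """Assumed time-aware variant: an IIDS counts as agreeing if it alerted in
    the last `window` steps; ensemble alerts shorter than `min_len` steps are
    dropped as spurious (this reduces isolated one-step FPAs)."""
    steps = len(next(iter(alerts.values())))
    raw = [int(sum(any(a[max(0, t - window + 1):t + 1]) for a in alerts.values()) >= k)
           for t in range(steps)]
    out = []
    for val, run in groupby(raw):
        n = len(list(run))
        out += [int(val and n >= min_len)] * n
    return out

def evaluate(ensemble, attacks):
    """Scenario view as in the paper's tables: attacks with at least one
    ensemble alert, attack steps covered, and FPAs (assumed here to be maximal
    runs of consecutive ensemble alerts outside every attack)."""
    in_attack = {t for steps in attacks.values() for t in steps}
    detected = [n for n, steps in attacks.items() if any(ensemble[t] for t in steps)]
    covered = sum(ensemble[t] for t in in_attack)
    false_steps = [int(a and t not in in_attack) for t, a in enumerate(ensemble)]
    fpas = sum(1 for val, _ in groupby(false_steps) if val)
    return detected, covered, fpas

if __name__ == "__main__":
    weights = {"MinMax": 0.5, "Seq2SeqNN": 0.4, "IIDS-C": 0.3}  # assumed weights
    for name, ens in [(">=1-Alerts", k_alerts_vote(ALERTS, 1)),
                      (">=2-Alerts", k_alerts_vote(ALERTS, 2)),
                      ("Weighted@0.45", weighted_vote(ALERTS, weights, 0.45)),
                      ("Time-aware >=2", time_aware_vote(ALERTS, 2, 2, 2))]:
        print(f"{name:15} detected={evaluate(ens, ATTACKS)}")
```

On this constructed input the plain \(\ge \)2-Alerts vote already removes all FPAs but covers only part of each attack, while the time-aware variant keeps zero FPAs and covers every attack step, mirroring the trade-off the appendix describes.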
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Wolsing, K., Kus, D., Wagner, E., Pennekamp, J., Wehrle, K., Henze, M. (2024). One IDS Is Not Enough! Exploring Ensemble Learning for Industrial Intrusion Detection. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14345. Springer, Cham. https://doi.org/10.1007/978-3-031-51476-0_6
DOI: https://doi.org/10.1007/978-3-031-51476-0_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51475-3
Online ISBN: 978-3-031-51476-0
eBook Packages: Computer Science (R0)