ABSTRACT
The recent evolution of edge computing has favored the growth of the Industrial Internet of Things (IIoT), opening dangerous new attack surfaces. In this distributed sensor system scenario, insecure interactions between Information Technology (IT) and Operational Technology (OT) networks mean that cyber-physical threats can have destructive consequences for the environment and for population safety. To address industrial cyber-physical security, modern anomaly detection systems implement innovative Machine Learning (ML) techniques. Unfortunately, current solutions still fail to provide effective prevention of complex industrial threats.
In this paper, we present KingFisher, an Intrusion Detection System (IDS) framework based on ML. KingFisher is, to the best of our knowledge, the first solution that looks not only at IT and OT traffic independently, but also at data from sensors deployed to capture side-channel physical-process signals (e.g., vibrations, background noise). Thanks to this feature, KingFisher can detect attacks that other systems would miss. As our tests show, correlating the inferred status of the physical processes with OT-network and IT-network data gives insight into suspicious and anomalous activities targeting industrial networks. For our framework, we use Variational Autoencoders (VAEs), an unsupervised neural network model, to categorize data without a priori knowledge of the dataset. We evaluate the detection capabilities and performance of KingFisher in a proof-of-concept simulated industrial scenario under cyber-physical attacks. Our preliminary results show that KingFisher identifies attacks on both the network and physical layers.
KingFisher: an Industrial Security Framework based on Variational Autoencoders