ABSTRACT
Modern attacks on Industrial Control Systems (ICSs) are the result of several colliding circumstances: historically insecure communication protocols, increased ICS connectivity, and the rise of state-sponsored attackers. Extensive research has been conducted on using anomaly detection (AD) to counter this; here, deviations from an ICS's normal operation are monitored to indicate potentially dangerous situations. However, most works either assume an on-site deployment, or focus only on the neural architecture and disregard the deployment environment altogether. For the former, failure to update local AD can result in otherwise preventable attacks going undetected; as for the latter, directly porting these architectures to a cloud deployment can result in stale predictions due to communication delays, timeout-induced gaps in predictions, and surcharges due to bandwidth costs. In this work, we present CloudPAD, an ICS anomaly detection pipeline that accounts for the issues introduced by an off-premises deployment, which uses the ClozeLSTM, a neural network based on the Long Short-Term Memory (LSTM) architecture, to detect anomalies. We train and test the ClozeLSTM on the Secure Water Treatment (SWaT) dataset, and show that it outperforms an advanced attention baseline, with a precision-recall AUC of 0.797 vs. 0.717. We also discuss measures to minimize CloudPAD's bandwidth consumption, and show that performance remains competitive with a maximum decrease in PR AUC of 0.01 when running in this mode.
Index Terms
- CloudPAD: Managed Anomaly Detection for ICS