research-article

GNN-based Advanced Feature Integration for ICS Anomaly Detection

Authors:

Bailing WangAuthors Info & Claims

ACM Transactions on Intelligent Systems and Technology, Volume 14, Issue 6

Article No.: 106, Pages 1 - 32

https://doi.org/10.1145/3620676

Published: 14 November 2023 Publication History

Abstract

Recent adversaries targeting the Industrial Control Systems (ICSs) have started exploiting their sophisticated inherent contextual semantics such as the data associativity among heterogeneous field devices. In light of the subtlety rendered in these semantics, anomalies triggered by such interactions tend to be extremely covert, hence giving rise to extensive challenges in their detection. Driven by the critical demands of securing ICS processes, a Graph-Neural-Network (GNN) based method is presented to tackle these subtle hostilities by leveraging an ICS’s advanced contextual features refined from a universal perspective, rather than exclusively following GNN’s conventional local aggregation paradigm. Specifically, we design and implement the Graph Sample-and-Integrate Network (GSIN), a general chained framework performing node-level anomaly detection via advanced feature integration, which combines a node’s local awareness with the graph’s prominent global properties extracted via process-oriented pooling. The proposed GSIN is evaluated on multiple well-known datasets with different kinds of integration configurations, and results demonstrate its superiority consistently on not only anomaly detection performance (e.g., F1 score and AUPRC) but also runtime efficiency over recent representative baselines.

References

[1]

M. Abdallah, N. An Le Khac, H. Jahromi, and A. Delia Jurcut. 2021. A hybrid CNN-LSTM based approach for anomaly detection systems in SDNs. In Proceedings of the 16th International Conference on Availability, Reliability and Security. 1–7.

Digital Library

[2]

Loai Abedalla, Murad Badarna, Waleed Khalifa, and Malik Yousef. 2019. K–means based one-class svm classifier. In Proceedings of the International Conference on Database and Expert Systems Applications. Springer, 45–53.

[3]

M. AlMedires and M. AlMaiah. 2021. Cybersecurity in industrial control system (ICS). In Proceedings of the 2021 International Conference on Information Technology.

[4]

M. R. Asghar, Q. Hu, and S. Zeadally. 2019. Cybersecurity in industrial control systems: Issues, technologies, and challenges. Computer Networks 165, C (2019), 106946.

Digital Library

[5]

R. R. R. Barbosa, R. Sadre, and A. Pras. 2012. A first look into SCADA network traffic. In Proceedings of the 2012 IEEE Network Operations and Management Symposium. IEEE, 518–521.

[6]

M. Caselli, E. Zambon, and F. Kargl. 2015. Sequence-aware intrusion detection in industrial control systems. In Proceedings of the 1st ACM Workshop on Cyber-Physical System Security. 13–24.

Digital Library

[7]

Lei Chen, Yuan Li, Xingye Deng, Zhaohua Liu, Mingyang Lv, and Hongqiang Zhang. 2022. Dual auto-encoder GAN-based anomaly detection for industrial control system. Applied Sciences 12, 10 (2022), 4986.

[8]

A. Deng and B. Hooi. 2020. Graph neural network-based anomaly detection in multivariate time series. In Proceedings of the AAAI Conference on Artificial Intelligence. 4027–4035.

[9]

Xiaoheng Deng, Jincai Zhu, Xinjun Pei, Lan Zhang, Zhen Ling, and Kaiping Xue. 2022. Flow topology-based graph convolutional network for intrusion detection in label-limited IoT networks. IEEE Transactions on Network and Service Management 20, 1 (2022), 684–696. https://ieeexplore.ieee.org/document/9919790

[10]

A. Dey. 2020. Deep IDS: A deep learning approach for Intrusion detection based on IDS 2018. In Proceedings of the 2020 2nd International Conference on Sustainable Technologies for Industry 4.0. IEEE, 1–5.

[11]

H. S. Dhiman, D. Deb, S. M. Muyeen, and I. Kamwa. 2021. Wind turbine gearbox anomaly detection based on adaptive threshold and twin support vector machines. IEEE Transactions on Energy Conversion 36, 4 (2021), 3462–3469.

[12]

Jian Du, Shanghang Zhang, Guanhang Wu, José M. F. Moura, and Soummya Kar. 2017. Topology adaptive graph convolutional networks. arXiv:1710.10370. Retrieved from https://arxiv.org/abs/1710.10370

[13]

Daniel Fährmann, Naser Damer, Florian Kirchbuchner, and Arjan Kuijper. 2022. Lightweight long short-term memory variational auto-encoder for multivariate time series anomaly detection in industrial control systems. Sensors 22, 8 (2022), 2886.

[14]

Jonathan Goh, Sridhar Adepu, Khurum Nazir Junejo, and Aditya Mathur. 2016. A dataset to support research in the design of secure water treatment systems. In Proceedings of the International Conference on Critical Information Infrastructures Security. Springer, 88–99.

[15]

N. Goldenberg and A. Wool. 2013. Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems. International journal of critical infrastructure protection 6, 2 (2013), 63–75.

[16]

D. Hadžiosmanović, R. Sommer, E. Zambon, and P. H. Hartel. 2014. Through the eye of the PLC: Semantic security monitoring for industrial processes. In Proceedings of the 30th Annual Computer Security Applications Conference. 126–135.

Digital Library

[17]

W. Hamilton, Z. Ying, and J. Leskovec. 2017. Inductive representation learning on large graphs. Advances in Neural Information Processing Systems 30 (2017), 1025–1035.

[18]

Simon Hawkins, Hongxing He, Graham Williams, and Rohan Baxter. 2002. Outlier detection using replicator neural networks. In Proceedings of the International Conference on Data Warehousing and Knowledge Discovery. Springer, 170–180.

Digital Library

[19]

Z. Hu, Y. Dong, K. Wang, K. W. Chang, and Y. Sun. 2020. Gpt-gnn: Generative pre-training of graph neural networks. In Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. 1857–1867.

Digital Library

[20]

Paweł Karczmarek, Adam Kiersztyn, and Witold Pedrycz. 2020. n-ary isolation forest: An experimental comparative analysis. In Proceedings of the International Conference on Artificial Intelligence and Soft Computing. Springer, 188–198.

Digital Library

[21]

T. N. Kipf and M. Welling. 2016. Semi-supervised classification with graph convolutional networks. arXiv:1609.02907. Retrieved from https://arxiv.org/abs/1609.02907

[22]

Yezheng Liu, Zhe Li, Chong Zhou, Yuanchun Jiang, Jianshan Sun, Meng Wang, and Xiangnan He. 2019. Generative adversarial active learning for unsupervised outlier detection. IEEE Transactions on Knowledge and Data Engineering 32, 8 (2019), 1517–1528.

[23]

Wai Weng Lo, Siamak Layeghy, Mohanad Sarhan, Marcus Gallagher, and Marius Portmann. 2022. E-graphsage: A graph neural network based intrusion detection system for iot. In Proceedings of the NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium. IEEE, 1–9.

Digital Library

[24]

S. L(y)u, K. Wang, L. Zhang, and B. Wang. 2022. Global-local integration for GNN-based anomalous device state detection in industrial control systems. Expert Systems with Applications 209 (2022), 118345. https://www.sciencedirect.com/science/article/pii/S0957417422014658?via%3Dihub

[25]

C. Markman, A. Wool, and A. A. Cardenas. 2017. A new burst-DFA model for SCADA anomaly detection. In Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy. 1–12.

Digital Library

[26]

A. Sankar, X. Zhang, and K. C. C. Chang. 2019. Meta-GNN: Metagraph neural network for semi-supervised learning in attributed heterogeneous information networks. In Proceedings of the 2019 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining. 137–144.

Digital Library

[27]

L. Shuaiyi, Kai Wang, Liren Zhang, and Bailing Wang. 2023. Process-Oriented heterogeneous graph learning in GNN-Based ICS anomalous pattern recognition. Pattern Recognition 141 (2023), 109661. https://www.sciencedirect.com/science/article/pii/S003132032300362X

Digital Library

[28]

J. Sinha and M. Manollas. 2020. Efficient deep CNN-BILSTM model for network intrusion detection. In Proceedings of the 2020 3rd International Conference on Artificial Intelligence and Pattern Recognition. 223–231.

Digital Library

[29]

H. M. Song and H. K. Kim. 2018. Can network intrusion datasets. http://ocslab.hksecurity.net/Datasets/car-hacking-dataset

[30]

Xiaoling Tao, Yang Peng, Feng Zhao, Peichao Zhao, and Yong Wang. 2018. A parallel algorithm for network traffic anomaly detection based on Isolation Forest. International Journal of Distributed Sensor Networks 14, 11 (2018), 1550147718814471.

[31]

Riccardo Taormina, Stefano Galelli, Nils Ole Tippenhauer, Elad Salomons, Avi Ostfeld, Demetrios G. Eliades, Mohsen Aghashahi, Raanju Sundararajan, Mohsen Pourahmadi, M. Katherine Banks, B. M. Brentan, M. Herrera, Amin Rasekh, Enrique Campbell, I. Montalvo, G. Lima, J. Izquierdo, Kelsey Haddad, Nikolaos Gatsis, Ahmad Taha, Saravanakumar Lakshmanan Somasundaram, D. Ayala-Cabrera, Sarin E. Chandy, Bruce Campbell, Pratim Biswas, Cynthia S. Lo, D. Manzi, E. Luvizotto, Jr, Zachary A. Barker, Marcio Giacomoni, M. Fayzul K. Pasha, M. Ehsan Shafiee, Ahmed A. Abokifa, Mashor Housh, Bijay Kc, and Ziv Ohar. 2018. The battle of the attack detection algorithms: Disclosing cyber attacks on water distribution networks. Journal of Water Resources Planning and Management 144, 8(2018), 04018048. DOI:

[32]

Maurras Ulbricht Togbe, Mariam Barry, Aliou Boly, Yousra Chabchoub, Raja Chiky, Jacob Montiel, and Vinh-Thuy Tran. 2020. Anomaly detection for data streams based on isolation forest using scikit-multiflow. In Proceedings of the International Conference on Computational Science and Its Applications. Springer, 15–30.

Digital Library

[33]

P. Veličković, G. Cucurull, A. Casanova, A. Romero, P. Lio, and Y. Bengio. 2017. Graph attention networks. arXiv:1710.10903. Retrieved from https://arxiv.org/abs/1710.10903

[34]

Y. Wang, J. Zhang, S. Guo, H. Yin, C. Li, and H. Chen. 2021. Decoupling representation learning and classification for gnn-based anomaly detection. In Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval. 1239–1248.

Digital Library

[35]

J. Yang, C. Zhou, Y. C. Tian, and S. H. Yang. 2019. A software-defined security approach for securing field zones in industrial control systems. IEEE Access 7 (2019), 87002–87016. https://ieeexplore.ieee.org/document/8744558

[36]

J. Zhang, S. Gan, X. Liu, and P. Zhu. 2016. Intrusion detection in SCADA systems by traffic periodicity and telemetry analysis. In Proceedings of the 2016 IEEE Symposium on Computers and Communication. IEEE, 318–325.

Cited By

Li XPeng JLi WSong ZDu X(2025)Generative adversarial local density-based unsupervised anomaly detectionPLOS ONE10.1371/journal.pone.031572120:1(e0315721)Online publication date: 24-Jan-2025
https://doi.org/10.1371/journal.pone.0315721
Chen LJiang HWang LLi JYu MShen YDu X(2025)Generative adversarial synthetic neighbors-based unsupervised anomaly detectionScientific Reports10.1038/s41598-024-84863-615:1Online publication date: 2-Jan-2025
https://doi.org/10.1038/s41598-024-84863-6
Alrumaih TAlenazi M(2024)CGAAD: Centrality- and Graph-Aware Deep-Learning Model for Detecting Cyberattacks Targeting Industrial Control Systems in Critical InfrastructureIEEE Internet of Things Journal10.1109/JIOT.2024.339069111:13(24162-24182)Online publication date: 1-Jul-2024
https://doi.org/10.1109/JIOT.2024.3390691

Index Terms

GNN-based Advanced Feature Integration for ICS Anomaly Detection

Recommendations

A hybrid behavior- and Bayesian network-based framework for cyber–physical anomaly detection
Abstract
In recent years, the increasing Internet connectivity and heterogeneity of industrial protocols have been raising the number and nature of cyber-attacks against Industrial Control Systems (ICS). Such cyber-attacks may lead to cyber anomalies and ...
Highlights
- Hybrid behavior- and Bayesian network-based cyber–physical anomaly detection.
- Hybrid anomaly detection framework based on both cyber and physical data from ICS.
- Identification of cyber, physical and cyber–physical anomalies in ICS.
Super Detector: An Ensemble Approach for Anomaly Detection in Industrial Control Systems
Critical Information Infrastructures Security
Abstract
Industrial Control Systems encompass supervisory systems (SCADA) and cyber-physical components (sensors/actuators), which are typically deployed in critical infrastructure to control physical processes. Their interconnectedness and controllability ...
Global-local integration for GNN-based anomalous device state detection in industrial control systems
Highlights
- A GNN-based method, named the GLIN, is proposed to detect anomalous ICS devices.
Abstract
Anomaly detection are gaining popularity among the research communities for its essential role in securing Industrial Control Systems (ICS). Over the decades, diverse approaches have been proposed to profile anomalous behaviours ...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Intelligent Systems and Technology

ACM Transactions on Intelligent Systems and Technology Volume 14, Issue 6

December 2023

493 pages

ISSN:2157-6904

EISSN:2157-6912

DOI:10.1145/3632517

Editor:
Huan Liu
Arizona State University, USA

Issue’s Table of Contents

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 November 2023

Online AM: 05 September 2023

Accepted: 21 August 2023

Revised: 27 June 2023

Received: 21 November 2022

Published in TIST Volume 14, Issue 6

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Key R&D Program of China
National Natural Science Foundation of China
Double First-Class Scientific Research Funds of HIT

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
540
Total Downloads

Downloads (Last 12 months)303
Downloads (Last 6 weeks)30

Reflects downloads up to 02 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Li XPeng JLi WSong ZDu X(2025)Generative adversarial local density-based unsupervised anomaly detectionPLOS ONE10.1371/journal.pone.031572120:1(e0315721)Online publication date: 24-Jan-2025
https://doi.org/10.1371/journal.pone.0315721
Chen LJiang HWang LLi JYu MShen YDu X(2025)Generative adversarial synthetic neighbors-based unsupervised anomaly detectionScientific Reports10.1038/s41598-024-84863-615:1Online publication date: 2-Jan-2025
https://doi.org/10.1038/s41598-024-84863-6
Alrumaih TAlenazi M(2024)CGAAD: Centrality- and Graph-Aware Deep-Learning Model for Detecting Cyberattacks Targeting Industrial Control Systems in Critical InfrastructureIEEE Internet of Things Journal10.1109/JIOT.2024.339069111:13(24162-24182)Online publication date: 1-Jul-2024
https://doi.org/10.1109/JIOT.2024.3390691

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Full Text

View this article in Full Text.

Figures

Tables

Media

View full text|Download PDF

View Issue’s Table of Contents