Biblio

In recent years, generative adversarial networks (GAN) have become a research hotspot in the field of deep learning. Researchers apply them to the field of anomaly detection and are committed to effectively and accurately identifying abnormal images in practical applications. In anomaly detection, traditional supervised learning algorithms have limitations in training with a large number of known labeled samples. Therefore, the anomaly detection model of unsupervised learning GAN is the research object for discussion and research. Firstly, the basic principles of GAN are introduced. Secondly, several typical GAN-based anomaly detection models are sorted out in detail. Then by comparing the similarities and differences of each derivative model, discuss and summarize their respective advantages, limitations and application scenarios. Finally, the problems and challenges faced by GAN in anomaly detection are discussed, and future research directions are prospected.

In control systems, the operation of the system after an incident occurs is important. This paper proposes to design a whitelist model that can detect anomalies and identify locations of anomalous actuators using finite automata during multiple actuators attack. By applying this model and comparing the whitelist model with the operation data, the monitoring system detects anomalies and identifies anomaly locations of actuator that deviate from normal operation. We propose to construct a whitelist model focusing on the order of the control system operation using binary search trees, which can grasp the state of the system when anomalies occur. We also apply combinatorial compression based on BDD (Binary Decision Diagram) to the model to speed up querying and identification of abnormalities. Based on the model designed in this study, we aim to construct a secured control system that selects and executes an appropriate fallback operation based on the state of the system when anomaly is detected.

Industrial Control Systems (ICS) are increasingly facing the threat of False Data Injection (FDI) attacks. As an emerging intrusion detection scheme for ICS, process-based Intrusion Detection Systems (IDS) can effectively detect the anomalies caused by FDI attacks. Specifically, such IDS establishes anomaly detection model which can describe the normal pattern of industrial processes, then perform real-time anomaly detection on industrial process data. However, this method suffers low detection accuracy due to the complexity and instability of industrial processes. That is, the process data inherently contains sophisticated nonlinear spatial-temporal correlations which are hard to be explicitly described by anomaly detection model. In addition, the noise and disturbance in process data prevent the IDS from distinguishing the real anomaly events. In this paper, we propose an Anomaly Detection approach based on Robust Spatial-temporal Modeling (AD-RoSM). Concretely, to explicitly describe the spatial-temporal correlations within the process data, a neural based state estimation model is proposed by utilizing 1D CNN for temporal modeling and multi-head self attention mechanism for spatial modeling. To perform robust anomaly detection in the presence of noise and disturbance, a composite anomaly discrimination model is designed so that the outputs of the state estimation model can be analyzed with a combination of threshold strategy and entropy-based strategy. We conducted extensive experiments on two benchmark ICS security datasets to demonstrate the effectiveness of our approach.

Smart grid is the next generation for power generation, consumption and distribution. However, with the introduction of smart communication in such sensitive components, major risks from cybersecurity perspective quickly emerged. This survey reviews and reports on the state-of-the-art techniques for detecting cyber attacks in smart grids, mainly through machine learning techniques.

Industrial Control Systems (ICS) are not secure by design–with recent developments requiring them to connect to the Internet, they tend to be highly vulnerable. Additionally, attacks on critical infrastructures such as power grids and nuclear plants can cause significant damage and loss of lives. Since such attacks tend to generate anomalies in the systems, an efficient way of attack detection is to monitor the systems and identify anomalies in real-time. An automated anomaly detection tool is introduced in this paper. Additionally, the functioning of the systems is viewed as Finite State Automata. Specific sensor measurements are used to determine permissible transitions, and statistical measures such as the Interquartile Range are used to determine acceptable boundaries for the remaining sensor measurements provided by the system. Deviations from the boundaries or permissible transitions are considered as anomalies. An additional feature is the provision of a finite state automata diagram that provides the operational constraints of a system, given a set of regulated input. This tool showed a high anomaly detection rate when tested with three types of ICS. The concepts are also benchmarked against a state-of-the-art anomaly detection algorithm called Isolation Forest, and the results are provided.

As cyber-physical systems are becoming more wide spread, it is imperative to secure these systems. In the real world these systems produce large amounts of data. However, it is generally impractical to test security techniques on operational cyber-physical systems. Thus, there exists a need to have realistic systems and data for testing security of cyber-physical systems [1]. This is often done in testbeds and cyber ranges. Most cyber ranges and testbeds focus on traditional network systems and few incorporate cyber-physical components. When they do, the cyber-physical components are often simulated. In the systems that incorporate cyber-physical components, generally only the network data is analyzed for attack detection and diagnosis. While there is some study in using physical signals to detect and diagnosis attacks, this data is not incorporated into current testbeds and cyber ranges. This study surveys currents testbeds and cyber ranges and demonstrates a prototype testbed that includes cyber-physical components and sensor data in addition to traditional cyber data monitoring.

Anomaly detection for devices (e.g, sensors and actuators) plays a crucial role in Industrial Control Systems (ICS) for security protection. The typical framework of deep learning-based anomaly detection includes a model to predict or reconstruct the state of devices and a detection mechanism to determine anomalies. The majority of anomaly detection methods use a fixed threshold detection mechanism to detect anomalous points. However, the anomalies caused by cyberattacks in ICSs are usually continuous anomaly segments. In this paper, we propose a novel detection mechanism to detect continuous anomaly segments. Its core idea is to determine the start and end times of anomalies based on the continuity characteristics of anomalies and the dynamics of error. We conducted experiments on the two real-world datasets for performance evaluation using five baselines. The F1 score increased by 3.8% on average in the SWAT dataset and increased by 15.6% in the WADI dataset. The results show a significant improvement in the performance of baselines using an error neighborhood-based continuity detection mechanism in a real-time manner.

Memory-based vulnerabilities are becoming more and more common in low-power and low-cost devices in IOT. We study several low-level vulnerabilities that lead to memory corruption in C and C++ programs, and how to use stack corruption and format string attack to exploit these vulnerabilities. Automatic methods for resisting memory attacks, such as stack canary and address space layout randomization ASLR, are studied. These methods do not need to change the source program. However, a return-oriented programming (ROP) technology can bypass them. Control flow integrity (CFI) can resist the destruction of ROP technology. In fact, the security design is holistic. Finally, we summarize the rules of security coding in embedded devices, and propose two novel methods of software anomaly detection process for IOT devices in the future.

A malicious insider threat is more vulnerable to an organization. It is necessary to detect the malicious insider because of its huge impact to an organization. The occurrence of a malicious insider threat is less but quite destructive. So, the major focus of this paper is to detect the malicious insider threat in an organization. The traditional insider threat detection algorithm is not suitable for real time insider threat detection. A supervised learning-based anomaly detection technique is used to classify, predict and detect the malicious and non-malicious activity based on highest level of anomaly score. In this paper, a framework is proposed to detect the malicious insider threat using supervised learning-based anomaly detection. It is used to detect the malicious insider threat activity using One-Class Support Vector Machine (OCSVM). The experimental results shows that the proposed framework using OCSVM performs well and detects the malicious insider who obtain huge anomaly score than a normal user.

Recent years have witnessed a surge in ransomware attacks. Especially, many a new variant of ransomware has continued to emerge, employing more advanced techniques distributing the payload while avoiding detection. This renders the traditional static ransomware detection mechanism ineffective. In this paper, we present our Hardware Anomaly Realtime Detection - Lightweight (HARD-Lite) framework that employs semi-supervised machine learning method to detect ransomware using low-level hardware information. By using an LSTM network with a weighted majority voting ensemble and exponential moving average, we are able to take into consideration the temporal aspect of hardware-level information formed as time series in order to detect deviation in system behavior, thereby increasing the detection accuracy whilst reducing the number of false positives. Testing against various ransomware across multiple families, HARD-Lite has demonstrated remarkable effectiveness, detecting all cases tested successfully. What's more, with a hierarchical design that distributing the classifier from the user machine that is under monitoring to a server machine, Hard-Lite enables good scalability as well.

Existing anomaly detection models show success in detecting abnormal images with generative adversarial networks on the insufficient annotation of anomalous samples. However, existing models cannot accurately identify the anomaly samples which are close to the normal samples. We assume that the main reason is that these methods ignore the diversity of patterns in normal samples. To alleviate the above issue, this paper proposes a novel anomaly detection framework based on generative adversarial network, called ADe-GAN. More concretely, we construct a self-supervised learning task to fully explore the pattern information and latent representations of input images. In model inferring stage, we design a new abnormality score approach by jointly considering the pattern information and reconstruction errors to improve the performance of anomaly detection. Extensive experiments show that the ADe-GAN outperforms the state-of-the-art methods over several real-world datasets.

The development of industrial automation tools and the integration of industrial and corporate networks in order to improve the quality of production management have led to an increase in the risks of successful cyberattacks and, as a result, to the necessity to solve the problems of practical information security of industrial control systems (ICS). Detection of cyberattacks of both known and unknown types is could be implemented as anomaly detection in dynamic information processes recorded during the operation of ICS. Anomaly detection methods do not require preliminary analysis and labeling of the training sample. In the context of detecting attacks on ICS, cluster analysis is used as one of the methods that implement anomaly detection. The application of hierarchical cluster analysis for clustering data of ICS information processes exposed to various cyberattacks is studied, the problem of choosing the level of the cluster hierarchy corresponding to the minimum set of clusters aggregating separately normal and abnormal data is solved. It is shown that the Ward method of hierarchical cluster division produces the best division into clusters. The next stage of the study involves solving the problem of classifying the formed minimum set of clusters, that is, determining which cluster is normal and which cluster is abnormal.

Network attacks become more complicated with the improvement of technology. Traditional statistical methods may be insufficient in detecting constantly evolving network attack. For this reason, the usage of payload-based deep packet inspection methods is very significant in detecting attack flows before they damage the system. In the proposed method, features are extracted from the byte distributions in the payload and these features are provided to characterize the flows more deeply by using N-Gram analysis methods. The proposed procedure has been tested on IDS 2012 and 2017 datasets, which are widely used in the literature.

In recent years, the design of anomaly detectors has attracted a tremendous surge of interest due to security issues in industrial control systems (ICS). Restricted by hardware resources, most anomaly detectors can only be deployed at the remote monitoring ends, far away from the control sites, which brings potential threats to anomaly detection. In this paper, we propose an active real-time anomaly detection framework deployed in the controller of OpenPLC, which is a standardized open-source PLC and has high scalability. Specifically, we add adaptive active noises to control signals, and then identify a linear dynamic system model of the plant offline and implement it in the controller. Finally, we design two filters to process the estimated residuals based on the obtained model and use χ2 detector for anomaly detection. Extensive experiments are conducted on an industrial control virtual platform to show the effectiveness of the proposed detection framework.

Distributed ledger technologies (DLTs) based on Directed Acyclic Graphs (DAGs) have been gaining much attention due to their performance advantage over the traditional blockchain. IOTA is an example of DAG-based DLT that has shown its significance in the Internet of Things (IoT) environment. Despite that, IOTA is vulnerable to double-spend attacks, which threaten the immutability of the ledger. In this paper, we propose an efficient yet simple method for detecting a parasite chain, which is one form of attempting a double-spend attack in the IOTA network. In our method, a score function measuring the importance of each transaction in the IOTA network is employed. Any abrupt change in the importance of a transaction is reflected in the 1st and 2nd order derivatives of this score function, and therefore used in the calculation of an anomaly score. Due to how the score function is formulated, this anomaly score can be used in the detection of a particular type of parasite chain, characterized by sudden changes in the in-degree of a transaction in the IOTA graph. The experimental results demonstrate that the proposed method is accurate and linearly scalable in the number of edges in the network.

Bitcoin P2P networking is especially vulnerable to networking threats because it is permissionless and does not have the security protections based on the trust in identities, which enables the attackers to manipulate the identities for Sybil and spoofing attacks. The Bitcoin node keeps track of its peer’s networking misbehaviors through ban scores. In this paper, we investigate the security problems of the ban-score mechanism and discover that the ban score is not only ineffective against the Bitcoin Message-based DoS (BM-DoS) attacks but also vulnerable to the Defamation attack as the network adversary can exploit the ban score to defame innocent peers. To defend against these threats, we design an anomaly detection approach that is effective, lightweight, and tailored to the networking threats exploiting Bitcoin’s ban-score mechanism. We prototype our threat discoveries against a real-world Bitcoin node connected to the Bitcoin Mainnet and conduct experiments based on the prototype implementation. The experimental results show that the attacks have devastating impacts on the targeted victim while being cost-effective on the attacker side. For example, an attacker can ban a peer in two milliseconds and reduce the victim’s mining rate by hundreds of thousands of hash computations per second. Furthermore, to counter the threats, we empirically validate our detection countermeasure’s effectiveness and performances against the BM-DoS and Defamation attacks.

Recently, hardware Trojan has become a serious security concern in the integrated circuit (IC) industry. Due to the globalization of semiconductor design and fabrication processes, ICs are highly vulnerable to hardware Trojan insertion by malicious third-party vendors. Therefore, the development of effective hardware Trojan detection techniques is necessary. Testability measures have been proven to be efficient features for Trojan nets classification. However, most of the existing machine-learning-based techniques use supervised learning methods, which involve time-consuming training processes, need to deal with the class imbalance problem, and are not pragmatic in real-world situations. Furthermore, no works have explored the use of anomaly detection for hardware Trojan detection tasks. This paper proposes a semi-supervised hardware Trojan detection method at the gate level using anomaly detection. We ameliorate the existing computation of the Sandia Controllability/Observability Analysis Program (SCOAP) values by considering all types of D flip-flops and adopt semi-supervised anomaly detection techniques to detect Trojan nets. Finally, a novel topology-based location analysis is utilized to improve the detection performance. Testing on 17 Trust-Hub Trojan benchmarks, the proposed method achieves an overall 99.47% true positive rate (TPR), 99.99% true negative rate (TNR), and 99.99% accuracy.

Recent approaches have proven the effectiveness of local outlier factor-based outlier detection when applied over traffic flow probability distributions. However, these approaches used distance metrics based on the Bhattacharyya coefficient when calculating probability distribution similarity. Consequently, the limited expressiveness of the Bhattacharyya coefficient restricted the accuracy of the methods. The crucial deficiency of the Bhattacharyya distance metric is its inability to compare distributions with non-overlapping sample spaces over the domain of natural numbers. Traffic flow intensity varies greatly, which results in numerous non-overlapping sample spaces, rendering metrics based on the Bhattacharyya coefficient inappropriate. In this work, we address this issue by exploring alternative distance metrics and showing their applicability in a massive real-life traffic flow data set from 26 vital intersections in The Hague. The results on these data collected from 272 sensors for more than two years show various advantages of the Earth Mover's distance both in effectiveness and efficiency.

Cyber Physical Systems (CPS), which contain devices to aid with physical infrastructure activities, comprise sensors, actuators, control units, and physical objects. CPS sends messages to physical devices to carry out computational operations. CPS mainly deals with the interplay among cyber and physical environments. The real-time network data acquired and collected in physical space is stored there, and the connection becomes sophisticated. CPS incorporates cyber and physical technologies at all phases. Cyber Physical Systems are a crucial component of Internet of Things (IoT) technology. The CPS is a traditional concept that brings together the physical and digital worlds inhabit. Nevertheless, CPS has several difficulties that are likely to jeopardise our lives immediately, while the CPS's numerous levels are all tied to an immediate threat, therefore necessitating a look at CPS security. Due to the inclusion of IoT devices in a wide variety of applications, the security and privacy of users are key considerations. The rising level of cyber threats has left current security and privacy procedures insufficient. As a result, hackers can treat every person on the Internet as a product. Deep Learning (DL) methods are therefore utilised to provide accurate outputs from big complex databases where the outputs generated can be used to forecast and discover vulnerabilities in IoT systems that handles medical data. Cyber-physical systems need anomaly detection to be secure. However, the rising sophistication of CPSs and more complex attacks means that typical anomaly detection approaches are unsuitable for addressing these difficulties since they are simply overwhelmed by the volume of data and the necessity for domain-specific knowledge. The various attacks like DoS, DDoS need to be avoided that impact the network performance. In this paper, an effective Network Cluster Reliability Model with enhanced security and privacy levels for the data in IoT for Anomaly Detection (NSRM-AD) using deep learning model is proposed. The security levels of the proposed model are contrasted with the proposed model and the results represent that the proposed model performance is accurate

One of the biggest studies on public safety and tracking that has sparked a lot of interest in recent years is deep learning approach. Current public safety methods are existent for counting and detecting persons. But many issues such as aberrant occurring in public spaces are seldom detected and reported to raise an automated alarm. Our proposed method detects anomalies (deviation from normal events) from the video surveillance footages using deep learning and raises an alarm, if anomaly is found. The proposed model is trained to detect anomalies and then it is applied to the video recording of the surveillance that is used to monitor public safety. Then the video is assessed frame by frame to detect anomaly and then if there is match, an alarm is raised.

Industrial control systems (ICSs) have become more complex due to their increasing connectivity, heterogeneity and, autonomy. As a result, cyber-threats against such systems have been significantly increased as well. Since a compromised industrial system can easily lead to hazardous safety and security consequences, it is crucial to develop security countermeasures to protect coexisting IT systems and industrial physical processes being involved in modern ICSs. Accordingly, in this study, we propose a deep learning-based semantic anomaly detection framework to model the complex behavior of ICSs. In contrast to the related work assuming only simpler security threats targeting individual controllers in an ICS, we address multi-PLC attacks that are harder to detect as requiring to observe the overall system state alongside single-PLC attacks. Using industrial simulation and emulation frameworks, we create a realistic setup representing both the production and networking aspects of industrial systems and conduct some potential attacks. Our experimental results indicate that our model can detect single-PLC attacks with 95% accuracy and multi-PLC attacks with 80% accuracy and nearly 1% false positive rate.

The research try to implements an intelligent network operation management system for enterprise networks. First, based on Flask-state software architecture, the system adapt to Phytium CPU and Galaxy Kylin operating system successfully. Second, using the Isolation Forest algorithm, the system implements the anomaly detection of host data such as CPU usage. Third, using the Holt-winters seasonal prediction model, the system can predict time series data such as network I/O. The results show that the system can realizes anomaly detection and time series data prediction more precisely and intelligently.

Anomaly detection has been considered under several extents of prior knowledge. Unsupervised methods do not require any labelled data, whereas semi-supervised methods leverage some known anomalies. Inspired by mixture-of-experts models and the analysis of the hidden activations of neural networks, we introduce a novel data-driven anomaly detection method called ARGUE. Our method is not only applicable to unsupervised and semi-supervised environments, but also profits from prior knowledge of self-supervised settings. We designed ARGUE as a combination of dedicated expert networks, which specialise on parts of the input data. For its final decision, ARGUE fuses the distributed knowledge across the expert systems using a gated mixture-of-experts architecture. Our evaluation motivates that prior knowledge about the normal data distribution may be as valuable as known anomalies.

Security attacks on sensor data can deceive a control system and force the physical plant to reach an unwanted and potentially dangerous state. Therefore, attack detection mechanisms are employed in cyber-physical control systems to detect ongoing attacks, the most prominent one being a threshold-based anomaly detection method called CUSUM. Literature defines the maximum impact of stealth attacks as the maximum deviation in the plant’s state that an undetectable attack can introduce, and formulates it as an optimization problem. This paper proposes an optimization-based attack with different saturation models, and it investigates how the attack duration significantly affects the impact of the attack on the state of the plant. We show that more dangerous attacks can be discovered when allowing saturation of the control system actuators. The proposed approach is compared with the geometric attack, showing how longer attack durations can lead to a greater impact of the attack while keeping the attack stealthy.

An Industrial Control System (ICS) is essential in monitoring and controlling critical infrastructures such as safety and security. Internet of Things (IoT) in ICSs allows cyber-criminals to utilize systems' vulnerabilities towards deploying cyber-attacks. To distinguish risks and keep an eye on malicious activity in networking systems, An Intrusion Detection System (IDS) is essential. IDS shall be used by system admins to identify unwanted accesses by attackers in various industries. It is now a necessary component of each organization's security governance. The main objective of this intended work is to establish a deep learning-depended intrusion detection system that can quickly identify intrusions and other unwanted behaviors that have the potential to interfere with networking systems. The work in this paper uses One Hot encoder for preprocessing and the Auto encoder for feature extraction. On KDD99 CUP, a data - set for network intruding, we categorize the normal and abnormal data applying a Deep Convolutional Neural Network (DCNN), a deep learning-based methodology. The experimental findings demonstrate that, in comparison with SVM linear Kernel model, SVM RBF Kernel model, the suggested deep learning model operates better.