Biblio

Anomaly detection for devices (e.g, sensors and actuators) plays a crucial role in Industrial Control Systems (ICS) for security protection. The typical framework of deep learning-based anomaly detection includes a model to predict or reconstruct the state of devices and a detection mechanism to determine anomalies. The majority of anomaly detection methods use a fixed threshold detection mechanism to detect anomalous points. However, the anomalies caused by cyberattacks in ICSs are usually continuous anomaly segments. In this paper, we propose a novel detection mechanism to detect continuous anomaly segments. Its core idea is to determine the start and end times of anomalies based on the continuity characteristics of anomalies and the dynamics of error. We conducted experiments on the two real-world datasets for performance evaluation using five baselines. The F1 score increased by 3.8% on average in the SWAT dataset and increased by 15.6% in the WADI dataset. The results show a significant improvement in the performance of baselines using an error neighborhood-based continuity detection mechanism in a real-time manner.

Mobile Ad-Hoc Networks (MANETs) are prone to many security attacks. One such attack is the blackhole attack. This work proposes a simple and effective application layer based intrusion detection scheme in a MANET to detect blackholes. The proposed algorithm utilizes mobile agents (MA) and wtracert (modified version of Traceroute for MANET) to detect multiple black holes in a DSR protocol based MANET. Use of MAs ensure that no modifications need to be carried out in the underlying routing algorithms or other lower layers. Simulation results show successful detection of single and multiple blackhole nodes, using the proposed detection mechanism, across varying mobility speeds of the nodes.

The integration of physical systems with distributed embedded computing and communication devices offers advantages on reliability, efficiency, and maintenance. At the same time, these embedded computers are susceptible to cyber-attacks that can harm the performance of the physical system, or even drive the system to an unsafe state; therefore, it is necessary to deploy security mechanisms that are able to automatically detect, isolate, and respond to potential attacks. Detection and isolation mechanisms have been widely studied for different types of attacks; however, automatic response to attacks has attracted considerably less attention. Our goal in this paper is to identify trends and recent results on how to respond and reconfigure a system under attack, and to identify limitations and open problems. We have found two main types of attack protection: i) preventive, which identifies the vulnerabilities in a control system and then increases its resiliency by modifying either control parameters or the redundancy of devices; ii) reactive, which responds as soon as the attack is detected (e.g., modifying the non-compromised controller actions).