Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks
| Field | Value |
|---|---|
| Title | Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks |
| Publication Type | Conference Paper |
| Year of Publication | 2017 |
| Authors | Feng, C., Li, T., Chana, D. |
| Conference Name | 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) |
| ISBN Number | 978-1-5386-0542-4 |
| Keywords | anomaly detection, baseline signature database, Bloom filter, Bloom filters, communication patterns, control engineering computing, data structures, database management systems, Databases, Detectors, digital signatures, field devices, gas pipeline SCADA system, ICS Anomaly Detection, ICS networks, industrial control, industrial control systems, integrated circuits, Intrusion detection, learning (artificial intelligence), long short term memory networks, LSTM networks, multilevel anomaly detection method, network package content analysis, package content level anomaly detection, package signatures, package traffic, pattern classification, production engineering computing, Protocols, pubcrawl, recurrent neural nets, resilience, Resiliency, SCADA systems, Scalability, signature database, software packages, stacked long short term memory network-based softmax classifier, time series, time-series anomaly detection, time-series structure |
| Abstract | We outline an anomaly detection method for industrial control systems (ICS) that combines the analysis of network package contents that are transacted between ICS nodes and their time-series structure. Specifically, we take advantage of the predictable and regular nature of communication patterns that exist between so-called field devices in ICS networks. By observing a system for a period of time without the presence of anomalies, we develop a baseline signature database for general packages. A Bloom filter is used to store the signature database, which is then used for package content level anomaly detection. Furthermore, we approach time-series anomaly detection by proposing a stacked Long Short Term Memory (LSTM) network-based softmax classifier which learns to predict the most likely package signatures that are likely to occur given previously seen package traffic. Finally, by the inspection of a real dataset created from a gas pipeline SCADA system, we show that an anomaly detection scheme combining both approaches can achieve higher performance compared to various current state-of-the-art techniques. |
| URL | https://ieeexplore.ieee.org/document/8023128/ |
| DOI | 10.1109/DSN.2017.34 |
| Citation Key | feng_multi-level_2017 |