Visible to the public Multilayer Data-Driven Cyber-Attack Detection System for Industrial Control Systems Based on Network, System, and Process Data

TitleMultilayer Data-Driven Cyber-Attack Detection System for Industrial Control Systems Based on Network, System, and Process Data
Publication TypeJournal Article
Year of Publication2019
AuthorsZhang, Fan, Kodituwakku, Hansaka Angel Dias Edirisinghe, Hines, J. Wesley, Coble, Jamie
JournalIEEE Transactions on Industrial Informatics
Volume15
Pagination4362—4369
ISSN1941-0050
KeywordsAnalytical models, command injection attacks, composability, computer network security, computer security, cyber attack, cyber threats, cyber-attack detection, Cyber-physical systems, data diodes, Data Exfiltration, Data models, data-driven monitoring, defense-in-depth, DoS attacks, early attack detection, false data injection attacks, host system data, industrial control, Industrial Control System (ICS), industrial control systems, Informatics, integrated circuits, intrusion detection results, Malware, Metrics, Monitoring, motivated attackers, multiple-layer data-driven cyber-attack detection system, network data, network traffic data, physical system, physically impactful cyber attacks, pubcrawl, regression analysis, resilience, Resiliency
AbstractThe growing number of attacks against cyber-physical systems in recent years elevates the concern for cybersecurity of industrial control systems (ICSs). The current efforts of ICS cybersecurity are mainly based on firewalls, data diodes, and other methods of intrusion prevention, which may not be sufficient for growing cyber threats from motivated attackers. To enhance the cybersecurity of ICS, a cyber-attack detection system built on the concept of defense-in-depth is developed utilizing network traffic data, host system data, and measured process parameters. This attack detection system provides multiple-layer defense in order to gain the defenders precious time before unrecoverable consequences occur in the physical system. The data used for demonstrating the proposed detection system are from a real-time ICS testbed. Five attacks, including man in the middle (MITM), denial of service (DoS), data exfiltration, data tampering, and false data injection, are carried out to simulate the consequences of cyber attack and generate data for building data-driven detection models. Four classical classification models based on network data and host system data are studied, including k-nearest neighbor (KNN), decision tree, bootstrap aggregating (bagging), and random forest (RF), to provide a secondary line of defense of cyber-attack detection in the event that the intrusion prevention layer fails. Intrusion detection results suggest that KNN, bagging, and RF have low missed alarm and false alarm rates for MITM and DoS attacks, providing accurate and reliable detection of these cyber attacks. Cyber attacks that may not be detectable by monitoring network and host system data, such as command tampering and false data injection attacks by an insider, are monitored for by traditional process monitoring protocols. In the proposed detection system, an auto-associative kernel regression model is studied to strengthen early attack detection. The result shows that this approach detects physically impactful cyber attacks before significant consequences occur. The proposed multiple-layer data-driven cyber-attack detection system utilizing network, system, and process data is a promising solution for safeguarding an ICS.
DOI10.1109/TII.2019.2891261
Citation Keyzhang_multilayer_2019