Title | Anomaly Detection based on Robust Spatial-temporal Modeling for Industrial Control Systems |
Publication Type | Conference Paper |
Year of Publication | 2022 |
Authors | Li, Shijie, Liu, Junjiao, Pan, Zhiwen, Lv, Shichao, Si, Shuaizong, Sun, Limin |
Conference Name | 2022 IEEE 19th International Conference on Mobile Ad Hoc and Smart Systems (MASS) |
Keywords | Analytical models, anomaly detection, Correlation, cyber physical systems, Data models, ICS Anomaly Detection, industrial control systems, Intrusion detection, Intrusion Detection Systems, machine learning, Predictive models, pubcrawl, resilience, Resiliency, Robustness, Scalability, security |
Abstract | Industrial Control Systems (ICS) are increasingly facing the threat of False Data Injection (FDI) attacks. As an emerging intrusion detection scheme for ICS, process-based Intrusion Detection Systems (IDS) can effectively detect the anomalies caused by FDI attacks. Specifically, such an IDS establishes an anomaly detection model that can describe the normal pattern of industrial processes, then performs real-time anomaly detection on industrial process data. However, this method suffers from low detection accuracy due to the complexity and instability of industrial processes. That is, the process data inherently contains sophisticated nonlinear spatial-temporal correlations that are hard for an anomaly detection model to describe explicitly. In addition, the noise and disturbance in process data prevent the IDS from distinguishing the real anomaly events. In this paper, we propose an Anomaly Detection approach based on Robust Spatial-temporal Modeling (AD-RoSM). Concretely, to explicitly describe the spatial-temporal correlations within the process data, a neural-based state estimation model is proposed that uses a 1D CNN for temporal modeling and a multi-head self-attention mechanism for spatial modeling. To perform robust anomaly detection in the presence of noise and disturbance, a composite anomaly discrimination model is designed so that the outputs of the state estimation model can be analyzed with a combination of a threshold strategy and an entropy-based strategy. We conducted extensive experiments on two benchmark ICS security datasets to demonstrate the effectiveness of our approach. |
DOI | 10.1109/MASS56207.2022.00058 |
Citation Key | li_anomaly_2022 |