A Comparison of ICS Datasets for Security Research Based on Attack Paths

Yun

Lecture Notes in Computer Science

2020

Self Cite

This study proposes an anomaly detection method for operational data of industrial control systems (ICSs). Sequence-to-sequence neural networks were applied to train and predict ICS operational data and interpret their time-series characteristic. The proposed method requires only a normal dataset to understand ICS's normal state and detect outliers. This method was evaluated with SWaT (secure water treatment) dataset, and 29 out of 36 attacks were detected. The reported method also detects the attack points, and 25 out of 53 points were detected. This study provides a detailed analysis of false positives and false negatives of the experimental results.

“…List of detected attacks and comparison with [18]. Red (4,14,29) represents attacks that are impossible to detect. Yellow (24) represents attacks that are difficult to detect.…”

Section: Anomaly Detectionmentioning

confidence: 99%

“…False positives in process 2 The developed model for process 2 created eight false positives. In Table 6, pairs (1, 2), (4,5), and (6, 7) have the same related attacks. Therefore, there were five independent false positives, and four of them were true.…”

Section: Analysis On False Positives (False Alarms)mentioning

confidence: 99%

Anomaly Detection for Industrial Control Systems Using Sequence-to-Sequence Neural Networks

Yun

Lecture Notes in Computer Science

2020

Self Cite

“…The data recorded from the SIMULINK model of the APS imitates device logs recorded in a real ICS. The sampling rate for recording the dataset was set to be 1 sample/sec, a common criterion used in most of the publicly available datasets [21]. The physical system consists of sensors and actuators as shown in Fig.…”

Section: B Datasetmentioning

confidence: 99%

Discovering Data-Aware Mode-Switching Constraints to Monitor Mode-Switching Decisions in Supervisory Control

Hussain

Fidge

Foo

et al. 2022

IEEE Trans. Ind. Inf.

In a multimode industrial control system (ICS), mode switching decisions have to follow standard operating procedures which are set for the safety of the system based on the operating limitations of equipment. A rich literature can be found on monitoring multimode systems. However, that work is mainly focused on mode identification and monitoring anomalies in the process running under each mode. Instead, we present a datadriven method for monitoring the modes' switching constraints. This work is based on state-transition matrix and decisiontree methods to discover data-driven mode switching conditions. Moreover, our approach is not limited to only threshold based condition learning. To capture data trajectory based conditions we adopt a functional data descriptors method. In practical experiments, we showed that our approach can discover anomalous mode switching decisions which can't be discovered by previous multimode process monitoring methods.

“…Therefore, there is the need for new datasets with traffic taken from Operational Technology (OT) networks where hardware and software are used to monitor and control physical processes, devices and infrastructure [23]. Moreover, in addition to the network traffic, data taken from Programmable Logic Controllers (PLC) are necessary in order to inquire the effects of cyber and physical attacks against the physical plant [24].…”

Section: Introductionmentioning

confidence: 99%

A Hardware-in-the-Loop Water Distribution Testbed Dataset for Cyber-Physical Security Testing

Faramondi

Flammini

Guarino³

et al. 2021

IEEE Access

This paper presents a dataset to support researchers in the validation process of solutions such as Intrusion Detection Systems (IDS) based on artificial intelligence and machine learning techniques for the detection and categorization of threats in Cyber Physical Systems (CPS). To this end, data have been acquired from a hardware-in-the-loop Water Distribution Testbed (WDT) which emulates water flowing between eight tanks via solenoid-valves, pumps, pressure and flow sensors. The testbed is composed of a real subsystem which is virtually connected to a simulated one. The proposed dataset encompasses both physical and network data in order to highlight the consequences of attacks in the physical process as well as in network traffic behaviour. Simulations data are organized in four different acquisitions for a total duration of 2 hours by considering normal scenario and multiple anomalies due to cyber and physical attacks.