A scalable specification-agnostic multi-sensor anomaly detection system for IIoT environments

Aoudi, Wissam; Almgren, Magnus

doi:10.1016/j.ijcip.2020.100377

Cited by 19 publications

(10 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A process-level IDS is categorised in two categories, the univariate (independent IDS for each sensor variables) [9], [28], [29], [36] and multivariate (an IDS model takes input from the multiple sensor variables) [31], [32], [33], [37], [21], [34], [35], [38]. In [39], the authors developed a PLC rootkit that can corrupt the communication route between sensors and SCADA.…”

Section: Related Workmentioning

confidence: 99%

EPASAD: Ellipsoid decision boundary based Process-Aware Stealthy Attack Detector

Maurya¹,

Agarwal²,

Kumar³

et al. 2022

Preprint

View full text Add to dashboard Cite

Due to the importance of Critical Infrastructure (CI) in a nation's economy, they have been lucrative targets for cyber attackers. These critical infrastructures are usually Cyber-Physical Systems (CPS) such as power grids, water, and sewage treatment facilities, oil and gas pipelines, etc. In recent times, these systems have suffered from cyber attacks numerous times. Researchers have been developing cyber security solutions for CIs to avoid lasting damages. According to standard frameworks, cyber security based on identification, protection, detection, response, and recovery are at the core of these research. Detection of an ongoing attack that escapes standard protection such as firewall, anti-virus, and host/network intrusion detection has gained importance as such attacks eventually affect the physical dynamics of the system. Therefore, anomaly detection in physical dynamics proves an effective means to implement defense-in-depth. PASAD is one example of anomaly detection in the sensor/actuator data, representing such systems' physical dynamics. We present EPASAD, which improves the detection technique used in PASAD to detect these micro-stealthy attacks, as our experiments show that PASAD's spherical boundary-based detection fails to detect. Our method EPASAD overcomes this by using Ellipsoid boundaries, thereby tightening the boundaries in various dimensions, whereas a spherical boundary treats all dimensions equally. We validate EPASAD using the dataset produced by the TE-process simulator and the C-town datasets. The results show that EPASAD improves PASAD's average recall by 5.8% and 9.5% for the two datasets, respectively.

show abstract

Section: Related Workmentioning

confidence: 99%

EPASAD: Ellipsoid decision boundary based Process-Aware Stealthy Attack Detector

Maurya¹,

Agarwal²,

Kumar³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Spectra is rooted in singular spectrum analysis (SSA), a time-series analysis technique mainly used to explore different behavioral characteristics of a dynamical system purely from noisy time series of measurements [5,14,15,35]. Inherently, SSA can extract essential signal information describing the deterministic behavior of the underlying system and has recently been used for anomaly detection in cyber-physical systems [1][2][3][4]17]. Spectra takes as input a time series of CAN-message payloads and works in two phases: an offline learning phase and an online detection phase.…”

Section: Spectral Analysis Of Can Trafficmentioning

confidence: 99%

Spectra

Aoudi

Nowdehi

Almgren

et al. 2021

Proceedings of the 36th Annual ACM Symposium on Applied Computing

Self Cite

View full text Add to dashboard Cite

Nowadays, vehicles have complex in-vehicle networks that have recently been shown to be increasingly vulnerable to cyber-attacks capable of taking control of the vehicles, thereby threatening the safety of the passengers. Several countermeasures have been proposed in the literature in response to the arising threats, however, hurdle requirements imposed by the industry is hindering their adoption in practice. In this paper, we propose spectra, a datadriven anomaly-detection mechanism that is based on spectral analysis of CAN-message payloads. Spectra does not abide by the strict specifications predefined for every vehicle model and addresses key real-world deployability challenges.

show abstract

“…Rarely, such IIDSs use additional packet features, e.g., packet sizes or checksums for their classification. Still, none of the approaches takes advantage of protocol-specific information or behavior, such that, in theory, the various approaches could be [23] 2015 DTMC S B 1 EtherNet/IP Ahmed et al [6] 2017 Kalman Filter S B 1 -PASAD [15,16] 2018 PCA S B S T 3 Modbus EtherNet/IP Choi et al [28] 2018 Control Invariants S B 1 -Myers et al [85] 2018 Petri-nets S B 1 S7 Kravchik et al [73] 2018 Neural Networks S B 1 EtherNet/IP TABOR [79] 2018 TA, BN S B S 1 EtherNet/IP Anton et al [14] 2019 Matrix Profiles S B S 1 EtherNet/IP HybTester [25] 2019 Hybrid-Automata S B S 1 EtherNet/IP Kim et al [66] 2019 Neural Networks S B S 1 EtherNet/IP Denque Anton [12] 2020 Table 1: Our analysis of the potential for realizing protocol-independent IIDSs relies on a survey of 53 intrusion detection approaches confirming the heterogeneity across the industrial research landscape. While IIDSs operate on few information types, they are mostly developed in isolated silos and seldomly compare to other existing research.…”

Section: Communication-based Intrusion Detectionmentioning

confidence: 99%

Facilitating Protocol-independent Industrial Intrusion Detection Systems

Wolsing

Wagner

Henze

2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

The increasing interconnection of industrial networks with the Internet exposes them to an ever-growing risk of cyberattacks. A well-proven mechanism to detect such attacks is industrial intrusion detection, which searches for anomalies in otherwise predictable communication or process behavior. However, efforts to improve these detection methods mostly focus on specific domains and communication protocols, leading to a research landscape that is broken up into isolated silos. Thus, existing approaches cannot be applied to other industrial scenarios that would equally benefit from powerful detection approaches. To better understand this issue, we survey 53 detection systems and conclude that there is no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenario in theory. To unlock this potential for intrusion detection across industrial domains and protocols, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial communication protocols. We show the practical applicability and correctness of IPAL through a reproducibility study in which we re-implement eight detection approaches from related work on top of IPAL. Finally, we showcase the unique benefits of IPAL for industrial intrusion detection research by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols.

show abstract

A scalable specification-agnostic multi-sensor anomaly detection system for IIoT environments

Cited by 19 publications

References 21 publications

EPASAD: Ellipsoid decision boundary based Process-Aware Stealthy Attack Detector

EPASAD: Ellipsoid decision boundary based Process-Aware Stealthy Attack Detector

Spectra

Facilitating Protocol-independent Industrial Intrusion Detection Systems

Contact Info

Product

Resources

About