A Statistical Analysis Framework for ICS Process Datasets

Turrin, Federico; Erba, Alessandro; Tippenhauer, Nils Ole; Conti, Mauro

doi:10.1145/3411498.3419961

Cited by 10 publications

(11 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Data are provided in different csv, xlsx, and pcap formats. As reported in [240], the various SWAT releases are very different from the operational point of view, also implementing different actuators control logic. It makes it difficult to transfer the detection framework among the dataset releases.…”

Section: F Physical and Network Levelsmentioning

confidence: 99%

“…Exhaustive documentation should include the system's control logic, a description of the implemented attacks, and the configuration settings. In the SWaT case, as reported in [240], the recent versions of the dataset implement different control logic. However, the authors never mentioned such modifications.…”

Section: B Good Practices: Datasetmentioning

confidence: 99%

“…Domain Shift. A common problem in a dataset is the socalled Domain Shift, i.e., the difference between the training entries and the testing data [207], [240]. To support researchers and IDS development, datasets should be released with complete documentation explaining the system's initial state.…”

Section: B Good Practices: Datasetmentioning

confidence: 99%

See 2 more Smart Citations

A Survey on Industrial Control System Testbeds and Datasets for Security Research

Conti,

Donadel,

Turrin

2021

Preprint

Self Cite

View full text Add to dashboard Cite

The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damages. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, Academia, Industry, and Government are increasingly proposing testbed (i.e., scaled-down versions of ICSs or simulations) to test the performances of the IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-bydesign concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community.In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in state of the art for this field. Finally, driven by knowledge accumulated during this survey's development, we report advice and good practices on the development, the choice, and the utilization of testbeds, datasets, and IDSs.

show abstract

Section: F Physical and Network Levelsmentioning

confidence: 99%

Section: B Good Practices: Datasetmentioning

confidence: 99%

See 1 more Smart Citation

A Survey on Industrial Control System Testbeds and Datasets for Security Research

Conti,

Donadel,

Turrin

2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…To analyze the ability of existing IIDSs to detect unseen sensor spoofing attacks, the only reproducibility study (considering only model-free state process-based IIDSs) known to us [35] shows significant differences between expected (claimed) generalizability and reality. These works, in addition to issues with widely-used datasets [108], motivate us to quantify these problems and ultimately mitigate them through protocol independence.…”

Section: Further Related Workmentioning

confidence: 99%

“…Moreover, the use of only a few datasets per domain (e.g., SWaT [48]) together with many private ones steers the collective research efforts in a direction where solutions are optimized and biased towards specific scenarios. This problem is already known for traditional IDSs [89] but is even more severe in industrial settings, where systems expose very narrow yet domain-specific behavior [107].…”

Section: Limitations Of Current Iids Researchmentioning

confidence: 99%

Facilitating Protocol-independent Industrial Intrusion Detection Systems

Wolsing

Wagner

Henze

2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

The increasing interconnection of industrial networks with the Internet exposes them to an ever-growing risk of cyberattacks. A well-proven mechanism to detect such attacks is industrial intrusion detection, which searches for anomalies in otherwise predictable communication or process behavior. However, efforts to improve these detection methods mostly focus on specific domains and communication protocols, leading to a research landscape that is broken up into isolated silos. Thus, existing approaches cannot be applied to other industrial scenarios that would equally benefit from powerful detection approaches. To better understand this issue, we survey 53 detection systems and conclude that there is no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenario in theory. To unlock this potential for intrusion detection across industrial domains and protocols, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial communication protocols. We show the practical applicability and correctness of IPAL through a reproducibility study in which we re-implement eight detection approaches from related work on top of IPAL. Finally, we showcase the unique benefits of IPAL for industrial intrusion detection research by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols.

show abstract