AADS: A Noise-Robust Anomaly Detection Framework for Industrial Control Systems

Abdelaty, Maged; Doriguzzi-Corin, Roberto; Siracusa, Domenico

doi:10.1007/978-3-030-41579-2_4

Cited by 10 publications

(8 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Convolutional Neural Networks (CNNs), a specific DL technique, have grown in popularity in recent times leading to major innovations in computer vision [6]- [8] and Natural Language Processing [9], as well as various niche areas such as protein binding prediction [10], [11], machine vibration analysis [12] and medical signal processing [13]. Whilst their use is still under-researched in cybersecurity generally, the application of CNNs has advanced the state-of-the-art in certain specific scenarios such as malware detection [14]- [17], code analysis [18], network traffic analysis [4], [19]- [21] and intrusion detection in industrial control systems [22]. These successes, combined with the benefits of CNN with respect to reduced feature engineering and high detection accuracy, motivate us to employ CNNs in our work.…”

Section: Introductionmentioning

confidence: 99%

Lucid: A Practical, Lightweight Deep Learning Solution for DDoS Attack Detection

Doriguzzi-Corin

Millar

Scott-Hayward

et al. 2020

IEEE Trans. Netw. Serv. Manage.

250

105

View full text Add to dashboard Cite

Distributed Denial of Service (DDoS) attacks are one of the most harmful threats in today's Internet, disrupting the availability of essential services. The challenge of DDoS detection is the combination of attack approaches coupled with the volume of live traffic to be analysed. In this paper, we present a practical, lightweight deep learning DDoS detection system called LUCID, which exploits the properties of Convolutional Neural Networks (CNNs) to classify traffic flows as either malicious or benign. We make four main contributions; (1) an innovative application of a CNN to detect DDoS traffic with low processing overhead, (2) a dataset-agnostic preprocessing mechanism to produce traffic observations for online attack detection, (3) an activation analysis to explain LUCID's DDoS classification, and (4) an empirical validation of the solution on a resource-constrained hardware platform. Using the latest datasets, LUCID matches existing stateof-the-art detection accuracy whilst presenting a 40x reduction in processing time, as compared to the state-of-the-art. With our evaluation results, we prove that the proposed approach is suitable for effective DDoS detection in resource-constrained operational environments.

show abstract

Section: Introductionmentioning

confidence: 99%

Lucid: A Practical, Lightweight Deep Learning Solution for DDoS Attack Detection

Doriguzzi-Corin

Millar

Scott-Hayward

et al. 2020

IEEE Trans. Netw. Serv. Manage.

250

105

View full text Add to dashboard Cite

show abstract

“…In Experiment 3, we evaluate the robustness of DAICS to additive noise applied on the SWaT and WADI test sets. We also compare the results with the frameworks proposed in [19], [20] in case of the SWaT dataset.…”

Section: B Methodologymentioning

confidence: 99%

“…Like in our previous work [19], the neural network comprises a Feature extractor section that learns the relations between all sensors and actuators during the normal operation of an ICS and extracts the features required to predict the normal states of sensors. Instead, the output section is split into multiple branches to serve large-scale ICSs where the sensors are controlled by several PLCs, usually specialised on a specific part of the industrial process with specific behaviour and anomaly threshold.…”

Section: W Out Samplesmentioning

confidence: 99%

“…We then observe the behaviour of DAICS with respect to the number of detected attacks and the detection accuracy measured with the F1 score metric. We then extend the experiment 2 in [19], where AADS and the CNN proposed in [20] are compared, by adding the performance of DAICS on the SWaT dataset.…”

Section: E Experiments 3: Robustness To Additive Noisementioning

confidence: 99%

“…The analysis provides practical insights to improve the performance under different operating conditions. DAICS extends our previous work called AADS (Adaptive Anomaly Detection in industrial control Systems) [19]. With respect to AADS, DAICS scales better to larger ICSs, adopts an automated threshold tuning mechanism based on deep learning, and it has been tested on two public datasets: SWaT (like AADS) and WADI.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

DAICS: A Deep Learning Solution for Anomaly Detection in Industrial Control Systems

Abdelaty,

Doriguzzi-Corin,

Siracusa

2020

Preprint

Self Cite

View full text Add to dashboard Cite

Deep Learning is emerging as an effective technique to detect sophisticated cyber-attacks targeting Industrial Control Systems (ICSs). The conventional approach to detection in literature is to learn the "normal" behaviour of the system, to be then able to label noteworthy deviations from it as anomalies. However, during operations, ICSs inevitably and continuously evolve their behaviour, due to e.g., replacement of devices, workflow modifications, or other reasons. As a consequence, the accuracy of the anomaly detection process may be dramatically affected with a considerable amount of false alarms being generated. This paper presents DAICS, a novel deep learning framework with a modular design to fit in large ICSs. The key component of the framework is a 2-branch neural network that learns the changes in the ICS behaviour with a small number of data samples and a few gradient updates. This is supported by an automatic tuning mechanism of the detection threshold that takes into account the changes in the prediction error under normal operating conditions. In this regard, no specialised human intervention is needed to update the other parameters of the system. DAICS has been evaluated using publicly available datasets and shows an increased detection rate and accuracy compared to state of the art approaches, as well as higher robustness to additive noise.

show abstract