Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning

Inoue, Jun; Yamagata, Yoriyuki; Chen, Yuqi; Poskitt, Christopher M.; Sun, Jun

doi:10.1109/icdmw.2017.149

Cited by 241 publications

(164 citation statements)

References 20 publications

Supporting

Mentioning

161

Contrasting

Unclassified

Order By: Relevance

“…Precision Recall F1 DNN [11] 0.983 0.678 0.803 SVM [11] 0.925 0.699 0.796 TABOR [12] 0.862 0.788 0.823 1D CNN [13] 0 features are linear, and PCA can capture them. As PCA has an analytic solution that does not require iterative optimization, its training is much faster then the discussed neural networks (see Table V).…”

Section: Methodsmentioning

confidence: 99%

Detecting Cyber Attacks in Industrial Control Systems Using Convolutional Neural Networks

Kravchik

Shabtai

2018

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy

251

167

View full text Add to dashboard Cite

Industrial control systems (ICSs) are widely used and vital to industry and society. Their failure can have severe impact on both economics and human life. Hence, these systems have become an attractive target for attacks, both physical and cyber. A number of attack detection methods have been proposed, however they are characterized by a low detection rate, a substantial false positive rate, or are system specific. In this paper, we study an attack detection method based on simple and lightweight neural networks, namely, 1D convolutions and autoencoders. We apply these networks to both the time and frequency domains of the collected data and discuss pros and cons of each approach. We evaluate the suggested method on three popular public datasets and achieve detection rates matching or exceeding previously published detection results, while featuring small footprint, short training and detection times, and generality. We also demonstrate the effectiveness of PCA, which, given proper data preprocessing and feature selection, can provide high attack detection scores in many settings. Finally, we study the proposed method's robustness against adversarial attacks, that exploit inherent blind spots of neural networks to evade detection while achieving their intended physical effect. Our results show that the proposed method is robust to such evasion attacks: in order to evade detection, the attacker is forced to sacrifice the desired physical impact on the system. This finding suggests that neural networks trained under the constraints of the laws of physics can be trusted more than networks trained under more flexible conditions.

show abstract

Section: Methodsmentioning

confidence: 99%

Detecting Cyber Attacks in Industrial Control Systems Using Convolutional Neural Networks

Kravchik

Shabtai

2018

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy

251

167

View full text Add to dashboard Cite

show abstract

“…Other approaches learn models from physical data logs, and use them to evaluate whether or not the current state represents normal behaviour or not: most (e.g. [7], [12], [39]) use unsupervised learning to construct these models, although Chen et al [23], [25] use supervised learning by automatically seeding faults in the control programs (of a high-fidelity simulator). Adepu and Mathur [21], [22], [24] systematically and manually derive a comprehensive set of physics-based invariants and other conditions that relate the states of actuators and sensors, with any violations of them during operation reported.…”

Section: Background and Motivational Examplementioning

confidence: 99%

“…Let v s denote the current value of sensor s, L s denote its lower safety threshold, H s denote its upper safety threshold, and r s = H s − L s denote its range of safe values. Let Select k parents from P using Roulette Wheel Selection; 5 Generate new candidates from parents using crossover; 6 Generate new candidates from parents using bit flip mutation with probability pm; 7 Compute fitness of new candidates c with f (M (S, c)); 8 Replace P with the n fittest of the new and old candidates; 9 until timeout; 10 return candidate c ∈ P that maximises f (M (S, c));…”

Section: B Step Two: Fuzzing To Find Attacksmentioning

confidence: 99%

“…Given the potential to cause massive disruption, such systems have become prime targets for cyber attackers, with a number of successful cases reported in recent years [3], [4]. This pervasive threat faced by CPSs has motivated research and development into a wide variety of attack defence mechanisms, including techniques based on anomaly detection [5], [6], [7], [8], [9], [10], [11], [12], [13], [14], [15], fingerprinting [16], [17], [18], [19], and monitoring conditions or physical invariants [20], [21], [22], [23], [24], [25], [26], [27]. The practical utility of these different countermeasures ultimately depends on how effective they are at their principal goal: detecting and/or preventing attacks.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Learning-Guided Network Fuzzing for Testing Cyber-Physical System Defences

Chen

Poskitt

Sun

et al. 2019

2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)

Self Cite

View full text Add to dashboard Cite

The threat of attack faced by cyber-physical systems (CPSs), especially when they play a critical role in automating public infrastructure, has motivated research into a wide variety of attack defence mechanisms. Assessing their effectiveness is challenging, however, as realistic sets of attacks to test them against are not always available. In this paper, we propose smart fuzzing, an automated, machine learning guided technique for systematically finding 'test suites' of CPS network attacks, without requiring any knowledge of the system's control programs or physical processes. Our approach uses predictive machine learning models and metaheuristic search algorithms to guide the fuzzing of actuators so as to drive the CPS into different unsafe physical states. We demonstrate the efficacy of smart fuzzing by implementing it for two real-world CPS testbeds-a water purification plant and a water distribution system-finding attacks that drive them into 27 different unsafe states involving water flow, pressure, and tank levels, including six that were not covered by an established attack benchmark. Finally, we use our approach to test the effectiveness of an invariant-based defence system for the water treatment plant, finding two attacks that were not detected by its physical invariant checks, highlighting a potential weakness that could be exploited in certain conditions.

show abstract

“…Apart from monitoring physical invariants, the SWaT testbed has also been used to evaluate other attack detection mechanisms, such as a hierarchical intrusion detection system for monitoring network traffic [38], and anomaly detection approaches based on unsupervised machine learning [5,6]. The latter approaches were trained and evaluated using an attack log [12] from the testbed itself.…”

Section: Related Workmentioning

confidence: 99%

Learning from Mutants: Using Code Mutation to Learn and Monitor Invariants of a Cyber-Physical System

Chen

Poskitt

Sun

2018

2018 IEEE Symposium on Security and Privacy (SP)

Self Cite

113

View full text Add to dashboard Cite

Cyber-physical systems (CPS) consist of sensors, actuators, and controllers all communicating over a network; if any subset becomes compromised, an attacker could cause significant damage. With access to data logs and a model of the CPS, the physical effects of an attack could potentially be detected before any damage is done. Manually building a model that is accurate enough in practice, however, is extremely difficult. In this paper, we propose a novel approach for constructing models of CPS automatically, by applying supervised machine learning to data traces obtained after systematically seeding their software components with faults ("mutants"). We demonstrate the efficacy of this approach on the simulator of a real-world water purification plant, presenting a framework that automatically generates mutants, collects data traces, and learns an SVM-based model. Using cross-validation and statistical model checking, we show that the learnt model characterises an invariant physical property of the system. Furthermore, we demonstrate the usefulness of the invariant by subjecting the system to 55 network and codemodification attacks, and showing that it can detect 85% of them from the data logs generated at runtime.

show abstract

Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning

Cited by 241 publications

References 20 publications

Detecting Cyber Attacks in Industrial Control Systems Using Convolutional Neural Networks

Detecting Cyber Attacks in Industrial Control Systems Using Convolutional Neural Networks

Learning-Guided Network Fuzzing for Testing Cyber-Physical System Defences

Learning from Mutants: Using Code Mutation to Learn and Monitor Invariants of a Cyber-Physical System

Contact Info

Product

Resources

About