Log-Based Anomaly Detection of CPS Using a Statistical Method

Harada, Yoshiyuki; Yamagata, Yoriyuki; Mizuno, Osamu; Choi, Eun-Hye

doi:10.1109/iwesep.2017.12

Cited by 31 publications

(17 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Log-based anomaly detection via statistical methods has been widely applied to ICS in the recent years [42], [43]. However, most of these approaches either are only applicable to a specific type of systems or require prior domain-specific knowledge about the system to construct the detection model.…”

Section: Related Workmentioning

confidence: 99%

A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems

Feng

Palleti

Mathur

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Industrial Control Systems (ICS) consisting of integrated hardware and software components designed to monitor and control a variety of industrial processes, are typically deployed in critical infrastructures such as water treatment plants, power grids and gas pipelines. Unlike conventional IT systems, the consequences of deviations from normal operation in ICS have the potential to cause significant physical damage to equipment, the environment and even human life. The active monitoring of invariant rules that define the physical conditions that must be maintained for the normal operation of ICS provides a means to improve the security and dependability of such systems by which early detection of anomalous system states may be achieved, allowing for timely mitigating actions-such as fault checking, system shutdown-to be taken. Generally, invariant rules are predefined by system engineers during the design phase of a given ICS build. However, this manually intensive process is costly, error-prone and, in typically complex systems, sub-optimal. In this paper we propose a novel framework that is designed to systematically generate invariant rules from information contained within ICS operational data logs, using a combination of several machine learning and data mining techniques. The effectiveness of our approach is demonstrated by experiments on two real world ICS testbeds: a water distribution system and a water treatment plant. We show that sets of invariant rules, far larger than those defined manually, can be successfully derived by our framework and that they may be used to deliver significant improvements in anomaly detection compared with the invariant rules defined by system engineers as well as the commonly used residual errorbased anomaly detection model for ICS.

show abstract

Section: Related Workmentioning

confidence: 99%

A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems

Feng

Palleti

Mathur

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…the survey [15] and textbook [13]). Harada et al [9] applies one of the most widely-used anomaly detection methods, Local Outlier Factor (LOF) [16], to an automated aquarium management system and detects the failure of mutual exclusion. However, LOF is a method to find outliers without prior knowledge of the normal behaviors.…”

Section: Related Workmentioning

confidence: 99%

“…This research direction is seeing increasing interest (e.g. [8], [9]), but much remains to be understood about how to apply it effectively in practice.…”

Section: Introductionmentioning

confidence: 99%

Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning

Inoue

Yamagata

Chen³

et al. 2017

2017 IEEE International Conference on Data Mining Workshops (ICDMW)

Self Cite

241

148

View full text Add to dashboard Cite

In this paper, we propose and evaluate the application of unsupervised machine learning to anomaly detection for a Cyber-Physical System (CPS). We compare two methods: Deep Neural Networks (DNN) adapted to time series data generated by a CPS, and one-class Support Vector Machines (SVM). These methods are evaluated against data from the Secure Water Treatment (SWaT) testbed, a scaled-down but fully operational raw water purification plant. For both methods, we first train detectors using a log generated by SWaT operating under normal conditions. Then, we evaluate the performance of both methods using a log generated by SWaT operating under 36 different attack scenarios. We find that our DNN generates fewer false positives than our one-class SVM while our SVM detects slightly more anomalies. Overall, our DNN has a slightly better F measure than our SVM. We discuss the characteristics of the DNN and one-class SVM used in this experiment, and compare the advantages and disadvantages of the two methods.

show abstract

“…Let v s denote the current value of sensor s, L s denote its lower safety threshold, H s denote its upper safety threshold, and r s = H s − L s denote its range of safe values. Let Select k parents from P using Roulette Wheel Selection; 5 Generate new candidates from parents using crossover; 6 Generate new candidates from parents using bit flip mutation with probability pm; 7 Compute fitness of new candidates c with f (M (S, c)); 8 Replace P with the n fittest of the new and old candidates; 9 until timeout; 10 return candidate c ∈ P that maximises f (M (S, c));…”

Section: B Step Two: Fuzzing To Find Attacksmentioning

confidence: 99%

“…Given the potential to cause massive disruption, such systems have become prime targets for cyber attackers, with a number of successful cases reported in recent years [3], [4]. This pervasive threat faced by CPSs has motivated research and development into a wide variety of attack defence mechanisms, including techniques based on anomaly detection [5], [6], [7], [8], [9], [10], [11], [12], [13], [14], [15], fingerprinting [16], [17], [18], [19], and monitoring conditions or physical invariants [20], [21], [22], [23], [24], [25], [26], [27]. The practical utility of these different countermeasures ultimately depends on how effective they are at their principal goal: detecting and/or preventing attacks.…”

Section: Introductionmentioning

confidence: 99%

Learning-Guided Network Fuzzing for Testing Cyber-Physical System Defences

Chen

Poskitt

Sun

et al. 2019

2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

The threat of attack faced by cyber-physical systems (CPSs), especially when they play a critical role in automating public infrastructure, has motivated research into a wide variety of attack defence mechanisms. Assessing their effectiveness is challenging, however, as realistic sets of attacks to test them against are not always available. In this paper, we propose smart fuzzing, an automated, machine learning guided technique for systematically finding 'test suites' of CPS network attacks, without requiring any knowledge of the system's control programs or physical processes. Our approach uses predictive machine learning models and metaheuristic search algorithms to guide the fuzzing of actuators so as to drive the CPS into different unsafe physical states. We demonstrate the efficacy of smart fuzzing by implementing it for two real-world CPS testbeds-a water purification plant and a water distribution system-finding attacks that drive them into 27 different unsafe states involving water flow, pressure, and tank levels, including six that were not covered by an established attack benchmark. Finally, we use our approach to test the effectiveness of an invariant-based defence system for the water treatment plant, finding two attacks that were not detected by its physical invariant checks, highlighting a potential weakness that could be exploited in certain conditions.

show abstract

Log-Based Anomaly Detection of CPS Using a Statistical Method

Cited by 31 publications

References 22 publications

A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems

A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems

Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning

Learning-Guided Network Fuzzing for Testing Cyber-Physical System Defences

Contact Info

Product

Resources

About