Anomaly Detection for Industrial Control Networks using Machine Learning with the help from the Inter-Arrival Curves
Basem AL-Madani, Ahmad Shawahna, and Mohammad Qureshi

TL;DR
This paper presents a machine learning-based anomaly detection method for Industrial Control Networks, utilizing inter-arrival curves and feature selection to improve detection accuracy of cyber threats in critical infrastructure systems.
Contribution
It introduces a novel approach combining physical system properties, feature selection, and machine learning classifiers with inter-arrival curves for enhanced anomaly detection in ICN.
Findings
SVM and C4.5 achieve high accuracy in detecting anomalies.
Inter-arrival curves improve detection of high sensitivity attacks.
k-NN performs poorly on low and medium sensitivity attack detection.
Abstract
Industrial Control Networks (ICN) such as Supervisory Control and Data Acquisition (SCADA) systems are widely used in industries for monitoring and controlling physical processes. These industries include power generation and supply, gas and oil production and delivery, water and waste management, telecommunication and transport facilities. The integration of the internet exposes these systems to cyber threats. The consequences of a compromised ICN are detrimental to a country's economic and functional sustainability. Therefore, enforcing security and ensuring correct operation has become one of the biggest concerns for Industrial Control Systems (ICS), and needs to be addressed. In this paper, we propose an anomaly detection approach for ICN using the physical properties of the system. We have developed an operational baseline of the electricity generation process and reduced the feature set using…
Taxonomy
Topics: Network Security and Intrusion Detection · Smart Grid Security and Resilience · Anomaly Detection Techniques and Applications
