Detecting Cyberattacks in Industrial Control Systems Using Online Learning Algorithms

TL;DR

This paper proposes online learning algorithms for real-time cyberattack detection in industrial control systems, addressing computational constraints and class imbalance, with demonstrated improvements on power and pipeline testbeds.

Contribution

It introduces state-of-the-art online learning methods tailored for industrial control systems and a new cost-sensitive algorithm for class imbalance, enhancing detection accuracy.

Findings

Improved attack detection rates on power system testbed.

Effective handling of class imbalance in intrusion detection.

Online algorithms suitable for continuous, resource-limited environments.

Abstract

Industrial control systems are critical to the operation of industrial facilities, especially for critical infrastructures, such as refineries, power grids, and transportation systems. Similar to other information systems, a significant threat to industrial control systems is the attack from cyberspace---the offensive maneuvers launched by "anonymous" in the digital world that target computer-based assets with the goal of compromising a system's functions or probing for information. Owing to the importance of industrial control systems, and the possibly devastating consequences of being attacked, significant endeavors have been attempted to secure industrial control systems from cyberattacks. Among them are intrusion detection systems that serve as the first line of defense by monitoring and reporting potentially malicious activities. Classical machine-learning-based intrusion detection methods usually generate prediction models by learning modest-sized training samples all at once. Such approach is not always applicable to industrial control systems, as industrial control systems must process continuous control commands with limited computational resources in a nonstop way. To satisfy such requirements, we propose using online learning to learn prediction models from the controlling data stream. We introduce several state-of-the-art online learning algorithms categorically, and illustrate their efficacies on two typically used testbeds---power system and gas pipeline. Further, we explore a new cost-sensitive online learning algorithm to solve the class-imbalance problem that is pervasive in industrial intrusion detection systems. Our experimental results indicate that the proposed algorithm can achieve an overall improvement in the detection rate of cyberattacks in industrial control systems.