Intrusion Detection in Binary Process Data: Introducing the Hamming-distance to Matrix Profiles

TL;DR

This paper presents an extension of the Matrix Profiles algorithm using Hamming distance to effectively detect intrusions in binary process data from industrial water treatment, enabling real-time security monitoring with low training effort.

Contribution

The novel extension of Matrix Profiles with Hamming distance allows for meaningful analysis of binary actuators in industrial process data, improving intrusion detection capabilities.

Findings

Effective detection of attacks in binary process data

Low training effort required for the algorithm

Real-time applicability demonstrated

Abstract

The digitisation of industry provides a plethora of novel applications that increase flexibility and reduce setup and maintenance time as well as cost. Furthermore, novel use cases are created by the digitisation of industry, commonly known as Industry 4.0 or the Industrial Internet of Things, applications make use of communication and computation technology that is becoming available. This enables novel business use cases, such as the digital twin, customer individual production, and data market places. However, the inter-connectivity such use cases rely on also significantly increases the attack surface of industrial enterprises. Sabotage and espionage are aimed at data, which is becoming the most crucial asset of an enterprise. Since the requirements on security solutions in industrial networks are inherently different from office networks, novel approaches for intrusion detection need to be developed. In this work, process data of a real water treatment process that contains attacks is analysed. Analysis is performed by an extension of Matrix Profiles, a motif discovery algorithm for time series. By extending Matrix Profiles with a Hammingdistance metric, binary and tertiary actuators can be integrated into the analysis in a meaningful fashion. This algorithm requires low training effort while providing accurate results. Furthermore, it can be employed in a real-time fashion. Selected actuators in the data set are analysed to highlight the applicability of the extended Matrix Profiles.