TL;DR
This paper critically evaluates machine learning-based industrial intrusion detection systems, revealing their poor performance on unknown attacks and emphasizing the need for more robust evaluation methods.
Contribution
It introduces an evaluation methodology to assess ML intrusion detection on unseen attacks and highlights the gap between reported and actual detection capabilities.
Findings
Detection rates for unknown attacks drop to 3.2%-14.7%.
Current ML approaches are ineffective against unseen attack types.
Recommendations for future research to improve detection of unknown attacks.
Abstract
Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99%. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we…
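The evaluation gap the abstract describes, as an added illustration that is not code or data from the paper: a supervised detector is trained on benign traffic plus some attack types, then scored once on fresh windows of the same attack types and once on an attack type it never saw (leave-one-attack-type-out). The telemetry windows, the three features (packet rate, register write rate, distinct ports) and the minimal threshold-stump detector are all constructed for this example; the rates it prints come from that synthetic data and say nothing about the figures the paper reports. What it does show is the mechanism: the attack types used in training decide which features the model retains, so a deviation on a feature that never mattered during training goes unflagged.

```python
import random

FEATURES = ("pkt_rate", "write_rate", "unique_ports")

# Constructed class profiles (packets/s, register writes/s, distinct ports per window);
# each attack type deviates from benign on exactly one feature.
PROFILES = {
    "benign": (100.0, 5.0, 2.0),
    "flood":  (5000.0, 5.0, 2.0),
    "tamper": (100.0, 200.0, 2.0),
    "scan":   (100.0, 5.0, 300.0),
}
ATTACK_TYPES = ("flood", "tamper", "scan")


def make_windows(label, n, rng):
    """Return n constructed feature vectors for one class with +/-10% jitter."""
    base = PROFILES[label]
    return [tuple(v * rng.uniform(0.9, 1.1) for v in base) for _ in range(n)]


def train_detector(benign, attacks, min_hit_rate=0.10):
    """Supervised threshold detector: one 'feature > threshold' stump per feature.

    The threshold sits 50% above the largest benign training value. A stump is
    kept only if it fires on at least min_hit_rate of the attack training windows,
    which mimics supervised feature selection: a feature that never separates the
    training attacks from benign traffic is dropped, however anomalous it may
    look under an attack type the model has not seen.
    """
    stumps = {}
    for i, name in enumerate(FEATURES):
        threshold = 1.5 * max(w[i] for w in benign)
        hit_rate = sum(w[i] > threshold for w in attacks) / len(attacks)
        if hit_rate >= min_hit_rate:
            stumps[name] = threshold
    return stumps


def is_alert(stumps, window):
    """Alert if any retained stump fires on the window."""
    return any(window[FEATURES.index(name)] > thr for name, thr in stumps.items())


def detection_rate(stumps, windows):
    """Fraction of windows that raise an alert."""
    return sum(is_alert(stumps, w) for w in windows) / len(windows)


def leave_one_attack_out(n=50, seed=7):
    """Score each detector on its training attack types and on the held-out type.

    Returns {held_out_type: {"features_used", "trained_types", "unseen_type",
    "false_positive"}} with rates as fractions in [0, 1].
    """
    rng = random.Random(seed)
    results = {}
    for held_out in ATTACK_TYPES:
        trained_types = [t for t in ATTACK_TYPES if t != held_out]
        benign_train = make_windows("benign", n, rng)
        attack_train = [w for t in trained_types for w in make_windows(t, n, rng)]
        stumps = train_detector(benign_train, attack_train)

        # Fresh test windows: the training attack types, the unseen type, and benign.
        same_type_test = [w for t in trained_types for w in make_windows(t, n, rng)]
        unseen_test = make_windows(held_out, n, rng)
        benign_test = make_windows("benign", n, rng)
        results[held_out] = {
            "features_used": sorted(stumps),
            "trained_types": detection_rate(stumps, same_type_test),
            "unseen_type": detection_rate(stumps, unseen_test),
            "false_positive": detection_rate(stumps, benign_test),
        }
    return results


if __name__ == "__main__":
    for held_out, r in leave_one_attack_out().items():
        print(f"held out {held_out:7s} features={r['features_used']} "
              f"trained-type detection={r['trained_types']:.0%} "
              f"unseen-type detection={r['unseen_type']:.0%} "
              f"FPR={r['false_positive']:.0%}")
```

Scoring only on the training attack types yields 100% detection with no false positives here, while every held-out type is missed entirely, because the one feature that would expose it was discarded during training. Reporting both numbers per held-out attack type, as this protocol does, is the check that a single in-distribution detection rate cannot provide.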