Enhanced Anomaly Detection in Industrial Control Systems aided by Machine Learning
Vegard Berge, Chunlei Li

TL;DR
This paper explores combining network and process data using machine learning to improve anomaly detection in industrial control systems, showing promising but preliminary results in enhancing detection capabilities.
Contribution
It introduces a multi-source data approach for ICS intrusion detection, demonstrating potential improvements over single-source methods using the SWaT dataset.
Findings
Enhanced recall rates for attack detection with combined data
Multi-source approach shows promise but needs further validation
Proof-of-concept with preliminary results
Abstract
Traditional intrusion detection systems (IDSs) often rely on either network traffic or process data, but this single-source approach may miss complex attack patterns that span multiple layers within industrial control systems (ICSs) or persistent threats that target different layers of operational technology systems. This study investigates whether combining both network and process data can improve attack detection in ICS environments. Leveraging the SWaT dataset, we evaluate various machine learning models on individual and combined data sources. Our findings suggest that integrating network traffic with operational process data can enhance detection capabilities, evidenced by improved recall rates for cyber attack classification. Serving as a proof-of-concept within a limited testing environment, this research explores the feasibility of advancing intrusion detection through a…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Smart Grid Security and Resilience · Network Security and Intrusion Detection
