Visible to the public Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks

TitleMulti-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks
Publication TypeConference Paper
Year of Publication2017
AuthorsFeng, C., Li, T., Chana, D.
Conference Name2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Keywordsanomaly detection, baseline signature database, Bloom filter, Bloom filters, communication patterns, control engineering computing, data structures, database management systems, Databases, Detectors, digital signatures, field devices, gas pipeline SCADA system, ICS Anomaly Detection, ICS networks, industrial control, industrial control systems, integrated circuits, Intrusion detection, learning (artificial intelligence), long short term memory networks, LSTM networks, multilevel anomaly detection method, network package content analysis, package content level anomaly detection, package signatures, package traffic, pattern classification, production engineering computing, Protocols, pubcrawl, recurrent neural nets, resilience, Resiliency, SCADA systems, Scalability, signature database, software packages, stacked long short term memory network-based softmax classifier, time series, time-series anomaly detection, time-series structure

We outline an anomaly detection method for industrial control systems (ICS) that combines the analysis of network package contents that are transacted between ICS nodes and their time-series structure. Specifically, we take advantage of the predictable and regular nature of communication patterns that exist between so-called field devices in ICS networks. By observing a system for a period of time without the presence of anomalies we develop a base-line signature database for general packages. A Bloom filter is used to store the signature database which is then used for package content level anomaly detection. Furthermore, we approach time-series anomaly detection by proposing a stacked Long Short Term Memory (LSTM) network-based softmax classifier which learns to predict the most likely package signatures that are likely to occur given previously seen package traffic. Finally, by the inspection of a real dataset created from a gas pipeline SCADA system, we show that an anomaly detection scheme combining both approaches can achieve higher performance compared to various current state-of-the-art techniques.

Citation Keyfeng_multi-level_2017