Adversarial Attacks on Machine Learning Cybersecurity Defences in Industrial Control Systems

The proliferation and application of machine learning based Intrusion Detection Systems (IDS) have allowed for more flexibility and efficiency in the automated detection of cyber attacks in Industrial Control Systems (ICS). However, the introduction of such IDSs has also created an additional attack vector; the learning models may also be subject to cyber attacks, otherwise referred to as Adversarial Machine Learning (AML). Such attacks may have severe consequences in ICS systems, as adversaries could potentially bypass the IDS. This could lead to delayed attack detection which may result in infrastructure damages, financial loss, and even loss of life. This paper explores how adversarial learning can be used to target supervised models by generating adversarial samples using the Jacobian-based Saliency Map attack and exploring classification behaviours. The analysis also includes the exploration of how such samples can support the robustness of supervised models using adversarial training. An authentic power system dataset was used to support the experiments presented herein. Overall, the classification performance of two widely used classifiers, Random Forest and J48, decreased by 16 and 20 percentage points when adversarial samples were present. Their performances improved following adversarial training, demonstrating their robustness towards such attacks.


I. INTRODUCTION
I NDUSTRIAL Control Systems (ICS) play a key role in Critical National Infrastructure (CNI) concepts such as manufacturing, power/smart grids, water treatment plants, gas and oil refineries, and health-care. Historically, ICS networks and their components were protected from cyber attacks as they ran on proprietary hardware and software, and were connected in isolated networks with no external connection to the Internet [1]. However, as the world is becoming more interconnected, there has been a need to connect ICS components together and to other networks, allowing remote access and monitoring functionalities. As a result, ICS are now subject to a range of security vulnerabilities [1].
Given the importance of these systems, they have become an attractive target to an attacker. As these systems control operations in the physical world, the cyber attacks against them may have major consequences for the environment they *Corresponding author: anthies@cardiff.ac.uk operate in, and subsequently, its users. It is therefore understandable that the security issues surrounding such systems have become a global issue. Thus, designing robust, secure, and efficient mechanisms for detecting and defending cyber attacks in ICS networks is more important than ever [2].
Although there exist several security mechanisms for traditional IT systems, their integration into ICS systems is challenging mainly for two reasons; a) ICS devices are resource constrained, and b) they include legacy systems and devices that do not support modern security measures. Subsequently, complementary security solutions, such as passive process data monitoring, are promising [3]. This has led to a substantial increase in research focusing on ICS tailored Intrusion Detection Systems (ICS). Such intrusion systems operate by observing the network or sensor data in order to detect attacks and anomalies that may affect ICS.
Due to their efficiency in detecting attacks, there has been a substantial increase in the application and integration of machine learning within IDSs (e.g. [1], [4]- [10]). However, the introduction of such systems has introduced an additional attack vector; the trained models may also be subject to attacks. The act of deploying attacks towards machine learning based systems is known as Adversarial Machine Learning (AML). The aim is to exploit the weaknesses of the pretrained model which has "blind spots" between data points it has seen during training. More specifically, by automatically introducing slight perturbations to the unseen data points the model may cross a decision boundary and classify the data as a different class. As a result, the model's effectiveness can be reduced as it is presented with unseen data points that it cannot associate target values to, subsequently increasing the number of misclassifications.
The existence of such techniques means that infrastructures which incorporate machine learning based IDSs may be at risk of being vulnerable to cyber attacks. In the context of ICS, AML can be used to manipulate data from actuators or other devices by including perturbations to cause malicious data to be classified as being benign, consequently bypassing the IDS. This could lead to delayed attack detection, information leakage, financial loss, and even loss of life. It is therefore understandable that as machine learning based detection mechanisms become more widely deployed, the adversary incentive for defeating them increases. As a result, it is evident that arXiv:2004.05005v1 [cs.
LG] 10 Apr 2020 ii machine learning based IDSs must be extensively evaluated against AML attacks.
To the best of our knowledge, this is the first study which investigates the behaviour of supervised models against AML, as well as the defence of such attacks in the context of ICS. The main contributions of the work presented in this paper are the empirical investigations into: • generating adversarial samples from a power system dataset • the behaviour of supervised machine learning algorithms against adversarial samples for intrusion detection in an ICS system • how adversarial training can support the robustness of such models The study uses a representative power system dataset and was designed as follows (see Figure 1): 1) randomly split the power system dataset into training and testing set, each containing 60% and 40% data points respectively, 2) evaluate a range of supervised machine learning models and identify which are the best performing, 3) generate adversarial samples using the Jacobian-based Saliency map method, 4) evaluate the performance of the trained models in 2 on the generated adversarial samples in 3, 5) include a percentage of adversarial samples from 3 in the training data and re-train and evaluate the models. The remainder of this paper is structured as follows: Section II discusses the relevant work in this research area, Section III discusses the power system testbed and the generated dataset which is used to support the experiments in this paper, Section IV evaluates the performance of a range of supervised classi-fiers, Section V discusses AML and the methodology followed to generate adversarial samples, Section VII investigates the effectiveness of adversarial training as a defence mechanisms, and finally VIII concludes the paper.

II. RELATED WORK
There has been a substantial increase in machine learning based IDSs for a range of ICS systems. Table I presents a summary of the existing ICS systems and associated supervised learning approaches to attack detection and classification in these contexts. To date, there has been less focus on AML in this context. Such research has mainly focused on email spam classifiers, malware detection, and very recently there has been interest in AML against network IDSs for traditional networks (e.g. [11]- [13]).
More specifically, both Nelson et al. [14] and Zhou et al. [15] demonstrate that an adversary can exploit and successfully bypass the machine learning methods employed in spam filters by modifying a small percentage of the original training data. Moreover, Grosse et al. [16] evaluate the robustness of a neural network trained on the DREBIN Android malware dataset. They report that it is possible to confuse the model by perturbing a small amount of the features in the training set. Such an attack is considered to be a white box attack, as in order to be successful, the adversary needs to have access or knowledge of the dataset and the features it includes. Furthermore, Hu and Tan [17] proposed a more advanced adversarial technique which uses the concept of Generative Adversarial Networks (GAN) to successfully attack malware classifiers without requiring any knowledge of the data and the system. This is known as a black box attack.
In the context of ICSs, there exist only a handful of investigations into AML attacks. Specifically, Zizzo et al. [18] showcased a simple AML attack against an Long Short-Term Memory (LSTM) classifier which was applied on an ICS dataset. However, this work is at a preliminary stage as the adversarial samples were generated by manually selecting the feature/acutator values to be perturbed. Yaghoubi and Fainekos [19] proposed a gradient based search approach which was evaluated on a Simulink model of a steam condenser. However, this approach is efficient only against a handful of systems that may specifically employ Recurrent Neural Networks (RNN) with smooth activation functions. Finally, Erba et al. [3] demonstrated two types of real-time evasion attacks, again using Recurrent Neural Network models, and used an autoencoder to generate adversarial samples, which is computationally complex. Neither of these aforementioned works investigate defence methods against AML. Conclusively, it is evident that there is room to investigate AML and the defence against such attacks for current IDSs in ICS systems that are supported by supervised learning. Moreover, as Table I shows, Recurrent Neural Networks are yet to gain prominence in attack detection in an ICS context -with algorithms such as Naive Bayes, Random Forest, SVM, and J48 being much more widely used. We therefore base our experiments in defending against AML on these methods as the state of the art in MLdriven attack detection methods for ICS. iii

Work
Dataset Machine Learning Models [4] Gas Pipeline Naive Bayes, Random Forest, SVM, J48, OneR [20] Power System OneR, Random Forest, Naive Bayes, SVM, JRipper + Adaboost [21] Power system (synthetic) Naive Bayes, Random Forests, SVM [22] SWaT SVM, J48, Random Forest [23] SCADA/ICS J48, Naive Bayes [24] Gas Pipeline SVM, Random Forest [25] SCADA/Modbus Decision Tree, K-Nearest Neighbor, SVM, OCSVM [6] SCADA Testbed Random Forest, J48, Logistic Regression, Naive Bayes [26] Power Grid, Water Plant, Gas Plant J48, Random Forest, Naive Bayes, SVM, JRipper + Adaboost [27] Wind Turbines SVM [28] SCADA Testbed SVM, Decision Tree, and Random Forest [29] Power System SVM, J48, Neural Network [30] SCADA Naive Bayes, BayesNet, J48 [31] SCADA Testbed Decision Tree, Random Forest [32] Power System Random Forest [33] Wind Turbine Decision Trees (J48, Random Forest, CART, Ripper, etc.) [5] SCADA Testbed Bayesian Network [34] SCADA Testbed Long Short Term Memory (RNN) [1] SWaT 1D Convolutional Networks [10] ICS Testbed Neural Network (Error-back propagation and Levenberg-Marquardt) [8] SWaT Long Short Term Memory (RNN) [9] SCADA Network Traffic One-Class SVM [35] ICS Testbed Long Short Term Memory (RNN) Mississippi State University and Oak Ridge National Laboratory implemented a scaled-down version of a power system framework. Although this system is relatively small, it captures the core function and is considered as being a representative example of a larger power system [36]. Figure 2 illustrates in more detail the power system framework configuration and the components used for generating the datasets in which support the experiments in this paper. More specifically, the components of the power system include: • G1 and G2 are the main generators. • R1, R2, R3, and R4 are the Intelligent Electronic Devices (IEDs) responsible for switching the breakers (BR1, BR2, BR3, BR4), which are automatically operated electrical switches designed to protect electrical circuits from damage caused by excess current from an overload or short circuit, on and off. • Each IED automatically controls one breaker (e.g. R1 controls BR1, R2 controls BR2, etc.) • The IEDs use a distance protection scheme which trips the breaker on detected faults (whether they are valid or invalid) since they have no internal validation to detect the difference. • Operators can also manually issue commands to the IEDs to manually trip the breakers. The manual override is used when performing maintenance on the lines or other system components. • There are also other network monitoring devices connected on the testbed, such as SNORT and Syslog servers.

A. Dataset
A total of 15 datasets containing both benign and malicious data points were generated from the power system testbed by [36]. These data points have been further categorised into three main classes; 'no event' instances, 'natural event' instances, and 'attack event' instances. Both the 'no event' and 'natural event' instances are grouped together to represent benign activity. To generate the malicious data, attacks from 5 scenarios were deployed on the power system. These attacks are described as follows: 1) Short-circuit fault. This is a short in a power line and can occur in various locations along the line. The location is indicated by the percentage range. iv 2) Line maintenance. One or more relays are disabled on a specific line to do maintenance for that line. 3) Remote tripping command injection attack. This is an attack that sends a command to a relay which causes a breaker to open. It can only be done once an attacker has penetrated outside defenses. 4) Relay setting change attack. Relays are configured with a distance protection scheme. The attacker changes the setting to disable the relay function so that the relay will not trip for a valid fault or a valid command. 5) Data injection attack. A valid fault is imitated by changing values to parameters such as the current, voltage, and sequence components. This attack aims to blind the operator and causes a black out.
For the purposes of the work described in this paper, all 15 datasets were used. The dataset consisted of 55,663 malicious and 22,714 benign data points.

IV. SUPERVISED MACHINE LEARNING
To explore how well supervised classification algorithms can learn to detect cyber attacks in an ICS environment, the performance of supervised machine learning when the corresponding data discussed in Section III-A was used to train the classification model and evaluated. The following Sections report the features present in the power systems dataset, as well as describing the methodology behind selecting and training the best performing supervised classifiers.

A. Feature Selection
In order to perform machine learning classification experiments, it is essential to identify which attributes best describe the dataset. In this case, the data points within the power system dataset contain attributes associated with synchrophasor measurements and basic network security mechanisms. A synchrophasor measurement unit is a device which measures the electrical waves on an electricity grid, using a common time source for synchronization. The dataset contains a total of 128 features [37]. These features are described in more detail as follows: • 29 types of measurements from each synchrophasor measurement unit. In this specific power system testbed, there are 4 PMUs. Therefore, the dataset contains a total of 116 synchrophasor measurement columns. • 12 types of measurements of control panel logs, snort alerts, and relay logs of the 4 synchrophasor measurement unit and relay.
Table IV-A summarises the features included in the dataset, as well as their corresponding descriptions. More specifically, the index of each feature is in the form of "R#-Signal Reference". The "R '#' " specifies the type of measurement from the synchrophasor measurement unit. For instance, "R1-PA1:VH" corresponds to the "Phase A voltage phase angle" measured by "PMU R1".  To explore how well supervised machine learning algorithms can detect cyber attacks in an ICS environment, the corresponding power system dataset was used to evaluate a range of state-of-the-art classifiers. In the case of identifying whether a datapoint is malicious or benign, classification is evaluated relative to the training dataset, producing four outputs: • true positives (TP) -data points are predicted as being malicious, when they are indeed malicious. • true negatives (TN) -data points are predicted as being benign, when they are indeed benign. • false positives (FP) -data points are predicted as being malicious, when in fact, they are benign. • false negatives (FN) -data points are predicted as being benign, when in fact, they are malicious. Subsequently, these output are used to evaluate the classification performance of the trained model using Precision (P), Recall (R), and F1-score (F). Such measures are calculated using the equations in Equation 1.
The "no free lunch" theorem suggests that there is no universally best learning algorithm [38]. In other words, the choice of an appropriate algorithm should be based on its performance for that particular problem and the properties of data that characterize the problem. In this case, a variety of classifiers distributed as part of Weka [39] were evaluated using 10-fold cross-validation using their default hyper-parameters.
To conform to other comparable IDSs in ICS systems in Table I, the classifiers were also selected based on their ability to support a high-dimensional feature space. The classifiers included: • Generative models that consider conditional dependencies in the dataset or assume conditional independence (e.g. Bayesian Network, Naive Bayes). • Discriminative models that aim to maximise information gain or directly maps data to their respective classes without modeling any underlying probability or structure of the data (e.g. J48 Decision Tree, Support Vector Machine).  To support classification experiments, a random subset of approximately 60% of the dataset described in Section III-A was selected for training, with the remaining 40% selected for testing. Figure 3 reports the distributions of data points across the target values in both the training and testing datasets.  Table III illustrates the results for each classifier. Previous work which have used a very small sample of this power system dataset to support their classification experiments have shown that the ensemble classifier which combines both the Adaboost and JRipper models was found to be the best performing [40]. However, in this work, when both the ensemble classifier and Support Vector Machine (SVM) classifier were applied, both models were still training following approximately 2 days of running. In this case, the models were stopped and their classification performances were omitted in the reporting of the results herein. Conversely, with F1-scores of 0.93 and 0.87, the classifiers with the highest performances were Random Forest and Weka's implementation of the J48 decision tree method with no pruning respectively.

V. ADVERSARIAL MACHINE LEARNING
To reiterate, the aim of AML is to automatically introduce perturbations to the unseen data points in order to confuse the pre-trained model. The following sections introduce the types of AML attacks, as well as the methods used to automatically generate adversarial samples.

A. Adversarial Attack Types
Depending on the phase and aspect of the machine learning model that is being targeted, AML attacks can be described in terms of four primary vectors: [13], [41]: • The Influence of an attack's affects the classifier's decision. Attacks can be further categorised as causative attacks, which occur during the learning phase (poison attacks), or exploratory attacks, which target the trained model during the testing phases (evasion attacks). • Security Violations affect either the integrity of the model when the adversarial samples cause misclassifications, or when the high rate of misclassifications causes the model to become unusable. • Specificity refers to targeted attacks, where the adversarial samples aim to target a specific target value, or indiscriminate attacks, where the samples do not target a specific target value. • Privacy refers to attacks where the adversary's goal is to extract information from the classifier. Papernot et al. [42] further categorise adversarial attacks based on: • Their complexity. The consequences of such attacks can range from slightly reducing the confidence of a model's predictions to causing it to misclassify all unseen data points. • The knowledge an adversary may have. A white box attack refers to when an attacker has useful knowledge related to the learning model, such as it's architecture, the network's traffic it reads, and the features used to support its training. It is considered as being a black box attack when an adversary has no information about the internal workings of the target model. Given that we have access to the full training dataset and its features, and we don't know the target model, the AML approach presented in this work is classified as a being a greybox attack.

B. Adversarial Sample Generation Methods
There are various methods by which adversarial samples can be generated. Such methods vary in complexity, the speed of their generation, and their performance. An unsophisticated approach towards crafting such samples is to manually perturb the input data points. However, manual perturbations are slow to generate and evaluate by comparison with automatic approaches. Two of the most popular techniques towards automatically generating perturbed samples include the Fast Gradient Sign Method (FGSM) and the Jacobian based Saliency Map Attack (JSMA), presented by Goodfellow et al. [43] and Papernot et al. [42] respectively.
Both methods rely on the methodology, that when adding small perturbations (δ) to the original sample (X), the resulting sample (X*) can exhibit adversarial characteristics (X* = X + δ) [11] in that X* is now classified differently by the targeted model. Moreover, both methods are also usually applied by using a pre-trained MLP as the underlying model for the adversarial sample generation.  The FGSM method aims to target each of the features of the input data by adding a specified amount of perturbation. The perturbation noise is computed by the gradient of the cost function J with respect to the input data. Let θ represent the model parameters, x are the inputs to the model, y are the labels associated with the input data, is a value which represents the extent of the noise to be applied, and J(θ,x,y) is the cost function used to train the targeted neural network.
On the other hand, the JSMA method generates perturbations using saliency maps. A saliency map identifies which features of the input data are the most relevant to the model decision being one class or another; these features if altered are most likely affect the classification of the target values. More specifically, an initial percentage of features (θ) is chosen to be perturbed by a (γ) amount of noise. Then, the model establishes whether the added noise has caused the targeted model to misclassify or not. If the noise has not affected the model's performance, another set of features is selected and a new iteration occurs until a saliency map appears which can be used to generate an adversarial sample.
Given that the JSMA method may take a few iterations to generate adversarial samples, the FGSM is computationally faster [42]. However, as opposed to FGSM which alters each feature, JSMA is a more complex and elaborate approach which represents more realistic attacks as it progressively alters a small percentage of features at a time. This allows for more realistic and finer grained AML attacks, as adversaries are able to define both the percentage of features to perturb and the amount of perturbation to include when generating the adversarial samples.
This work presents the use of JSMA in a grey-box attack, in which the attacker has no knowledge of the target model but has access to the full dataset and knowledge of features. Despite not knowing the target model, we can approximate samples that will cause the target model to misclassify using another model due to the transferability of adversarial samples across machine learning models [44].
In this case, the adversarial samples used in the experiments herein were generated using the JSMA method. A pre-trained MLP was used as the underlying model for the generation. The code implementation used to create the adversarial data was based on the CleverHans project [42]. Table IV shows the transformation of the features of a malicious data point using the JSMA method.

VI. EVALUATING SUPERVISED MODELS ON ADVERSARIAL SAMPLES
Both the trained Random Forest and J48 models presented in Section IV-B were first evaluated against the original testing dataset. The F1-scores achieved by both classifiers were 0.67 and 0.66 respectively. The confusion matrix in Table V shows how the predicted classes for each data point in the original testing dataset compare against the actual ones. In comparison to the Random Forest model, J48 demonstrated a high percentage of correct predictions, thus less often miclassifying the data points.
To explore how different combinations of the JSMA parameters affect the performance of the trained classifiers, adversarial samples were generated from all malicious data points present in the testing data by using a range of combinations of θ and γ. The adversarial samples were joined with the benign testing data points and subsequently presented to the trained models. Figures 4 and 5 report the overall weighted-averaged F1-scores for all adversarial combinations of JSMA's θ and γ parameters. Conversely, the classification performance of the Random Forest model achieved an increase in F1-scores for the majority of θ and γ pairs. This may indicate that Random Forest may be a more robust classifier in correctly discriminating between malicious and benign data points. However, when θ = 0.2, γ = 0.4, the model's classification performance decrease by 16 percentage points (F1-score = 0.57). Based on the dataset used in the experiments presented in this paper, θ = 0.2, γ = 0.4 would be the optimal parameter an adversary would use to successfully reduce the accuracy of a machine learning based IDS, subsequently diverting malicious data points.
These findings demonstrate the importance of parametertuning in applying JSMA for generating adversarial examples. The JSMA model is likely to be more robust under white-box conditions as it was designed but these results indicate that with careful parameter tuning, this approach can be adapted to work under black-box conditions. Although the F1-scores increase in some instances, the attacker is primarily interested in their malicious data points being classified as benign, such that an increase in F1-score is not necessarily undesirable from the attacker's perspective.
The confusion matrices in Tables VI and VII provide a better insight into the performance of the classifiers across the experiments. In comparison to the original classification distributions in Table V, both classifiers demonstrate a significant increase in false positives. That is, data points with an actual target value of malicious have been misclassified as being benign. On the other hand, when θ = 0.5, γ = 0.9, the Random Forest model's true positive distribution increases, which may explain as to why its F1-score also increases.

VII. DEFENDING ADVERSARIAL MACHINE LEARNING
A few methods towards defending AML attacks have been proposed in the literature. Two of the most popular techniques    [45] demonstrated that re-training the neural network on a dataset containing both the original and adversarial samples significantly improves its efficiency against adversarial samples. The latter technique involves the implementation of mechanisms that are capable of detecting the presence of such samples using direct classification, neural network uncertainty, or input processing [18]. However, these detection mechanisms have been found to be weak in defending AML [18], [46]. Subsequently, in this paper, the robustness of supervised machine learning classifiers against AML is further evaluated using adversarial training. In this case, a random sample of 20% of the adversarial data points in the testing dataset which significantly decreased the model's performance (Random Forest: θ = 0.2, γ = 0.4 and J48: θ = 0.1, γ = 0.3) were included in the original training dataset.
The experiments described in Sections IV-B and VI were repeated by retraining the models with the newly generated training data and applying such models on all unseen adversarial samples. Both the Random Forest and J48 models achieved cross-validation F1-scores of 0.94 and 0.89 respectively. Figures 6 and 7 report the overall weighted-averaged F1scores for all adversarial combinations of JSMA's θ and γ parameters following adversarial training. The results demonstrated that for both classifiers, including adversarial samples in the training data increased their classification performances. More specifically, Random Forest and J48 achieved F1-scores of 0.76 and 0.80 respectively, an increase of 2 and 11 percentage points in comparison to the classification performances reported in Figures 4 and 5.
The classification performances demonstrated by the Random Forest model achieves a greater overall increase in comparison to the J48 model. That is, for Random Forest, the classification performance for all combinations were improved. Whereas for J48, only around 30% of the classification performances increased significantly. This may imply that Random Forest is a more robust model towards classifying adversarial samples of all combinations of JSMA's θ and γ parameters. This is intuitive given Strauss et al.'s [7] demonstration that ensemble machine learning algorithms are more robust against adversarial techniques and Random Forests are ensembles of decision trees (such as J48).

VIII. CONCLUSION
Due to their effectiveness and flexibility, machine learning based IDSs are now recognised as fundamental tools for detecting cyber attacks in ICS systems. Nevertheless, such systems are vulnerable to attacks that may severely undermine or mislead their capabilities, commonly known as Adversarial Machine Learning (AML). Such attacks may have severe consequences in ICS infrastructures, as adversaries could potentially modify malicious data points in order to bypass the IDS, causing delayed attack detection and extensive damages.
Thus, it is evident that understanding the applicability of these attacks in ICS systems is necessary in order to develop more robust machine learning based IDSs. This paper explores how adversarial learning can be used to target supervised models by generating adversarial samples and exploring classification behaviours. To support the experiments presented herein, an authentic power system dataset was used to train and test widely used supervised machine learning classifiers. The testing data was presented to a JSMA in order to generate adversarial samples with a range of combinations that affect the amount of noise and the number of features to perturb. Such samples were evaluated against two of the best performing classifiers, Random Forest and J48. Overall, the classification performance for both models decreased by 16 and 20 percentage points when adversarial samples were present.
The analysis also includes the exploration of how such samples can support the robustness of supervised models using adversarial training. A random sample of 20% of the generated adversarial data points were included in the original training dataset. The models were retrained and applied on all unseen adversarial samples. Overall, the classification performance of the Random Forest model reported a greater increase in comparison to the J48 model. This demonstrates that Random Forest is a more robust model towards classifying adversarial samples of all combinations of JSMA parameters on the given dataset.

IX. FUTURE WORK
Although the experiments described in this paper have demonstrated that adversarial samples can successfully be generated using JSMA and affect the classification performance of state-of-the-art supervised models, it is important to note that there are several other methods of generating such samples to consider (e.g. Iterative Gradient Sign, Carlini Wagner, Generative Adversarial Networks). In this case, as part of future work, this study can be extended further to include different models as a source for generating adversarial samples. Moreover, AML should be further investigated against other models such as LSTMs.
Finally, the robustness of the supervised models was demonstrated using adversarial training. It is also important to note that this method may not always be sufficient as it is difficult to anticipate all possible types of adversarial machine learning attacks against a given system. Therefore, there is a need to investigate other possible defense mechanisms.