Abstract
Recent adversaries targeting Industrial Control Systems (ICSs) have started exploiting their sophisticated inherent contextual semantics, such as the data associativity among heterogeneous field devices. Because these semantics are subtle, anomalies triggered by such interactions tend to be extremely covert, which makes their detection very challenging. Driven by the critical demands of securing ICS processes, a Graph-Neural-Network (GNN) based method is presented to tackle these subtle hostile activities by leveraging an ICS’s advanced contextual features refined from a universal (graph-wide) perspective, rather than exclusively following GNN’s conventional local aggregation paradigm. Specifically, we design and implement the Graph Sample-and-Integrate Network (GSIN), a general chained framework performing node-level anomaly detection via advanced feature integration, which combines a node’s local awareness with the graph’s prominent global properties extracted via process-oriented pooling. The proposed GSIN is evaluated on multiple well-known datasets with different kinds of integration configurations, and the results consistently demonstrate its superiority over recent representative baselines, not only in anomaly detection performance (e.g., F1 score and AUPRC) but also in runtime efficiency.
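The abstract's central idea, a node-level anomaly score that integrates a device's local neighbourhood aggregate with pooled global properties of the whole device graph, can be illustrated with a small numerical model. The following block is an added example written for this page; it is not the GSIN implementation or any code from the paper, and it replaces the learned GNN layers with a hand-built analogue: GraphSAGE-style fixed-size neighbour sampling plus mean aggregation for the local part, mean/std pooling over all nodes for the global part, and a per-node Gaussian profile (Mahalanobis distance) fitted on normal snapshots for scoring. The six-device graph, the nominal readings in `BASE`, the shared process drift and the noise level are all constructed assumptions, chosen so that the injected anomaly (one device that ignores the drift the rest of the process follows) stays inside that device's own marginal range and is only visible from its relation to its neighbours and to the graph as a whole.

```python
import numpy as np

# Constructed toy ICS graph: six field devices (e.g. level sensors along one
# process line); edges encode the data associativity between devices.
NUM_NODES = 6
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (0, 5), (1, 4)]
BASE = np.array([1.0, 2.0, 3.0, 4.0, 5.0, 6.0])  # assumed nominal reading per device


def build_adjacency(num_nodes, edges):
    """Undirected adjacency as sorted neighbour lists."""
    adj = [set() for _ in range(num_nodes)]
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return [sorted(s) for s in adj]


def sample_neighbors(neighbors, k, rng):
    """GraphSAGE-style fixed-size neighbour sample (all of them if degree <= k)."""
    if len(neighbors) <= k:
        return list(neighbors)
    return sorted(rng.choice(neighbors, size=k, replace=False))


def local_aggregate(x, adj, k, rng):
    """Local awareness per node: [own reading, mean reading of sampled neighbours]."""
    rows = []
    for v, nb in enumerate(adj):
        picked = sample_neighbors(nb, k, rng)
        rows.append([x[v], x[picked].mean() if picked else 0.0])
    return np.array(rows)


def global_pool(x):
    """Graph-level summary broadcast to every node: [mean, std] over all devices."""
    return np.array([x.mean(), x.std()])


def integrate(x, adj, k, rng):
    """Integrated per-node feature: local aggregate joined with the global pool."""
    local = local_aggregate(x, adj, k, rng)
    g = np.tile(global_pool(x), (len(adj), 1))
    return np.hstack([local, g])  # shape (num_nodes, 4)


def make_snapshot(rng, drift=None, deviant=None):
    """One snapshot of readings: a shared process drift plus per-device noise.
    If `deviant` is given, that device reports the opposite drift, i.e. a value
    that is still inside its own normal range but inconsistent with the process."""
    d = rng.uniform(-1.0, 1.0) if drift is None else drift
    x = BASE + d + rng.normal(0.0, 0.05, size=NUM_NODES)
    if deviant is not None:
        x[deviant] = BASE[deviant] - d + rng.normal(0.0, 0.05)
    return x


def fit_profiles(snapshots, adj, k, rng, ridge=1e-6):
    """Per-node Gaussian profile (mean, precision matrix) of the integrated
    features, plus per-node mean/std of the raw reading for a marginal baseline."""
    embs = np.stack([integrate(x, adj, k, rng) for x in snapshots])  # (T, N, 4)
    raw = np.stack(snapshots)                                         # (T, N)
    profiles = []
    for v in range(len(adj)):
        mu = embs[:, v].mean(axis=0)
        cov = np.cov(embs[:, v], rowvar=False) + ridge * np.eye(embs.shape[2])
        profiles.append((mu, np.linalg.inv(cov)))
    return profiles, (raw.mean(axis=0), raw.std(axis=0))


def integrated_scores(x, profiles, adj, k, rng):
    """Mahalanobis distance of each node's integrated feature from its profile."""
    h = integrate(x, adj, k, rng)
    return np.array([float(np.sqrt((h[v] - mu) @ prec @ (h[v] - mu)))
                     for v, (mu, prec) in enumerate(profiles)])


def marginal_scores(x, raw_profile):
    """Baseline that inspects each reading in isolation: |z-score| of the raw value."""
    mu, sd = raw_profile
    return np.abs((x - mu) / sd)


def demo(seed=0, k=3):
    """Fit on normal snapshots, then score a snapshot in which the process drifts
    to +0.8 while device 2 reports -0.8. Returns (marginal, integrated) scores."""
    rng = np.random.default_rng(seed)
    adj = build_adjacency(NUM_NODES, EDGES)
    normal = [make_snapshot(rng) for _ in range(300)]
    profiles, raw_profile = fit_profiles(normal, adj, k, rng)
    anomalous = make_snapshot(np.random.default_rng(seed + 1), drift=0.8, deviant=2)
    return marginal_scores(anomalous, raw_profile), integrated_scores(anomalous, profiles, adj, k, rng)


if __name__ == "__main__":
    marg, integ = demo()
    for v in range(NUM_NODES):
        print(f"device {v}: marginal |z|={marg[v]:.2f}  integrated={integ[v]:.2f}")
```

With `k=3` every device's full neighbourhood is sampled, so the run is deterministic. The marginal baseline sees nothing unusual about device 2 (its reading of about 2.2 lies well within the range it normally reports), whereas the integrated score singles it out, and the pooled graph std also lifts every device's score somewhat because the process as a whole is no longer in a state seen during training. That separation between a covert, context-dependent deviation and a per-device threshold is the gap the abstract describes the global-plus-local integration as closing.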
Index Terms
- GNN-based Advanced Feature Integration for ICS Anomaly Detection