An unsupervised anomaly-based detection approach for integrity attacks on SCADA systems

Cited by: 84
Authors
Almalawi, Abdulmohsen [1 ,3 ]
Yu, Xinghuo [2 ]
Tari, Zahir [1 ]
Fahad, Adil [1 ,4 ]
Khalil, Ibrahim [1 ]
Affiliations
[1] RMIT Univ, Sch Comp Sci & Informat Technol, Melbourne, Vic 3001, Australia
[2] RMIT Univ, Sch Elect & Comp Engn, Melbourne, Vic 3001, Australia
[3] King Abdulaziz Univ, Fac Comp & IT, Jeddah 21413, Saudi Arabia
[4] Al Baha Univ, Dept Comp Sci, Al Baha City, Saudi Arabia
Funding
Australian Research Council;
Keywords
Unsupervised detection; Cyber-warfare; SCADA systems; Intrusion Detection System; Consistent/Inconsistent SCADA; Patterns; FRAMEWORK; DENSITY;
DOI
10.1016/j.cose.2014.07.005
CLC number
TP [Automation technology, computer technology];
Discipline code
080201 [Mechanical manufacturing and automation];
Abstract
Supervisory Control and Data Acquisition (SCADA) systems are a core part of industrial systems such as smart grid power and water distribution systems. In recent years, such systems have become highly vulnerable to cyber attacks. The design of efficient and accurate data-driven anomaly detection models has therefore become an important topic in the development of SCADA-specific Intrusion Detection Systems (IDSs) to counter such attacks. This paper proposes two novel techniques: (i) automatic identification of consistent and inconsistent states of SCADA data for any given system, and (ii) automatic extraction of proximity detection rules from the identified states. During the identification phase, the density factor of the k-nearest neighbours of an observation is adapted to compute its inconsistency score. An optimal inconsistency threshold is then calculated to separate inconsistent from consistent observations. During the extraction phase, the well-known fixed-width clustering technique is extended to extract proximity-detection rules, which form a small and most-representative data set for both inconsistent and consistent behaviours in the training data set. Extensive experiments were carried out on both real and simulated data sets, and we show that the proposed techniques provide significant accuracy and efficiency in detecting cyber attacks compared to three well-known anomaly detection approaches. Crown Copyright (C) 2014 Published by Elsevier Ltd. All rights reserved.
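The two-phase pipeline the abstract describes, as an added illustration in Python. This is not the authors' code and does not reproduce their exact formulas: the (pressure, flow) training data is constructed, the inconsistency score is simplified to the mean distance to the k nearest neighbours (an inverse local-density measure), the "optimal threshold" is taken as Otsu's two-class split of the scores, and the proximity rules are fixed-centre fixed-width clusters tagged with the majority label of their members. All of those are assumptions chosen so the example runs offline; the names `make_sample`, `inconsistency_scores`, `otsu_threshold`, `extract_rules`, `classify` and the constants `K_NEIGHBOURS`, `CLUSTER_WIDTH` are this example's own.

```python
"""Simplified illustration of the two-phase idea in the abstract:
(i) score observations by local k-NN density and split them into
consistent / inconsistent sets with an automatically chosen threshold,
then (ii) compress each set into a few proximity-detection rules by
fixed-width clustering. Added example, not the paper's code; the data,
the score, the threshold rule and the clustering variant are assumptions."""
import math
import random

K_NEIGHBOURS = 5      # assumption: neighbourhood size for the density score
CLUSTER_WIDTH = 1.0   # assumption: radius of a fixed-width cluster


def make_sample(n_normal=200, n_attack=6, seed=7):
    """Constructed unlabeled training set of (pressure, flow) readings.
    Normal rows follow flow ~= 0.4 * pressure; the last n_attack rows are
    injected integrity-attack readings that break that relation.
    `truth` is returned only so a test can check the outcome; the
    unsupervised pipeline itself never looks at it."""
    rng = random.Random(seed)
    rows, truth = [], []
    for _ in range(n_normal):
        p = rng.gauss(50.0, 1.0)
        rows.append((p, 0.4 * p + rng.gauss(0.0, 0.5)))
        truth.append(False)
    for _ in range(n_attack):
        rows.append((rng.gauss(50.0, 1.0), rng.uniform(0.0, 12.0)))
        truth.append(True)
    return rows, truth


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def inconsistency_scores(rows, k=K_NEIGHBOURS):
    """Inverse local density: mean distance from each observation to its
    k nearest neighbours. Observations in sparse regions score high."""
    scores = []
    for i, x in enumerate(rows):
        d = sorted(_dist(x, y) for j, y in enumerate(rows) if j != i)
        scores.append(sum(d[:k]) / k)
    return scores


def otsu_threshold(scores):
    """Data-driven two-class cut (Otsu): pick the split of the sorted
    scores that minimises the total within-class sum of squares."""
    s = sorted(scores)
    n = len(s)
    total, sq_total = sum(s), sum(v * v for v in s)
    lo_sum = lo_sq = 0.0
    best_cut, best_within = s[-1], float("inf")
    for i in range(1, n):                     # s[:i] low, s[i:] high
        lo_sum += s[i - 1]
        lo_sq += s[i - 1] ** 2
        n_lo, n_hi = i, n - i
        within = (lo_sq - lo_sum ** 2 / n_lo) + \
                 ((sq_total - lo_sq) - (total - lo_sum) ** 2 / n_hi)
        if within < best_within:
            best_within, best_cut = within, (s[i - 1] + s[i]) / 2
    return best_cut


def extract_rules(rows, inconsistent, width=CLUSTER_WIDTH):
    """Fixed-width clustering with fixed centres: an observation joins the
    first cluster whose centre lies within `width`, otherwise it starts a
    new cluster. Each cluster becomes one proximity rule (centre, is_bad),
    is_bad being the majority label of its members."""
    clusters = []                             # [centre, n_members, n_bad]
    for x, bad in zip(rows, inconsistent):
        for c in clusters:
            if _dist(x, c[0]) <= width:
                c[1] += 1
                c[2] += int(bad)
                break
        else:
            clusters.append([x, 1, int(bad)])
    return [(c[0], 2 * c[2] > c[1]) for c in clusters]


def classify(x, rules):
    """Proximity detection: label a new observation by its nearest rule."""
    _, bad = min(rules, key=lambda r: _dist(x, r[0]))
    return "inconsistent" if bad else "consistent"


def run_pipeline(seed=7):
    rows, truth = make_sample(seed=seed)
    scores = inconsistency_scores(rows)
    cut = otsu_threshold(scores)
    flags = [s > cut for s in scores]
    rules = extract_rules(rows, flags)
    return rows, truth, flags, rules


if __name__ == "__main__":
    rows, truth, flags, rules = run_pipeline()
    print(f"{len(rows)} observations -> {len(rules)} rules, "
          f"{sum(flags)} flagged inconsistent")
    for probe in [(50.0, 20.0), (50.0, 6.0)]:
        print(probe, classify(probe, rules))
```

The rule set is what a deployed detector would carry: a handful of centres instead of the whole training window, so a new reading is checked with a nearest-rule lookup rather than a full k-NN pass. Distances here are in raw units because both constructed features have comparable scale; on real SCADA tags (pressures, levels, set-points with very different ranges) the features must be standardised before either phase, otherwise the tag with the largest range dominates both the density score and the cluster width.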
Pages: 94 / 110
Page count: 17