Title: CloudPAD
Authors: Sanjeev Rao, Majid Ghaderi, Hongwen Zhang
Published in: Proceedings of the 4th Workshop on CPS & IoT Security and Privacy (2022-11-07)
DOI: 10.1145/3560826.3563383 (https://doi.org/10.1145/3560826.3563383)
Citations: 3
Abstract
Modern attacks on Industrial Control Systems (ICSs) are the result of several colliding circumstances: historically insecure communication protocols, increased ICS connectivity, and the rise of state-sponsored attackers. Extensive research has been conducted on using anomaly detection (AD) to counter this; here, deviations from an ICS's normal operation are monitored to indicate potentially dangerous situations. However, most works either assume an on-site deployment, or focus only on the neural architecture and disregard the deployment environment altogether. For the former, failure to update local AD can result in otherwise preventable attacks going undetected; as for the latter, directly porting these architectures to a cloud deployment can result in stale predictions due to communication delays, timeout-induced gaps in predictions, and surcharges due to bandwidth costs. In this work, we present CloudPAD, an ICS anomaly detection pipeline that accounts for the issues introduced by an off-premises deployment and uses the ClozeLSTM, a neural network based on the Long Short-Term Memory (LSTM) architecture, to detect anomalies. We train and test the ClozeLSTM on the Secure Water Treatment (SWaT) dataset, and show that it outperforms an advanced attention baseline, with a precision-recall AUC of 0.797 vs. 0.717. We also discuss measures to minimize CloudPAD's bandwidth consumption, and show that performance remains competitive, with a decrease in PR AUC of at most 0.01 when running in this mode.