KingFisher: an Industrial Security Framework based on Variational Autoencoders
Authors: Giuseppe Bernieri, M. Conti, F. Turrin
Published in: Proceedings of the 1st Workshop on Machine Learning on Edge in Sensor Systems
Publication date: 2019-11-10
DOI: 10.1145/3362743.3362961 (https://doi.org/10.1145/3362743.3362961)
Citations: 12
Abstract
The recent evolution of edge computing has favored the growth of the Industrial Internet of Things (IIoT), opening dangerous vulnerability surfaces. In this distributed sensor system scenario, due to the insecure interactions between Information Technology (IT) and Operational Technology (OT) networks, cyber-physical threats could lead to destructive consequences for environments and population safety. To deal with industrial cyber-physical security, modern anomaly detection systems implement innovative Machine Learning (ML) techniques. Unfortunately, current solutions still fail to provide effective prevention of complex industrial threats. In this paper, we present KingFisher, an Intrusion Detection System (IDS) framework based on ML. KingFisher is, to the best of our knowledge, the first solution that looks independently at IT and OT traffic, but also at readings from sensors deployed to capture side-channel physical process data (e.g., vibrations, background noise). Thanks to this feature, KingFisher can detect attacks that other systems would ignore. As our tests report, the correlation of inferred physical process status with OT-network and IT-network data can give insights into suspicious and anomalous activities targeting industrial networks. For our framework, we use Variational Autoencoders (VAEs), an unsupervised neural network model, to categorize data without a priori knowledge of the dataset. We evaluate the detection capabilities and performance of KingFisher in a proof-of-concept simulated industrial scenario under cyber-physical attacks. Our preliminary results show that KingFisher identifies attacks on both network and physical layers.