High-Performance Unsupervised Anomaly Detection for Cyber-Physical System Networks

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy Pub Date : 2018-01-15 DOI:10.1145/3264888.3264890

Peter Schneider, Konstantin Böttinger

{"title":"High-Performance Unsupervised Anomaly Detection for Cyber-Physical System Networks","authors":"Peter Schneider, Konstantin Böttinger","doi":"10.1145/3264888.3264890","DOIUrl":null,"url":null,"abstract":"While the ever-increasing connectivity of cyber-physical systems enlarges their attack surface, existing anomaly detection frameworks often do not incorporate the rising heterogeneity of involved systems. Existing frameworks focus on a single fieldbus protocol or require more detailed knowledge of the cyber-physical system itself. Thus, we introduce a uniform method and framework for applying anomaly detection to a variety of fieldbus protocols. We use stacked denoising autoencoders to derive a feature learning and packet classification method in one step. As the approach is based on the raw byte stream of the network traffic, neither specific protocols nor detailed knowledge of the application is needed. Additionally, we pay attention on creating an efficient framework which can also handle the increased amount of communication in cyber-physical systems. Our evaluation on a Secure Water Treatment dataset using EtherNet/IP and a Modbus dataset shows that we can acquire network packets up to 100 times faster than packet parsing based methods. However, we still achieve precision and recall metrics for longer lasting attacks of over 99%.","PeriodicalId":247918,"journal":{"name":"Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"62","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3264888.3264890","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 62

Abstract

While the ever-increasing connectivity of cyber-physical systems enlarges their attack surface, existing anomaly detection frameworks often do not incorporate the rising heterogeneity of involved systems. Existing frameworks focus on a single fieldbus protocol or require more detailed knowledge of the cyber-physical system itself. Thus, we introduce a uniform method and framework for applying anomaly detection to a variety of fieldbus protocols. We use stacked denoising autoencoders to derive a feature learning and packet classification method in one step. As the approach is based on the raw byte stream of the network traffic, neither specific protocols nor detailed knowledge of the application is needed. Additionally, we pay attention on creating an efficient framework which can also handle the increased amount of communication in cyber-physical systems. Our evaluation on a Secure Water Treatment dataset using EtherNet/IP and a Modbus dataset shows that we can acquire network packets up to 100 times faster than packet parsing based methods. However, we still achieve precision and recall metrics for longer lasting attacks of over 99%.

查看原文本刊更多论文

网络物理系统网络的高性能无监督异常检测

虽然网络物理系统的连通性不断增加，扩大了其攻击面，但现有的异常检测框架往往没有考虑到所涉及系统的异质性。现有的框架侧重于单一的现场总线协议，或者需要对网络物理系统本身有更详细的了解。因此，我们引入了一种统一的方法和框架，将异常检测应用于各种现场总线协议。我们使用叠置去噪自编码器，一步推导出一种特征学习和包分类方法。由于该方法基于网络流量的原始字节流，因此不需要特定的协议或应用程序的详细知识。此外，我们注重创建一个有效的框架，也可以处理网络物理系统中增加的通信量。我们对使用以太网/IP和Modbus数据集的安全水处理数据集的评估表明，我们获取网络数据包的速度比基于数据包解析的方法快100倍。然而，对于更长时间的攻击，我们仍然达到了超过99%的准确率和召回率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy

自引率

0.00%

发文量