Adaptive learning anomaly detection and classification model for cyber and physical threats in industrial control systems

IF 1.7 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Gabriela Ahmadi-Assalemi, Haider Al-Khateeb, Vladlena Benson, Bogdan Adamyk, Meryem Ammi
DOI: 10.1049/cps2.70004
Journal: IET Cyber-Physical Systems: Theory and Applications, volume 10, issue 1
Publication type: Journal Article, published 2025-02-14
Article page: https://onlinelibrary.wiley.com/doi/10.1049/cps2.70004
PDF: https://onlinelibrary.wiley.com/doi/epdf/10.1049/cps2.70004
Citations: 0

Abstract

A surge of digital technologies adopted into Industrial Control Systems (ICS) exposes critical infrastructures to increasingly hostile and well-organised cybercrime. The increased need for flexibility and convenient administration expands the attack surface. Likewise, an insider with authorised access represents a difficult-to-detect attack vector. Because of the range of critical services that ICS provide, disruptions to operations could have devastating consequences, making ICS an attractive target for sophisticated threat actors. Hence, the authors introduce a novel anomalous behaviour detection model for ICS data streams from physical plant sensors. A model for one-class classification is developed, using stream rebalancing followed by adaptive machine learning algorithms coupled with drift detection methods to detect anomalies from physical plant sensor data. The authors' approach is demonstrated on ICS datasets. Additionally, a use case illustrates the model's applicability to post-incident investigations as part of a defence-in-depth capability in ICS. The experimental results show that the proposed model achieves an overall Matthews Correlation Coefficient (MCC) score of 0.999 and a Cohen's Kappa (K) score of 0.9986 on limited-variable, single-type anomalous behaviour per data stream. The results on wide data streams achieve an MCC score of 0.981 and a K score of 0.9808 in the presence of multiple types of anomalous instances.

Source journal: IET Cyber-Physical Systems: Theory and Applications (Computer Science: Computer Networks and Communications)
CiteScore: 5.40
Self-citation rate: 6.70%
Articles published: 17
Review time: 19 weeks