TRACER: Attack-Aware Divide-and-Conquer Transformer for Intrusion Detection in Industrial Internet of Things

IF 11.7 1区计算机科学 Q1 AUTOMATION & CONTROL SYSTEMS

IEEE Transactions on Industrial Informatics Pub Date : 2025-03-18 DOI:10.1109/TII.2025.3547050

Minyue Wu;Ying Zheng;David Shan-Hill Wong;Yanwei Wang;Xiaoya Hu

{"title":"TRACER: Attack-Aware Divide-and-Conquer Transformer for Intrusion Detection in Industrial Internet of Things","authors":"Minyue Wu;Ying Zheng;David Shan-Hill Wong;Yanwei Wang;Xiaoya Hu","doi":"10.1109/TII.2025.3547050","DOIUrl":null,"url":null,"abstract":"Industrial Internet of Things (IIoT) enables smart factories, production, and logistics. However, any vulnerability in the network can lead to severe consequences for both industries and individuals. Being essential cybersecurity tools for IIoT, intrusion detection systems (IDS) play an important role in detecting network attacks. However, IDS can suffer from inaccuracy due to the rare nature of cyberattacks, a.k.a. sample imbalance. In this article, we introduce a transformer-based model termed aTtack-awaRe divide-And-ConquEr tRansformer (<sc>Tracer) for both anomaly detection and attack classification, which only needs network traffic data instead of content data. In particular, <sc>Tracer incorporates attack-aware learnable queries to enhance category-specific information. A hierarchical divide-and-conquer decoder is also designed tailored to these queries, which is effective in enhancing the accuracy of minority classes. <sc>Tracer aims to detect complex, imbalanced traffic attacks without the need for data balancing samplers or separate classifiers. <sc>Tracer achieves remarkable 98.8% accuracy in anomaly detection on the UNSW-NB15 dataset, with 0.3% false alarm rate. It also reports multiclass attack accuracy of 86.02%, 96.17%, and 99.48% on the UNSW-NB15, Edge-IIoT, and CICIDS-2017 dataset, respectively, increasing the detection accuracy by about 1%–10%. The results suggest our <sc>Tracer model shows potential to be an effective and easy-to-use solution for generic intrusion detection in IIoT.","PeriodicalId":13301,"journal":{"name":"IEEE Transactions on Industrial Informatics","volume":"21 6","pages":"4924-4934"},"PeriodicalIF":11.7000,"publicationDate":"2025-03-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Industrial Informatics","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10931790/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"AUTOMATION & CONTROL SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Industrial Internet of Things (IIoT) enables smart factories, production, and logistics. However, any vulnerability in the network can lead to severe consequences for both industries and individuals. Being essential cybersecurity tools for IIoT, intrusion detection systems (IDS) play an important role in detecting network attacks. However, IDS can suffer from inaccuracy due to the rare nature of cyberattacks, a.k.a. sample imbalance. In this article, we introduce a transformer-based model termed aTtack-awaRe divide-And-ConquEr tRansformer (Tracer) for both anomaly detection and attack classification, which only needs network traffic data instead of content data. In particular, Tracer incorporates attack-aware learnable queries to enhance category-specific information. A hierarchical divide-and-conquer decoder is also designed tailored to these queries, which is effective in enhancing the accuracy of minority classes. Tracer aims to detect complex, imbalanced traffic attacks without the need for data balancing samplers or separate classifiers. Tracer achieves remarkable 98.8% accuracy in anomaly detection on the UNSW-NB15 dataset, with 0.3% false alarm rate. It also reports multiclass attack accuracy of 86.02%, 96.17%, and 99.48% on the UNSW-NB15, Edge-IIoT, and CICIDS-2017 dataset, respectively, increasing the detection accuracy by about 1%–10%. The results suggest our Tracer model shows potential to be an effective and easy-to-use solution for generic intrusion detection in IIoT.

查看原文本刊更多论文

TRACER：用于工业物联网入侵检测的攻击感知分治变压器

工业物联网（IIoT）实现了智能工厂、智能生产和智能物流。然而，网络中的任何漏洞都可能给行业和个人带来严重后果。入侵检测系统（IDS）是工业物联网必不可少的网络安全工具，在检测网络攻击方面发挥着重要作用。然而，由于网络攻击的罕见性，IDS可能会出现不准确的情况，即样本不平衡。在本文中，我们介绍了一种基于转换器的模型，称为攻击感知分治转换器（Tracer），用于异常检测和攻击分类，它只需要网络流量数据，而不需要内容数据。特别是，Tracer集成了攻击感知的可学习查询，以增强特定类别的信息。还针对这些查询设计了分层分治解码器，有效地提高了少数类的准确性。Tracer旨在检测复杂的、不平衡的流量攻击，而不需要数据平衡采样器或单独的分类器。Tracer在UNSW-NB15数据集上的异常检测准确率达到了惊人的98.8%，虚警率为0.3%。在UNSW-NB15、Edge-IIoT和CICIDS-2017数据集上，多类攻击准确率分别达到86.02%、96.17%和99.48%，检测准确率提高约1%-10%。结果表明，我们的Tracer模型显示出成为工业物联网中通用入侵检测的有效且易于使用的解决方案的潜力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Industrial Informatics 工程技术-工程：工业

CiteScore

24.10

自引率

8.90%

发文量

1202

审稿时长

5.1 months

期刊介绍： The IEEE Transactions on Industrial Informatics is a multidisciplinary journal dedicated to publishing technical papers that connect theory with practical applications of informatics in industrial settings. It focuses on the utilization of information in intelligent, distributed, and agile industrial automation and control systems. The scope includes topics such as knowledge-based and AI-enhanced automation, intelligent computer control systems, flexible and collaborative manufacturing, industrial informatics in software-defined vehicles and robotics, computer vision, industrial cyber-physical and industrial IoT systems, real-time and networked embedded systems, security in industrial processes, industrial communications, systems interoperability, and human-machine interaction.