A transformer-enhanced LSTM framework for robust malicious traffic detection in industrial control systems
Fang Wang, Yuxuan Liu, Zhongyuan Qin, Fang Dong
Knowledge-Based Systems, volume 321, Article 113725 (Journal Article). Publication date: 2025-05-07.
DOI: 10.1016/j.knosys.2025.113725
URL: https://www.sciencedirect.com/science/article/pii/S0950705125007713
Journal impact factor: 7.6; JCR: Q1 (Computer Science, Artificial Intelligence)
Citation count: 0
Abstract
Industrial control systems (ICS) play a vital role in ensuring the safe and efficient operation of critical infrastructures, including power grids, pipelines, and water treatment facilities. The detection of malicious traffic in ICS environments is inherently difficult due to the complexity and diversity of traffic characteristics. In this paper we propose a novel approach to malicious traffic classification in ICS by harnessing the strengths of both the Long Short-Term Memory (LSTM) model and the Transformer architecture. Considering the temporal nature of ICS traffic data, we integrate the Transformer's embedding and encoder layers into our model to effectively extract sequential features. Additionally, we focus on meticulous feature engineering of the ICS flow dataset, which is essential for accurately capturing feature relevance during model training. In addition, we employ a composite correlation calculation method as an imputation matrix, ensuring that the model training is robust and the feature relationships are accurately represented. Extensive experiments are carried out on the SCADA flow dataset, which includes a variety of scenarios from natural gas pipelines and water tanks, predominantly based on the Modbus protocol. Our model's performance is benchmarked against seven other models. The results show that our hybrid model outperforms the other methods, making it a promising solution for identifying malicious flows in industrial control systems.
About the journal:
Knowledge-Based Systems, an international and interdisciplinary journal in artificial intelligence, publishes original, innovative, and creative research results in the field. It focuses on knowledge-based and other artificial intelligence techniques-based systems. The journal aims to support human prediction and decision-making through data science and computation techniques, provide a balanced coverage of theory and practical study, and encourage the development and implementation of knowledge-based intelligence models, methods, systems, and software tools. Applications in business, government, education, engineering, and healthcare are emphasized.