Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 
WelshClear Cookie - decide language by browser settings

Multi-level anomaly detection in industrial control systems via package signatures and LSTM networks

Feng, Cheng, Li, Tingting ORCID: https://orcid.org/0000-0002-9448-1655 and Chana, Deeph 2017. Multi-level anomaly detection in industrial control systems via package signatures and LSTM networks. Presented at: 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Denver, CO, USA, 26-29 June 2017. 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). pp. 261-272. 10.1109/DSN.2017.34

[thumbnail of Li_DSN17.pdf]
Preview
PDF - Accepted Post-Print Version
Download (1MB) | Preview

Abstract

We outline an anomaly detection method for industrial control systems (ICS) that combines the analysis of network package contents that are transacted between ICS nodes and their time-series structure. Specifically, we take advantage of the predictable and regular nature of communication patterns that exist between so-called field devices in ICS networks. By observing a system for a period of time without the presence of anomalies we develop a base-line signature database for general packages. A Bloom filter is used to store the signature database which is then used for package content level anomaly detection. Furthermore, we approach time-series anomaly detection by proposing a stacked Long Short Term Memory (LSTM) network-based softmax classifier which learns to predict the most likely package signatures that are likely to occur given previously seen package traffic. Finally, by the inspection of a real dataset created from a gas pipeline SCADA system, we show that an anomaly detection scheme combining both approaches can achieve higher performance compared to various current state-of-the-art techniques.

Item Type: Conference or Workshop Item (Paper)
Date Type: Published Online
Status: Published
Schools: Computer Science & Informatics
ISBN: 9781538605431
ISSN: 2158-3927
Funders: EPSRC
Date of First Compliant Deposit: 22 November 2019
Date of Acceptance: 31 August 2017
Last Modified: 26 Oct 2022 08:16
URI: https://orca.cardiff.ac.uk/id/eprint/127039

Citation Data

Cited 170 times in Scopus. View in Scopus. Powered By Scopus® Data

Actions (repository staff only)

Edit Item Edit Item

Downloads

Downloads per month over past year

View more statistics