Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks
2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2017)
Denver, CO, United States
June 26, 2017 to June 29, 2017
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/DSN.2017.34
We outline an anomaly detection method for industrial control systems (ICS) that combines analysis of the contents of network packages transacted between ICS nodes with analysis of their time-series structure. Specifically, we take advantage of the predictable and regular nature of the communication patterns that exist between so-called field devices in ICS networks. By observing a system for a period of time without the presence of anomalies, we build a baseline signature database for general packages. A Bloom filter is used to store the signature database, which is then used for package content-level anomaly detection. Furthermore, we approach time-series anomaly detection by proposing a stacked Long Short-Term Memory (LSTM) network-based softmax classifier, which learns to predict the package signatures most likely to occur next given the package traffic seen so far. Finally, by inspecting a real dataset created from a gas pipeline SCADA system, we show that an anomaly detection scheme combining both approaches can achieve higher performance than various current state-of-the-art techniques.
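As an added illustration (not code from the paper or its authors), the content-level stage described above: a signature database is learned from an anomaly-free observation window, stored in a Bloom filter, and queried for every subsequent package. The signature fields, the Modbus-style sample traffic and the SHA-256-based hash positions are assumptions; the LSTM time-series stage is not shown.

```python
import hashlib

# Constructed sample traffic, not the paper's gas-pipeline dataset. Each package is
# reduced to the fields the signature is assumed to be built from here:
# (source, destination, Modbus function code, register address).
BASELINE = [
    ("master", "plc1", 3, 100),   # read holding registers
    ("plc1", "master", 3, 100),   # reply
    ("master", "plc1", 16, 200),  # write multiple registers
    ("plc1", "master", 16, 200),  # reply
]
OBSERVED = BASELINE + [
    ("master", "plc1", 5, 0),     # write single coil: absent from baseline
    ("master", "plc2", 3, 100),   # request to a slave never seen in baseline
]

def signature(pkt):
    """Assumed package signature: the selected fields joined canonically."""
    return "|".join(str(f) for f in pkt)

class BloomFilter:
    """Minimal Bloom filter; k bit positions per item from SHA-256('i:sig')."""
    def __init__(self, m_bits=4096, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, sig):
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{sig}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, sig):
        for p in self._positions(sig):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, sig):
        # No false negatives: every baseline signature is reported as known.
        # False positives are possible but negligible at 4 items in 4096 bits, k=3.
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(sig))

def build_baseline(packets):
    """Learn the signature database from an anomaly-free observation window."""
    bf = BloomFilter()
    for pkt in packets:
        bf.add(signature(pkt))
    return bf

def detect(bf, packets):
    """Indexes of packages whose signature is not in the baseline filter."""
    return [i for i, pkt in enumerate(packets) if signature(pkt) not in bf]
```

Flagged packages are candidates for the time-series stage, which the paper adds on top of this check; a Bloom filter's only error mode is a false positive, so a genuinely new signature can be missed but a baseline one is never flagged.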
Integrated circuits, Anomaly detection, Detectors, Intrusion detection, Protocols, Databases
C. Feng, T. Li and D. Chana, "Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks," 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Denver, CO, United States, 2017, pp. 261-272.