The Role of One-Class Classification in Detecting Cyberattacks in Critical Infrastructures
The security of critical infrastructures has gained a lot of attention in the past few years with the growth of cyberthreats and the diversity of cyberattacks. Although traditional IDS update frequently their databases of known attacks, new complex attacks are generated everyday to circumvent security systems and to make their detection nearly impossible. This paper outlines the importance of one-class classification algorithms in detecting malicious cyberattacks in critical infrastructures. The role of machine learning algorithms is complementary to IDS and firewalls, and the objective of this work is to detect intentional intrusions once they have already bypassed these security systems. Two approaches are investigated, Support Vector Data Description and Kernel Principal Component Analysis. The impact of the metric in kernels is investigated, and a heuristic for choosing the bandwidth parameter is proposed. Tests are conducted on real data with several types of cyberattacks.
KeywordsCritical infrastructures Intrusion detection One-class classification SCADA systems
The authors would like to thank Thomas Morris and the Mississippi state university SCADA Laboratory for providing the real SCADA dataset.
- 1.Stouffer, K., Falco, J., Kent, K.: Guide to supervisory control and data acquisition (scada) and industrial control systems security. Technical report, National Institute of Standards and Technology (NIST) (2006)Google Scholar
- 2.Fovino, I., Masera, M., Guidi, L., Carpi, G.: An experimental platform for assessing SCADA vulnerabilities and countermeasures in power plants. In: 3rd Conference on Human System Interactions (HSI), pp. 679–686 (2010)Google Scholar
- 7.Cárdenas, A.A., Amin, S., Lin, Z.S., Huang, Y.L., Huang, C.Y., Sastry, S.: Attacks against process control systems: risk assessment, detection, and response. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 355–366. ACM, New York (2011)Google Scholar
- 8.Gorman, S.: Electricity grid in U.S. Penetrated by spies. Wall Street J. (2008)Google Scholar
- 11.Urias, V., Van Leeuwen, B., Richardson, B.: Supervisory command and data acquisition (SCADA) system cyber security analysis using a live, virtual, and constructive (LVC) testbed. In: Military Communication Conference - MILCOM, pp. 1–8 (2012)Google Scholar
- 12.Yang, Y., McLaughlin, K., Littler, T., Sezer, S., Pranggono, B., Wang, H.: Intrusion detection system for IEC 60870-5-104 based SCADA networks. In: 2013 IEEE Power and Energy Society General Meeting (PES), pp. 1–5 (2013)Google Scholar
- 14.Gross, P., Parekh, J., Kaiser, G.: Secure selecticast for collaborative intrusion detection systems. In: 3rd International Workshop on Distributed Event-Based Systems (DEBS 2004), Edinburgh, Scotland, UK (2004)Google Scholar
- 16.Morris, T., Vaughn, R.B., Dandass, Y.S.: A testbed for SCADA control system cybersecurity research and pedagogy. In: CSIIRW, Oak Ridge, Tennessee (2011)Google Scholar
- 23.Noumir, Z., Honeine, P., Richard, C.: Online one-class machines based on the coherence criterion. In: Proceedings of the 20th European Conference on Signal Processing, Bucharest, Romania (2012)Google Scholar
- 25.Mazhelis, O.: One-class classifiers : a review and analysis of suitability in the context of mobile-masquerader detection. S. Afr. Comput. J. 36, 29–48 (2006)Google Scholar
- 27.Nader, P., Honeine, P., Beauseroy, P.: Intrusion detection in SCADA systems using one-class classification. In: Proceedings of the 21th European Conference on Signal Processing, Marrakech, Morocco (2013)Google Scholar