The Role of One-Class Classification in Detecting Cyberattacks in Critical Infrastructures

  • Patric NaderEmail author
  • Paul Honeine
  • Pierre Beauseroy
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8985)


The security of critical infrastructures has gained a lot of attention in the past few years with the growth of cyberthreats and the diversity of cyberattacks. Although traditional IDS update frequently their databases of known attacks, new complex attacks are generated everyday to circumvent security systems and to make their detection nearly impossible. This paper outlines the importance of one-class classification algorithms in detecting malicious cyberattacks in critical infrastructures. The role of machine learning algorithms is complementary to IDS and firewalls, and the objective of this work is to detect intentional intrusions once they have already bypassed these security systems. Two approaches are investigated, Support Vector Data Description and Kernel Principal Component Analysis. The impact of the metric in kernels is investigated, and a heuristic for choosing the bandwidth parameter is proposed. Tests are conducted on real data with several types of cyberattacks.


Critical infrastructures Intrusion detection One-class classification SCADA systems 



The authors would like to thank Thomas Morris and the Mississippi state university SCADA Laboratory for providing the real SCADA dataset.


  1. 1.
    Stouffer, K., Falco, J., Kent, K.: Guide to supervisory control and data acquisition (scada) and industrial control systems security. Technical report, National Institute of Standards and Technology (NIST) (2006)Google Scholar
  2. 2.
    Fovino, I., Masera, M., Guidi, L., Carpi, G.: An experimental platform for assessing SCADA vulnerabilities and countermeasures in power plants. In: 3rd Conference on Human System Interactions (HSI), pp. 679–686 (2010)Google Scholar
  3. 3.
    Fovino, I., Coletta, A., Carcano, A., Masera, M.: Critical state-based filtering system for securing SCADA network protocols. IEEE Trans. Ind. Electron. 59, 3943–3950 (2012)CrossRefGoogle Scholar
  4. 4.
    Ten, C.W., Hong, J., Liu, C.C.: Anomaly detection for cybersecurity of the substations. IEEE Trans. Smart Grid 2, 865–873 (2011)CrossRefGoogle Scholar
  5. 5.
    Slay, J., Miller, M.: Lessons learned from the maroochy water breach. In: Goetz, E., Shenoi, S. (eds.) Critical Infrastructure Protection, pp. 73–82. Springer, US (2007)CrossRefGoogle Scholar
  6. 6.
    Christiansson, H., Luiijf, E.: Creating a European SCADA security testbed. In: Goetz, E., Shenoi, S. (eds.) Critical Infrastructure Protection. IFIP International Federation for Information Processing, vol. 253, pp. 237–247. Springer, US (2007)CrossRefGoogle Scholar
  7. 7.
    Cárdenas, A.A., Amin, S., Lin, Z.S., Huang, Y.L., Huang, C.Y., Sastry, S.: Attacks against process control systems: risk assessment, detection, and response. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 355–366. ACM, New York (2011)Google Scholar
  8. 8.
    Gorman, S.: Electricity grid in U.S. Penetrated by spies. Wall Street J. (2008)Google Scholar
  9. 9.
    Chen, T., Abu-Nimeh, S.: Lessons from stuxnet. Computer 44, 91–93 (2011)CrossRefGoogle Scholar
  10. 10.
    Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9, 49–51 (2011)CrossRefGoogle Scholar
  11. 11.
    Urias, V., Van Leeuwen, B., Richardson, B.: Supervisory command and data acquisition (SCADA) system cyber security analysis using a live, virtual, and constructive (LVC) testbed. In: Military Communication Conference - MILCOM, pp. 1–8 (2012)Google Scholar
  12. 12.
    Yang, Y., McLaughlin, K., Littler, T., Sezer, S., Pranggono, B., Wang, H.: Intrusion detection system for IEC 60870-5-104 based SCADA networks. In: 2013 IEEE Power and Energy Society General Meeting (PES), pp. 1–5 (2013)Google Scholar
  13. 13.
    Bigham, J., Gamez, D., Lu, N.: Safeguarding SCADA systems with anomaly detection. In: Gorodetsky, V., Popyack, L.J., Skormin, V.A. (eds.) MMM-ACNS 2003. LNCS, vol. 2776, pp. 171–182. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Gross, P., Parekh, J., Kaiser, G.: Secure selecticast for collaborative intrusion detection systems. In: 3rd International Workshop on Distributed Event-Based Systems (DEBS 2004), Edinburgh, Scotland, UK (2004)Google Scholar
  15. 15.
    Carcano, A., Coletta, A., Guglielmi, M., Masera, M., Fovino, I., Trombetta, A.: A multidimensional critical state analysis for detecting intrusions in SCADA systems. IEEE Trans. Ind. Inf. 7, 179–186 (2011)CrossRefGoogle Scholar
  16. 16.
    Morris, T., Vaughn, R.B., Dandass, Y.S.: A testbed for SCADA control system cybersecurity research and pedagogy. In: CSIIRW, Oak Ridge, Tennessee (2011)Google Scholar
  17. 17.
    Morris, T., Srivastava, A., Reaves, B., Gao, W., Pavurapu, K., Reddi, R.: A control system testbed to validate critical infrastructure protection concepts. Int. J. Crit. Infrastruct. Prot. 4, 88–103 (2011)CrossRefGoogle Scholar
  18. 18.
    Hofmann, T., Schölkopf, B., Smola, A.J.: Kernel methods in machine learning. Ann. Stat. 36, 1171–1220 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Shawe-Taylor, J., Cristianini, N.: Kernel Methods for Pattern Analysis. Cambridge University Press, New York (2004)CrossRefzbMATHGoogle Scholar
  20. 20.
    Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: a survey. ACM Comput. Surv. 41, 15:1–15:58 (2009)CrossRefGoogle Scholar
  21. 21.
    Tax, D.M.J., Duin, R.P.W.: Support vector data description. Mach. Learn. 54, 45–66 (2004)CrossRefzbMATHGoogle Scholar
  22. 22.
    Schölkopf, B., Smola, A., Müller, K.R.: Nonlinear component analysis as a kernel eigenvalue problem. Neural Comput. 10, 1299–1319 (1998)CrossRefGoogle Scholar
  23. 23.
    Noumir, Z., Honeine, P., Richard, C.: Online one-class machines based on the coherence criterion. In: Proceedings of the 20th European Conference on Signal Processing, Bucharest, Romania (2012)Google Scholar
  24. 24.
    Khan, S.S., Madden, M.G.: A survey of recent trends in one class classification. In: Coyle, L., Freyne, J. (eds.) AICS 2009. LNCS, vol. 6206, pp. 188–197. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  25. 25.
    Mazhelis, O.: One-class classifiers : a review and analysis of suitability in the context of mobile-masquerader detection. S. Afr. Comput. J. 36, 29–48 (2006)Google Scholar
  26. 26.
    Hoffmann, H.: Kernel PCA for novelty detection. Pattern Recogn. 40, 863–874 (2007)CrossRefzbMATHGoogle Scholar
  27. 27.
    Nader, P., Honeine, P., Beauseroy, P.: Intrusion detection in SCADA systems using one-class classification. In: Proceedings of the 21th European Conference on Signal Processing, Marrakech, Morocco (2013)Google Scholar
  28. 28.
    Schölkopf, B., Platt, J.C., Shawe-Taylor, J.C., Smola, A.J., Williamson, R.C.: Estimating the support of a high-dimensional distribution. Neural Comput. 13, 1443–1471 (2001)CrossRefzbMATHGoogle Scholar
  29. 29.
    Soares, C., Brazdil, P.B., Kuba, P.: A meta-learning method to select the kernel width in support vector regression. Mach. Learn. 54, 195–209 (2004)CrossRefzbMATHGoogle Scholar
  30. 30.
    Cherkassky, V., Ma, Y.: Practical selection of SVM parameters and noise estimation for SVM regression. Neural Netw. 17, 113–126 (2004)CrossRefzbMATHGoogle Scholar
  31. 31.
    Gurram, P., Kwon, H.: Support-vector-based hyperspectral anomaly detection using optimized kernel parameters. IEEE Geosci. Remote Sens. Lett. 8, 1060–1064 (2011)CrossRefGoogle Scholar
  32. 32.
    Haykin, S.: Neural Networks: A Comprehensive Foundation, 2nd edn. Prentice Hall, Upper Saddle River (1998)zbMATHGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Institut Charles Delaunay (CNRS)Université de Technologie de TroyesTroyesFrance

Personalised recommendations