Journal Home > Volume 26, Issue 6

Anomaly Detection of Industrial Control Systems Based on Transfer Learning

Weiping Wang, Zhaorong Wang, Zhanfan Zhou, Haixia Deng, Weiliang Zhao, Chunyang Wang, Yongzhen Guo
School of Computer and Communication Engineering, the Beijing Key Laboratory of Knowledge Engineering for Materials Science, and the Institute of Artificial Intelligence, University of Science and Technology Beijing, Beijing 100083, China
School of Automation and Electrical Engineering, University of Science and Technology Beijing, Beijing 100083, China
School of Mechanical Engineering, University of Science and Technology Beijing, Beijing 100083, China
Donlinks School of Economics and Management, University of Science and Technology Beijing, Beijing 100083, China
School of Automation, Beijing Institute of Technology, Beijing 100081
China Software Testing Center, Beijing 100048, China
Shunde Graduate School, University of Science and Technology Beijing, Guangzhou 528399, China

Abstract

Industrial Control Systems (ICSs) are the lifeline of a country. Therefore, the anomaly detection of ICS traffic is an important endeavor. This paper proposes a model based on a deep residual Convolution Neural Network (CNN) to prevent gradient explosion or gradient disappearance and guarantee accuracy. The developed methodology addresses two limitations: most traditional machine learning methods can only detect known network attacks and deep learning algorithms require a long time to train. The utilization of transfer learning under the modification of the existing residual CNN structure guarantees the detection of unknown attacks. One-dimensional ICS flow data are converted into two-dimensional grayscale images to take full advantage of the features of CNN. Results show that the proposed method achieves a high score and solves the time problem associated with deep learning model training. The model can give reliable predictions for unknown or differently distributed abnormal data through short-term training. Thus, the proposed model ensures the safety of ICSs and verifies the feasibility of transfer learning for ICS anomaly detection.

Keywords: deep learning, transfer learning, anomaly detection, Industrial Control System (ICS)


Publication history

Received: 02 September 2020
Accepted: 23 September 2020
Published: 09 June 2021
Issue date: December 2021

Copyright

© The author(s) 2021.

Acknowledgements

This work was supported in part by the 2018 industrial Internet innovation and development project "Construction of Industrial Internet Security Standard System and Test and Verification Environment", in part by the National Industrial Internet Security Public Service Platform, in part by the Fundamental Research Funds for the Central Universities (Nos. FRF-BD-19-012A and FRF-TP-19-005A3), in part by the National Natural Science Foundation of China (Nos. 81961138010, U1736117, and U1836106), and in part by the Technological Innovation Foundation of Shunde Graduate School, University of Science and Technology Beijing (No. BK19BF006).

Rights and permissions

The articles published in this open access journal are distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).
