AI and Machine Learning for Anomaly Detection in ICS Environments
Abstract
Telemetry generated in ICS environments is both voluminous and hard to interpret with traditional, rule-based intrusion detection, so machine learning techniques have emerged to close the gap in ICS-specific detection. Machine learning, including supervised classification (e.g., Support Vector Machines or Decision Trees), unsupervised methods that learn a baseline of normal activity and flag deviations from it, and more recent deep models applied to time-series data, has been introduced and is increasingly used in ICS security settings. This survey introduces machine learning techniques for ICS anomaly detection, discusses the implementation patterns used to build productive ML-based intrusion detection systems around passive collection and analyst feedback loops, highlights the operational challenges commonly seen with such systems, and names specific problems encountered in deployment: false positive economics, model drift, training data scarcity, and an explainability gap that affects analyst work. The target audience is security engineers at facilities that operate industrial control systems. The survey aims to give a sense of the value, limitations and pitfalls of modern AI-driven intrusion detection and to equip readers to examine vendor claims for ML-based products more critically.
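The abstract names three of the deployment problems an ML-based ICS detector runs into: learning a baseline of normal activity without labelled attacks, the triage cost that false positives impose on analysts, and model drift when the process slowly moves away from the baseline the model was trained on. The block below is an added illustration, not code from the paper, and uses only the Python standard library. Everything in it is constructed: the tag name `LIT101`, the 1 Hz sampling rate, the "normal" readings, the spoofed step and the slow ramp are synthetic stand-ins for historian data. It fits a per-tag baseline on known-normal readings, measures the false positive rate on a held-out normal window and turns it into analyst hours per day, shows a step-change spoof being caught by a fixed z-score threshold, and adds a one-sided CUSUM that accumulates small residuals so that a slow drift is flagged long before any single reading looks abnormal.

```python
"""Unsupervised baseline anomaly detection on ICS process telemetry.

Added example (not code from the surveyed paper). All data is constructed:
the tag name, sampling rate, normal readings, injected step and drift are
synthetic stand-ins for real historian data.
"""
import random
import statistics
from dataclasses import dataclass

SAMPLES_PER_DAY = 86_400   # assumed 1 Hz sampling of a single process tag
TAG = "LIT101"             # hypothetical tank-level transmitter tag


@dataclass(frozen=True)
class Baseline:
    mean: float
    std: float


def fit_baseline(normal_readings):
    """Learn a per-tag mean/std from a window of known-normal readings.
    A floor on std keeps a flat-lining tag from turning every reading into an alert."""
    return Baseline(statistics.fmean(normal_readings),
                    max(statistics.pstdev(normal_readings), 1e-9))


def zscore(baseline, x):
    return (x - baseline.mean) / baseline.std


def detect(baseline, readings, threshold=3.0):
    """Indices of readings whose standardized deviation exceeds the threshold."""
    return [i for i, x in enumerate(readings) if abs(zscore(baseline, x)) > threshold]


def analyst_hours_per_day(false_positives, window_len, minutes_per_alert):
    """False positive economics: the triage load implied by the FP rate measured
    on a held-out normal window, scaled to one day of 1 Hz samples."""
    fp_rate = false_positives / window_len
    return fp_rate * SAMPLES_PER_DAY * minutes_per_alert / 60.0


class CusumDrift:
    """One-sided CUSUM on the standardized residual. A slow upward drift stays
    under a fixed z threshold for a long time, but its accumulated excess over
    the slack k does not; the limit h trades detection delay for false alarms."""

    def __init__(self, baseline, k=0.5, h=12.0):
        self.baseline, self.k, self.h, self.s = baseline, k, h, 0.0

    def update(self, x):
        """Feed one reading; return True once the accumulated drift exceeds h."""
        self.s = max(0.0, self.s + zscore(self.baseline, x) - self.k)
        return self.s > self.h


def first_alarm(detector, readings):
    """Index of the first reading that trips the detector, or None."""
    for i, x in enumerate(readings):
        if detector.update(x):
            return i
    return None


def make_telemetry(seed=0):
    """Constructed data: a level tag that sits at 500.0 +/- 5.0 units."""
    rng = random.Random(seed)

    def noise():
        return rng.gauss(0.0, 5.0)

    train = [500.0 + noise() for _ in range(500)]
    holdout = [500.0 + noise() for _ in range(500)]
    step_attack = [540.0 + noise() for _ in range(20)]            # spoofed +40 (8 sigma)
    slow_drift = [500.0 + 0.05 * i + noise() for i in range(300)]  # creeps +0.05/sample
    return train, holdout, step_attack, slow_drift


def run(seed=0):
    train, holdout, step_attack, slow_drift = make_telemetry(seed)
    b = fit_baseline(train)
    fp = len(detect(b, holdout))
    return {
        "baseline": b,
        "false_positives_on_holdout": fp,
        "analyst_hours_per_day": analyst_hours_per_day(fp, len(holdout), 15),
        "step_attack_hits": detect(b, step_attack),
        "fixed_threshold_first_drift_hit": (detect(b, slow_drift) or [None])[0],
        "cusum_false_alarm_on_holdout": first_alarm(CusumDrift(b), holdout),
        "cusum_first_drift_hit": first_alarm(CusumDrift(b), slow_drift),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{TAG} {key}: {value}")
```

The false positive rate is measured on a window the baseline was not fitted on, which is the number a vendor evaluation should quote; at 1 Hz even a 0.3% rate on one tag translates into hours of triage per day. The CUSUM is a drift detector, not an attack detector: when it fires, the right response is usually to investigate whether the process changed and refit the baseline, which is the feedback loop the abstract refers to.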
Article Information
Journal: International Journal of Advanced Engineering Science and Information Technology (IJAESIT)
Volume (Issue): Vol. 6 No. 3 (2023)
DOI: https://doi.org/10.15662/IJAESIT.2023.0603002
Pages: 11625-11631
Published: June 6, 2023
Copyright / Open Access: This work is licensed under a Creative Commons Attribution 4.0 International License.
How to Cite: Vilas Shewale (2023). AI and Machine Learning for Anomaly Detection in ICS Environments. International Journal of Advanced Engineering Science and Information Technology (IJAESIT), Vol. 6 No. 3 (2023), pp. 11625-11631. https://doi.org/10.15662/IJAESIT.2023.0603002