A three-tiered intrusion detection system for industrial control systems
Journal of Cybersecurity (IF 2.9), Pub Date: 2021-03-01, DOI: 10.1093/cybsec/tyab006
Eirini Anthi 1, Lowri Williams 1, Pete Burnap 1, Kevin Jones 2
This article presents a three-tiered intrusion detection system that uses a supervised approach to detect cyber-attacks in industrial control system networks. The proposed approach aims not only to identify malicious packets on the network but also to identify the general and the finer-grained type of attack occurring on the network. This is key in the industrial control system environment, as the ability to identify the exact attack type improves the response to the incident and the defence of the infrastructure. More specifically, the proposed system consists of three stages that aim to classify: (i) whether packets are malicious; (ii) the general attack type of malicious packets (e.g. Denial of Service); and (iii) the finer-grained attack (e.g. bad cyclic redundancy check attack). The effectiveness of the proposed intrusion detection system is evaluated on network data collected from a real industrial gas pipeline system. In addition, an insight is provided as to which features are most relevant in detecting such malicious behaviour. The system achieves an F-measure of (i) 87.4%, (ii) 74.5% and (iii) 41.2% for the three layers, respectively. This demonstrates that the proposed architecture can successfully distinguish whether network activity is malicious and detect which general attack was deployed.
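The following is an added example, not the paper's code, feature set or gas-pipeline dataset: a dependency-free sketch of the three-stage cascade the abstract describes, so the hierarchy (benign/malicious, then general attack type, then finer-grained variant) and its per-tier F-measure can be seen on concrete records. The learner (a nearest-centroid classifier on z-scored features), the five packet features, every record, and the label names other than "dos" and "bad_crc" are constructed assumptions; so is the evaluation rule that a packet tier 1 misses counts as an error at tiers 2 and 3, which is what makes the lower tiers' scores fall below tier 1's.

```python
"""Three-tier cascade IDS sketch (added example; not the paper's code or data)."""
import math
from collections import defaultdict

# Constructed feature order: Modbus-style function code, payload length,
# crc_ok (1 good / 0 bad), inter-arrival time in ms, |setpoint delta|.
# Record shape: (features, general_label, fine_label); benign rows use None.
TRAIN = [
    ((3, 12, 1, 100, 0), None, None),                 # routine register read
    ((3, 12, 1, 110, 1), None, None),
    ((3, 12, 1, 95, 0), None, None),
    ((16, 20, 1, 105, 2), None, None),                # small legitimate write
    ((3, 12, 1, 1, 0), "dos", "flood"),               # request flood
    ((3, 12, 1, 2, 0), "dos", "flood"),
    ((3, 12, 0, 100, 0), "dos", "bad_crc"),           # bad cyclic redundancy check
    ((3, 12, 0, 98, 0), "dos", "bad_crc"),
    ((16, 20, 1, 100, 90), "injection", "setpoint"),  # hypothetical label names
    ((16, 20, 1, 102, 85), "injection", "setpoint"),
]
TEST = [  # constructed held-out records
    ((3, 12, 1, 103, 0), None, None),
    ((16, 20, 1, 99, 3), None, None),
    ((3, 12, 1, 1, 0), "dos", "flood"),
    ((3, 12, 0, 101, 0), "dos", "bad_crc"),
    ((16, 20, 1, 101, 88), "injection", "setpoint"),
    ((3, 12, 1, 60, 0), None, None),
    # Borderline write with a modest delta: tier 1 calls it benign, so the
    # lower tiers never see it. Included to show how a miss propagates.
    ((16, 20, 1, 100, 10), "injection", "setpoint"),
]


class NearestCentroid:
    """Minimal nearest-centroid classifier on per-feature z-scored inputs."""

    def fit(self, xs, ys):
        n = len(xs[0])
        self.mean = [sum(x[i] for x in xs) / len(xs) for i in range(n)]
        self.std = [max(math.sqrt(sum((x[i] - self.mean[i]) ** 2 for x in xs) / len(xs)), 1e-9)
                    for i in range(n)]
        groups = defaultdict(list)
        for x, y in zip(xs, ys):
            groups[y].append(self._scale(x))
        self.centroids = {y: [sum(v[i] for v in vs) / len(vs) for i in range(n)]
                          for y, vs in groups.items()}
        return self

    def _scale(self, x):
        return [(x[i] - self.mean[i]) / self.std[i] for i in range(len(x))]

    def predict(self, x):
        z = self._scale(x)
        return min(self.centroids, key=lambda y: sum((a - b) ** 2 for a, b in zip(z, self.centroids[y])))


class ThreeTierIDS:
    """Cascade: tier 1 sees all packets; tiers 2 and 3 are trained on malicious packets only."""

    def fit(self, records):
        xs = [x for x, _, _ in records]
        self.tier1 = NearestCentroid().fit(xs, ["malicious" if g else "benign" for _, g, _ in records])
        mal = [r for r in records if r[1] is not None]
        self.tier2 = NearestCentroid().fit([x for x, _, _ in mal], [g for _, g, _ in mal])
        self.tier3 = NearestCentroid().fit([x for x, _, _ in mal], [f for _, _, f in mal])
        return self

    def classify(self, x):
        """Return (verdict, general_type, fine_type); benign packets stop at tier 1."""
        if self.tier1.predict(x) == "benign":
            return ("benign", None, None)
        return ("malicious", self.tier2.predict(x), self.tier3.predict(x))


def macro_f1(y_true, y_pred):
    """Macro-averaged F-measure over the labels present in y_true."""
    scores = []
    for lab in sorted(set(y_true)):
        tp = sum(1 for t, p in zip(y_true, y_pred) if t == lab and p == lab)
        fp = sum(1 for t, p in zip(y_true, y_pred) if t != lab and p == lab)
        fn = sum(1 for t, p in zip(y_true, y_pred) if t == lab and p != lab)
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        scores.append(2 * prec * rec / (prec + rec) if prec + rec else 0.0)
    return sum(scores) / len(scores)


def evaluate(ids, records):
    """Per-tier F-measure. Assumption: a malicious packet that tier 1 misses
    is scored as an error at tiers 2 and 3 as well (the cascade never labels it)."""
    preds = [ids.classify(x) for x, _, _ in records]
    f1_tier1 = macro_f1(["malicious" if g else "benign" for _, g, _ in records], [p[0] for p in preds])
    mal = [i for i, (_, g, _) in enumerate(records) if g is not None]
    f1_tier2 = macro_f1([records[i][1] for i in mal], [preds[i][1] or "missed" for i in mal])
    f1_tier3 = macro_f1([records[i][2] for i in mal], [preds[i][2] or "missed" for i in mal])
    return f1_tier1, f1_tier2, f1_tier3


def build_ids():
    return ThreeTierIDS().fit(TRAIN)


if __name__ == "__main__":
    ids = build_ids()
    for x, g, f in TEST:
        print(x, "truth:", (g, f), "->", ids.classify(x))
    print("F-measure per tier:", [round(v, 3) for v in evaluate(ids, TEST)])
```

Two design points carry over to a real deployment: tiers 2 and 3 are fit only on packets already labelled malicious, so their training sets are much smaller and their class boundaries finer, which is one reason to expect lower scores at each deeper tier; and because every packet passes through tier 1 first, a tier-1 false negative is invisible to the finer tiers, so the per-tier numbers should be read as cascade performance rather than as independent classifiers.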

Updated: 2021-03-01