Industrial intrusion detection based on the behavior of rotating machine

https://doi.org/10.1016/j.ijcip.2021.100424

Abstract

In this study, a new industrial intrusion detection method is introduced for the control system of rotating machines, which are critical assets in many industries. Data tampering is a major attack on control systems that disrupts the functionality of the asset. Hence, our objective is to detect data manipulations in the system. We use the behavior of the rotating machine, together with machine learning techniques, to propose a new industrial intrusion detection method for its control system. The behavior is elicited from sensor data under all conditions of the rotating machine's operation. In this work, nonlinear regression, novelty detection, outlier detection, and classification approaches are implemented to create the behavioral model. In each implementation, online data are compared with the data of the behavior prediction model during the operation of the rotating machine to detect any abnormality. According to our experimental results, the accuracy of the behavioral models created by the One-Class SVM novelty detection, k-Nearest Neighbor (kNN) outlier detection, decision tree classifier, k-Neighbors classifier, random forest classifier, and AdaBoost classifier is 0.98, 0.994, 0.999, 0.999, 0.999, and 0.999, respectively. The results indicate that the proposed industrial intrusion detection method is able to detect data tampering attacks on the control system of rotating machines very accurately.

Introduction

The physical world is controlled by the Industrial Control System (ICS); therefore, some significant risks must be considered, including the "safety of human lives, serious damage to the environment, and production losses" [1], [2], [3]. Consequently, the ICS is considered a central part of critical infrastructures. Security protections must be in place to maintain the integrity and safety of the physical system during normal operations and cyber-attacks [4]. ICS manufacturers utilize advanced information technology to increase corporate connectivity and remote access capabilities, minimize operational overheads, and achieve optimum resource utilization and market globalization [5]. Therefore, ICSs have become more similar to Information Technology (IT) systems. Unfortunately, this has made ICSs significantly less secure than their predecessor systems. According to the Kaspersky report for the first half of 2019, 41.6% of ICS computers in the energy sector were infected by malicious activities [6]. Thus, there is an urgent need to secure these systems. Strategies covering people, processes, and technologies are needed to enhance the security of ICS comprehensively.

Security solutions that have been designed for ICSs cannot be compared to those for IT systems [7]. Any solution must be used without interfering with the system; for instance, the anti-virus software applied in IT systems cannot be easily installed and used in an ICS [4]. Unfortunately, cyber security has not been considered sufficiently in most ICSs [3,8]. In many cases, designers of ICSs believe that disconnection from the internet is the only solution for cyber security.

In recent attacks on control systems, data tampering has become one of the main goals of the attacker, especially against rotating machines, which are critical assets in many industries. There are some critical input-output signals in the control system of a rotating machine that can disrupt its performance if they are tampered with by a hacker or malware. This can also cause significant harm to the rotating machine or the industrial plant. For instance, Stuxnet would be classified as a Cyber-Physical System (CPS) malware developed to harm centrifuge machines [8,9].

Traditionally, Network-based Intrusion Detection Systems (NIDSs) are used to deal with network intrusions using signatures of the attacks or traffic behavior. However, the attacker can exploit regular traffic (without any signature or change in the traffic pattern) by varying some critical input-outputs; therefore, it seems impossible to detect the data tampering attack using conventional IDSs.

To address this concern, some efforts have been made to introduce new intrusion/threat detection methods for Cyber-Physical Systems (CPSs) based on process-oriented, behavior-based intrusion detection [10,11]. These efforts are presented in more detail in Section 2.

This paper introduces a method for industrial intrusion detection systems based on the behavior of rotating machines. Most papers have used predefined datasets or data from a testbed to create the model. In most rotating machines, the physical and process features are not exactly the same, even in machines of the same model and brand. Therefore, there is a concern about using the same dataset, or a predefined dataset created from testbed data, to implement an intrusion detection system, especially one that detects data tampering attacks, for all rotating machines. This study addresses that concern. We use real data from an operational machine (not a testbed) to implement the IDS for data tampering attacks. Unlike other papers, the data in this work have been extracted from a real rotating machine under all conditions of normal operation. The proposed method extracts the data directly from instrumentation sensors and devices. To do this, the physical signals are taken out by installing a signal duplicator in the control system.

Behavioral models of the normal rotating machine are created by nonlinear regression, novelty detection, outlier detection, and classification algorithms. Then, the online data are compared with the data of the behavior prediction model during the operation of the rotating machine to detect any abnormality. Next, the nonlinear regression, novelty detection, supervised and unsupervised outlier detection, and classification algorithms are compared to establish which one gives efficient results in creating the behavioral model of the rotating machine.
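As an added illustration (not the paper's code or data), the sketch below builds a behavioral model from constructed normal-operation samples and scores each new reading by its distance to the k-th nearest normal sample, a simple stand-in for the kNN-style detection named above. The three signals, their linear relationship and the threshold margin are assumptions; the point is that a tampered reading can pass every per-signal range check and still be inconsistent with the machine's behavior.

```python
import math
import random

def normal_sample(rng):
    # Constructed normal behaviour (assumption): vibration and temperature track speed.
    speed = rng.uniform(1000.0, 3000.0)                # rpm
    vib = 1.0 + 0.002 * speed + rng.gauss(0, 0.15)     # mm/s
    temp = 40.0 + 0.01 * speed + rng.gauss(0, 0.8)     # deg C
    return (speed, vib, temp)

def fit_scaler(rows):
    # Per-signal mean and standard deviation so no unit dominates distances.
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c))
            for c, m in zip(cols, means)]
    return means, stds

def scale(row, scaler):
    means, stds = scaler
    return tuple((x - m) / s for x, m, s in zip(row, means, stds))

def knn_score(point, train, k):
    # Anomaly score: distance to the k-th nearest normal training sample.
    return sorted(math.dist(point, t) for t in train)[k - 1]

def within_limits(reading, raw):
    # Naive per-signal range check, shown for comparison.
    return all(min(c) <= x <= max(c) for x, c in zip(reading, zip(*raw)))

def build_detector(n_train=400, n_calib=200, k=5, seed=7):
    rng = random.Random(seed)
    raw = [normal_sample(rng) for _ in range(n_train)]
    scaler = fit_scaler(raw)
    train = [scale(r, scaler) for r in raw]
    # Calibrate on held-out normal samples; the 1.5 margin is an assumption.
    calib = [knn_score(scale(normal_sample(rng), scaler), train, k)
             for _ in range(n_calib)]
    threshold = 1.5 * max(calib)
    def is_tampered(reading):
        return knn_score(scale(reading, scaler), train, k) > threshold
    return is_tampered, raw

if __name__ == "__main__":
    is_tampered, raw = build_detector()
    genuine = (2000.0, 5.0, 60.0)    # consistent with the constructed model
    tampered = (2900.0, 3.5, 52.0)   # each value in range, combination is not
    for r in (genuine, tampered):
        print(r, "in range:", within_limits(r, raw), "flagged:", is_tampered(r))
```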

The experimental results indicate that the proposed method can detect data tampering attacks on rotating machine control systems very accurately. Nonlinear regression and novelty detection use the original dataset consisting only of regular records, which is considered a strength of these algorithms. The nonlinear regression model implemented by the four-layer fully-connected (dense) neural network has a Mean Absolute Error (MAE) of 1.5%. The accuracy of the behavioral models created by the One-Class Support Vector Machine (SVM) novelty detection, kNN outlier detection, decision tree classifier, k-Neighbors classifier, random forest classifier, and AdaBoost classifier is 0.98, 0.994, 0.999, 0.999, 0.999, and 0.999, respectively. The other evaluation metrics show that classification and outlier detection are more efficient than novelty detection and nonlinear regression. Test time values demonstrate that all the methods work in a timely manner compared to the control system scan time.

The contributions of this study are as follows:

  • Proposing a new method to detect any harmful data manipulation on the rotating machine control system based on the behavior of the rotating machine in the normal operational mode.

  • Utilizing real process data in the normal operational mode to propose industrial intrusion detection on the control system of rotating machines, instead of simulation or pre-existing datasets.

  • Trajectory evolution to identify the critical signals of the rotating machines.

  • Describing appropriate features to create a dataset that is suitable for use in machine learning to generate an intrusion detection system for rotating machines.

  • Using nonlinear regression, novelty detection, outlier detection and classification methods together in this study. Different algorithms of these methods have been applied to produce a data manipulation detection system, and the results of the methods have been compared.

  • Presenting, based on the experimental results obtained in this work on a number of algorithms and on the comparison of different metrics and scores, very accurate detection methods for data change attacks, at least for rotating machines.

  • Implementing the IDS independently of the control system and conveniently, without requiring in-depth knowledge of the industrial network.

  • Suggesting that the data be extracted directly from the sensor and actuator through hardwired signals using a signal duplicator, to guarantee the validity of the data received by the IDS.

The rest of this paper is arranged as follows: Section 2 discusses the related works. Section 3 presents the initial definitions regarding the control system and the case study of the rotating machine. The proposed method and experimental results are provided in Section 4. Section 5 summarizes the study findings and provides the conclusions.

Section snippets

Attacking techniques on ICSs

Security vulnerabilities and the importance of control systems have made them an attractive target for hackers. Control systems are also vulnerable to the general attack methods due to their security vulnerabilities, for instance, buffer overflow, code injection, Structured Query Language (SQL) injection, and data manipulation [8].

In data manipulation attacks, control commands are compromised by deception attacks (false data injection) [1,12]. This kind of attack can be performed by

Industrial control system (ICS)

An ICS works as automated controlling equipment in manufacturing and chemical plants and many other industries. An ICS consists of industrial PCs, digital controllers, sensors known as primary elements, and electromechanical actuators functioning as final elements. A robust real-time network connects the controllers and PCs and allows data exchange between any network elements [8].

There are four types of ICS controllers: "Programmable Logic Controller (PLC)",

Proposed method

The proposed industrial intrusion detection system is based on the behavior of some input–output values of the rotating machine. The behavioral model of the rotating machine is created according to the critical signals of the control system, which can be manipulated by the aggressor to damage the rotating machine. These signals should be validated in the intrusion detection system; therefore, the signal duplicator is used to transfer the critical signal to intrusion detection safely. The

Conclusion

In this paper, several major attacks on ICSs were identified, and the IDS methods developed to overcome the threats to ICS were reviewed. Conventional IDS methods are unlikely to detect advanced cyberattacks based on data tampering, as the attacker manages to manipulate the system with normal network traffic. Herein, a new method was proposed based on the process behavior of one of the most widely used critical machines in industry. The trajectory evolution of the

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (40)

  • A. Robles-Durazno et al., PLC memory attack detection and response in a clean water supply system, Int. J. Crit. Infrastruct. Prot. (2019)
  • Threat landscape for industrial automation systems. h1 2019, Tech. rep., Kaspersky Lab ICS-CERT (sep...
  • Guide to Industrial Control System (ICS) Security (NIST SP 800-82 Rev 2) (2015)
  • J.C. Edward et al., Cyber-security of SCADA and Other Industrial Control Systems (2016)
  • N. Falliere et al., W32.stuxnet dossier, White Paper (2011)
  • S. Adepu, A. Mathur, Using process invariants to detect cyber attacks on a water treatment system, in: In: Hoepman J.H....
  • D. Ding et al., A survey on security control and attack detection for industrial cyber-physical systems, Neurocomputing (2017)
  • P. Cheng et al., Cyber Security for Industrial Control Systems from the Viewpoint of Close-Loop (2016)
  • S. Magdi et al., Modeling and control of cyber-physical systems subject to cyber-attacks: a survey of recent advances and challenges, Neurocomputing (2019)
  • S. Milinkovic et al., Industrial PLC security issues
