
GNN-based Advanced Feature Integration for ICS Anomaly Detection

Published: 14 November 2023

Abstract

Recent adversaries targeting the Industrial Control Systems (ICSs) have started exploiting their sophisticated inherent contextual semantics such as the data associativity among heterogeneous field devices. In light of the subtlety rendered in these semantics, anomalies triggered by such interactions tend to be extremely covert, hence giving rise to extensive challenges in their detection. Driven by the critical demands of securing ICS processes, a Graph-Neural-Network (GNN) based method is presented to tackle these subtle hostilities by leveraging an ICS’s advanced contextual features refined from a universal perspective, rather than exclusively following GNN’s conventional local aggregation paradigm. Specifically, we design and implement the Graph Sample-and-Integrate Network (GSIN), a general chained framework performing node-level anomaly detection via advanced feature integration, which combines a node’s local awareness with the graph’s prominent global properties extracted via process-oriented pooling. The proposed GSIN is evaluated on multiple well-known datasets with different kinds of integration configurations, and results demonstrate its superiority consistently on not only anomaly detection performance (e.g., F1 score and AUPRC) but also runtime efficiency over recent representative baselines.

Cited By

  • (2024) CGAAD: Centrality- and Graph-Aware Deep-Learning Model for Detecting Cyberattacks Targeting Industrial Control Systems in Critical Infrastructure. IEEE Internet of Things Journal 11:13 (24162-24182). DOI: 10.1109/JIOT.2024.3390691. Online publication date: 1-Jul-2024


Published In

ACM Transactions on Intelligent Systems and Technology  Volume 14, Issue 6
December 2023
493 pages
ISSN:2157-6904
EISSN:2157-6912
DOI:10.1145/3632517
  • Editor: Huan Liu

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 November 2023
Online AM: 05 September 2023
Accepted: 21 August 2023
Revised: 27 June 2023
Received: 21 November 2022
Published in TIST Volume 14, Issue 6


Author Tags

  1. Advanced feature pooling
  2. embedding integration
  3. graph neural networks
  4. anomaly detection
  5. industrial control systems

Qualifiers

  • Research-article

Funding Sources

  • National Key R&D Program of China
  • National Natural Science Foundation of China
  • Double First-Class Scientific Research Funds of HIT

Article Metrics

  • Downloads (Last 12 months): 351
  • Downloads (Last 6 weeks): 31

Reflects downloads up to 19 Dec 2024
