Abstract
In this paper we present an intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system, based on the combination of a One-Class Support Vector Machine (OCSVM) with RBF kernel and recursive k-means clustering. Important parameters of the OCSVM, such as the Gaussian width σ and the parameter ν, affect the performance of the classifier. Tuning these parameters is of great importance in order to avoid false positives and overfitting. The combination of OCSVM with recursive k-means clustering lets the proposed intrusion detection module distinguish real alarms from possible attacks regardless of the values of the parameters σ and ν, making it ideal for real-time intrusion detection mechanisms for SCADA systems. Extensive simulations have been conducted with datasets extracted from small and medium-sized HTB SCADA testbeds, in order to compare the accuracy, false alarm rate and execution time against the baseline OCSVM method.
Highlights
Several techniques and algorithms have been reported by researchers for intrusion detection [2, 3]
Anomaly detection can be regarded as a binary classification problem, so many classification algorithms used for detecting anomalies, such as neural networks, support vector machines, K-nearest neighbour (KNN) and Hidden Markov models, can be applied
We evaluate the performance of the method using data from the wireless network of the university campus, from a testbed that mimics a small-scale SCADA system and from a hybrid testbed of a medium-sized SCADA system
Summary
Several techniques and algorithms have been reported by researchers for intrusion detection [2, 3]. Negative selection only works for a standard sequence, which is not suitable for online detection. Other algorithms, such as time series analysis, have been introduced for anomaly detection, and again, they may not be suitable for most real application cases. Intrusion detection systems (IDS) fail to deal with all kinds of attacks, while on the other hand, false alarms raised by highly sensitive IDS carry high economic risks. These situations are described in subsection 1.1. OCSVM, like other one-class classifiers, suffers from false positives and overfitting. The former is a situation that occurs when the classifier fires an alarm in the absence of a real anomaly in the system, and happens when the parameter σ has too large a value. In this article we propose the combination of the OCSVM method with recursive k-means clustering, separating real from false alarms in real time and with no preselection of the parameters σ and ν.
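As an added, runnable illustration of the pipeline that the abstract and the summary describe (it is not code from the paper or its authors): a pure-Python OCSVM with RBF kernel is trained on constructed, already-scaled SCADA traffic features, its alarms are then clustered with k-means, and each cluster is kept as an attack or dismissed as a false alarm according to how far its centroid lies from the normal profile. The kernel width is deliberately set to an unsuitable value in the first run so that the OCSVM also fires on a benign sample; the clustering step sorts that alarm out while the flooding traffic stays flagged, and a second run with a different width reaches the same verdict, which is the "regardless of σ and ν" property the paper claims. Everything here is an assumption of the example: the feature vectors, the Frank-Wolfe dual solver, the plain (non-recursive) k-means triage step and the `radius_factor` threshold are not taken from the paper.

```python
import math

# Constructed SCADA-style feature vectors (assumption: two features, e.g. packets/s
# and mean payload size, already min-max scaled to [0, 1]). Normal traffic forms a
# small ring around CENTRE; the attack samples are flood-like and far away.
CENTRE = (0.30, 0.40)
NORMAL_TRAIN = [(CENTRE[0] + 0.05 * math.cos(0.7 * k), CENTRE[1] + 0.05 * math.sin(0.7 * k))
                for k in range(18)] + [(0.30, 0.40), (0.31, 0.39)]
LEGIT_NEW = (0.36, 0.45)                                # benign sample just outside the ring
ATTACKS = [(0.95, 0.90), (0.90, 0.95), (0.97, 0.85)]   # constructed flooding traffic
TEST_SET = [LEGIT_NEW] + ATTACKS


def rbf(a, b, sigma):
    """Gaussian (RBF) kernel with width sigma."""
    d2 = sum((x - y) ** 2 for x, y in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma ** 2))


def fit_ocsvm(train, sigma, nu, iters=300):
    """Solve the OCSVM dual  min 1/2 a^T K a  s.t. 0 <= a_i <= 1/(nu*n), sum a_i = 1
    with plain Frank-Wolfe (assumption: a small pure-Python solver, not libsvm)."""
    n = len(train)
    cap = 1.0 / (nu * n)                       # upper bound on each dual variable (nu <= 1)
    K = [[rbf(x, y, sigma) for y in train] for x in train]
    alpha = [1.0 / n] * n                      # uniform start is feasible because 1/n <= cap
    for t in range(iters):
        grad = [sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n)]
        # Linear minimisation oracle over the capped simplex: fill the coordinates
        # with the smallest gradient up to their cap until the unit mass is used up.
        s, mass = [0.0] * n, 1.0
        for i in sorted(range(n), key=lambda i: grad[i]):
            s[i] = min(cap, mass)
            mass -= s[i]
            if mass <= 0:
                break
        gamma = 2.0 / (t + 2)
        alpha = [(1 - gamma) * a + gamma * v for a, v in zip(alpha, s)]
    grad = [sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n)]
    tol = 1e-6
    # rho is read off the margin support vectors (0 < a_i < cap); fall back to the
    # largest gradient among active variables if the solver left none.
    margin = [grad[i] for i in range(n) if tol < alpha[i] < cap - tol]
    rho = sum(margin) / len(margin) if margin else max(grad[i] for i in range(n) if alpha[i] > tol)
    return {"train": train, "alpha": alpha, "sigma": sigma, "rho": rho}


def decision(model, x):
    """f(x) = sum_i a_i k(x_i, x) - rho; a negative value is an alarm."""
    return sum(a * rbf(xi, x, model["sigma"])
               for a, xi in zip(model["alpha"], model["train"])) - model["rho"]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean(points):
    return tuple(sum(c) / len(points) for c in zip(*points))


def kmeans(points, init, iters=50):
    """Lloyd's k-means started from the given centroids."""
    centroids = list(init)
    for _ in range(iters):
        groups = [[] for _ in centroids]
        for p in points:
            groups[min(range(len(centroids)), key=lambda j: dist(p, centroids[j]))].append(p)
        new = [mean(g) if g else c for g, c in zip(groups, centroids)]
        if new == centroids:
            break
        centroids = new
    return centroids, groups


def triage(model, samples, radius_factor=2.0):
    """Cluster the OCSVM alarms (k <= 2) and keep only clusters whose centroid lies
    farther than radius_factor * (extent of the normal profile) from its centre.
    Assumption: a plain k-means triage step, not the paper's recursive scheme."""
    train = model["train"]
    centre = mean(train)
    radius = max(dist(p, centre) for p in train)
    alarms = [x for x in samples if decision(model, x) < 0]
    result = {"attack": [], "false_alarm": []}
    if not alarms:
        return result
    nearest = min(alarms, key=lambda p: dist(p, centre))   # deterministic seeds:
    farthest = max(alarms, key=lambda p: dist(p, centre))  # closest and farthest alarm
    init = [nearest] if len(alarms) == 1 else [nearest, farthest]
    centroids, groups = kmeans(alarms, init)
    for c, g in zip(centroids, groups):
        key = "false_alarm" if dist(c, centre) <= radius_factor * radius else "attack"
        result[key].extend(g)
    return result


if __name__ == "__main__":
    for sigma in (0.01, 0.10):                 # unsuitable vs. reasonable kernel width
        model = fit_ocsvm(NORMAL_TRAIN, sigma=sigma, nu=0.1)
        raw = [x for x in TEST_SET if decision(model, x) < 0]
        print(f"sigma={sigma}: raw OCSVM alarms={len(raw)}  triage={triage(model, TEST_SET)}")
```

Running the file prints, for each kernel width, how many of the four test samples the bare OCSVM flags and how the clustering step splits those alarms. With σ = 0.01 every new sample, the benign one included, falls outside the over-specialised decision boundary, so the raw alarm count is four; the k-means stage still returns only the three flooding samples as attacks because the benign alarm clusters within twice the radius of the normal profile. The seeding by nearest and farthest alarm keeps the clustering deterministic so that its verdict does not depend on a random start.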