Abstract
Intrusion detection systems (IDS) are commonly categorized into misuse based, anomaly based and specification based IDS. Both misuse based IDS and anomaly based IDS are extensively researched in academia and industry. However, as critical infrastructures including smart grids (SG) may often face sophisticated unknown attacks in the near future, misuse based attack detection techniques will mostly miss their targets. Despite the fact that anomaly based IDS can detect novel attacks, they are not often deployed in industry, mainly owing to high false positive rate and lack of interpretability of trained models. With misuse based IDS’ inability to detect unknown attacks and requirement for frequently manually crafting and updating signatures and with anomaly based IDS’ bad reputation for high false alarm rate, specification based IDS can be regarded as the most suitable detection engine for cyber-physical systems (CPS) including SG. We argue that specification based IDS especially using rule learning could prove to be the most promising IDS for SG. Intrusion detection rules are learned through rule learning techniques and periodically automatically updated to accommodate dynamic system behaviors in SG. Fortunately, rule learning based IDS can not only detect previously unknown attacks but also achieve higher interpretability, due to symbolic representation of learned rules. It can thus be considered more “trustworthy” from human perspective and further assist human in the loop security operation. The present work provides a systematic and deep analysis of rule learning techniques and their suitability for IDS in SG. Besides, it concludes the most important criteria for learning intrusion detection rules and assessing their quality. This work serves not only as a guide to a number of important rule learning techniques but also as the first survey on their applications in IDS, which indicates their potential opportunities in SG security.
Highlights
As a complement to security appliances like encryption, authentication, authorization, firewalls and VPN, intrusion detection systems (IDS) are often regarded as the second defense line in the so called defense in depth
WORK In the present work, we provide a gentle introduction and a systematic analysis of intrusion detection systems, smart grids and rule learning techniques, respectively
To the best of our knowledge, we present the first survey focusing on rule learning based IDS to shed more light on this research area
Summary
As a complement to security appliances like encryption, authentication, authorization, firewalls and VPN, intrusion detection systems (IDS) are often regarded as the second defense line in the so called defense in depth. Liu et al.: Review of Rule Learning-Based IDS and Their Prospects in SG ing to imitate human intelligence, to improve learning and decision-making processes and to solve real-world problems, soft computing as a general term describes a set of optimization techniques including fuzzy logic, artificial neural networks, probabilistic reasoning, association rule mining, genetic algorithms, particle swarm intelligence, ant colony optimization etc. In specification based IDS, specifications can be generated either manually from human experts or automatically from rule learning techniques. The rules or policies in the majority of current specification based IDS are created manually by human experts, and they can be based on protocol specifications like in [6] and [7]. The present work mainly investigates specification based IDS making use of rule learning techniques. We aim to attract more attention from security researchers into rule learning techniques to develop more explainable and more practical machine learning based IDS.
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
