Detection of Low-Frequency and Multi-Stage Attacks in Industrial Internet of Things

Abstract

The increasingly sophisticated cyber attacks have become a serious challenge for Industrial Internet of Things (IIoT), which presents two new characteristics: low frequency and multi-stage. That is, hackers could gain authority to attack industrial equipment/infrastructure gradually in a long interval through lurking, lateral intrusion and privilege escalation. While, the existing Machine Learning (ML) based intrusion detection schemes all require the participation of expert knowledge, so it is difficult to adaptively select an attack interval and a retraining period of the detection model in IIoT, resulting in poor detection performance. To solve above problems, a bidirectional long and short-term memory network with multi-feature layer (B-MLSTM) is designed. Firstly, sequence and stage feature layers are introduced in the model training phase model which can learn the corresponding attack interval from historical data, so that the model can effectively detect attacks with different intervals. Then, a double-layer reverse unit is introduced to update the detection model. By collecting information from test data and making association analysis with historical data, the retraining period is adaptively selected to match the new attack interval. Compared with the previous works, our proposed scheme has a lower false positive rate than existing schemes by at least 46.79%, and the false negative rate is reduced by at least 79.85%, which are carried out on three classic IIoT datasets.