Machine Learning Based Intrusion Detection in Control System Communication

Abstract

The importance of cybersecurity has increased with the networked and highly complex structure of computer systems, and the increased value of information. Traditionally, control systems did not use networked communication systems. So, the cybersecurity was not important for the control systems. The networked control systems such as an intelligent distribution network system and so on are appearing and the cybersecurity will become very important for the control systems in the near future. However, we have few actual cyberattacks against the control systems. The intrusion detection should be developed by using only normal control system communication. This chapter consists of two parts which are intrusion detections for the control system communication without sequence patterns and for the control system communication with sequence patterns. The first part is an intrusion detection for the control system communication without sequence patterns. In the first part, we compare supervised machine learning based intrusion detection methods with unsupervised machine learning based intrusion detection methods. The supervised learning are C4.5 and support vector machine. And the unsupervised machine learning are local outlier factor, one-class support vector machine, and support vector domain description. We applied these intrusion detection methods to the water storage tank control system communication data and the gas pipeline control system communication data, and compared the differences in the performance. The second part is an intrusion detection for the control system communication with sequence patterns. In the second part, we compare conditional random field based intrusion detection with the other probabilistic models based intrusion detection. These methods use the sequence characteristics of network traffic in the control system communication. The learning only utilizes normal network traffic data, assuming that there is no prior knowledge on attacks in the system. We applied these two probabilistic models to intrusion detection in DARPA data and an experimental control system network, and compared the differences in the performance.