Abstract

The networking of industrial cyber–physical systems (CPS) introduces increased security vulnerabilities, necessitating advanced intrusion detection systems (IDS). Many current studies aiming to enhance IDS capabilities leverage Federated Learning (FL) technology for collaborative intrusion detection. However, devices deployed in a distributed manner in an industrial setting are vulnerable to cyber and poisoning attacks. Compromised clients can create malicious parameters to disrupt intrusion detection models, making them ineffective in identifying attacks. Existing FL-based intrusion detection methods exhibit suboptimal performance in detecting malicious clients and resisting poisoning attacks. To address these issues, we propose TICPS, a collaborative intrusion detection framework based on a trustworthy model update strategy to detect cyber threats from industrial CPS. The framework enables multiple industrial CPS to collaboratively construct an intrusion detection model and evaluates the security of each industrial CPS node using an update evaluation mechanism, ensuring effective intrusion detection even in the presence of poisoning. Extensive experiments on real-world industrial CPS datasets demonstrate that TICPS can effectively detect various types of cyber threats targeting industrial CPS. In particular, the framework achieves an intrusion detection accuracy of 94% even when the proportion of malicious agents reaches 80% under three typical poisoning attacks.
