Comparison of industrial control system anomaly detection methods
dc.contributor.author | Sobonski, Piotr | en |
dc.contributor.author | Roedig, Utz | en |
dc.contributor.funder | Science Foundation Ireland | en |
dc.date.accessioned | 2025-01-22T13:39:54Z | |
dc.date.available | 2025-01-22T13:39:54Z | |
dc.date.issued | 2024-11-20 | en |
dc.description.abstract | Industrial Control Systems (ICS) are used to produce goods that must be free of errors. Examples are medicines, medical equipment or vehicle parts. It is essential in such production environments to detect an attack which may aim to compromise goods. While Anomaly Detection (AD) is common to protect Information Technology (IT) infrastructure, it is not yet widely used to protect Operational Technology (OT) elements such as ICS and ultimately production. In this work we analyze the usefulness of different AD algorithms in the context of ICS. We aim to determine if simple statistical methods such as K-Means clustering (K-Means), Density-Based Spatial Clustering of Applications with Noise (DBSCAN), Stochastic Gradient Descent (SGD) or Support Vector Machine (SVM) are sufficient or if more advanced Machine Learning (ML) algorithms such as an Autoencoder are necessary to achieve a useful performance. Specifically, we consider real-world constraints such as limited available attack examples in training data and variations in background conditions. We use an evaluation framework called Anomaly Detection Evaluation Framework (ADEF) to model an autoclave manufacturing use case and possible attacks. Using ADEF we benchmark different AD algorithms. Our results show that simple methods perform very well, that large amounts of attack examples are unnecessary and that fluctuations in environmental conditions pose a significant challenge. | en |
dc.description.status | Peer reviewed | en |
dc.description.version | Accepted Version | en |
dc.format.mimetype | application/pdf | en |
dc.identifier.citation | Sobonski, P. and Roedig, U. (2024) 'Comparison of industrial control system anomaly detection methods', Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Salt Lake City, UT, USA, 14 - 18 October, pp. 79-85. https://doi.org/10.1145/3689930.3695211 | en |
dc.identifier.doi | https://doi.org/10.1145/3689930.3695211 | en |
dc.identifier.endpage | 85 | en |
dc.identifier.isbn | 979-8-4007-1226-5 | en |
dc.identifier.startpage | 79 | en |
dc.identifier.uri | https://hdl.handle.net/10468/16875 | |
dc.language.iso | en | en |
dc.publisher | Association for Computing Machinery (ACM) | en |
dc.relation.ispartof | Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Salt Lake City, UT, USA, 14 - 18 October 2024 | en |
dc.relation.project | info:eu-repo/grantAgreement/SFI/SFI Centres for Research Training Programme::Data and ICT Skills for the Future/18/CRT/6222/IE/SFI Centre for Research Training in Advanced Networks for Sustainable Societies/ | en |
dc.rights | © 2024, the authors. Publication rights licensed to ACM. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. | en |
dc.subject | ICS security | en |
dc.subject | ICS simulation | en |
dc.subject | ICS anomaly detection | en |
dc.subject | ICS attacks | en |
dc.subject | CPS security | en |
dc.title | Comparison of industrial control system anomaly detection methods | en |
dc.type | Conference item | en |