Process-level Anomaly Detection in Industrial Control Systems
Master's thesis
|Type: ||Master's thesis|
|Title: ||Process-level Anomaly Detection in Industrial Control Systems|
|Authors: ||Ström, David; Sinai Nadkarni, Viren|
|Abstract: ||Over the last decade, Industrial Control Systems (ICSs), which manage critical infrastructure such as power, water and gas distribution systems, have increasingly been targeted by sophisticated cyberattacks. It is of paramount importance that the necessary safeguards are in place for these systems to avoid potentially catastrophic damage. Intrusion Detection Systems (IDSs) can be used to monitor computer systems for signs of attacks and are commonly of two types: signature-based or anomaly-based. Signature-based IDSs use a database of known traffic patterns to identify malicious activity. Attacks against ICSs are specialised and crafted to exploit specific protocol semantics and specific deployments, so building a signature database that captures all attack properties is difficult. This has led to growing interest in anomaly-based intrusion detection that uses information from the industrial process itself, such as sensor readings and control commands.

Research has shown that process-level anomaly detection can identify a large range of attack types, but so far there has been little insight into whether process-level anomaly detection is suitable for modern ICS software. Questions such as whether the cost of processing a large number of signals is reasonable, and whether it is feasible to integrate anomaly detection into existing ICS software, remain open.

This study aims to evaluate the suitability of process-level anomaly detection in production-grade ICS software. The platform is provided by ABB, a major international supplier of ICSs. We focus on two time-series algorithms: Process-Aware Stealthy Attack Detection (PASAD) and Auto-Regression (AR) modelling.

Our findings show that both methods can successfully be used in large-scale ICS software. AR gives throughput one order of magnitude higher than PASAD, while PASAD is better at detecting stealthy attacks and attacks in noisy signals. PASAD can also leverage GPU capabilities, but needs buffering to outperform CPU implementations. The design of PASAD means that it requires a large amount of memory to model signals whose normal behaviour spans many distinct values. On the whole, we find that process-level anomaly detection can be a reliable complementary security mechanism for ICS deployments.|
|Keywords: ||Anomaly detection;Intrusion detection;Industrial control systems;Electrical grid|
|Publisher: ||Chalmers University of Technology / Department of Computer Science and Engineering|
|Collection:||Master Theses|
The material in Chalmers' open archive is protected by copyright and may not be used for commercial purposes.