Towards Effective and Adaptive Anomaly-based Intrusion Detection Methods for Industrial Network Systems

dc.contributor.advisor: Tari, Zahir
dc.contributor.author: Alsaedi, Abdullah
dc.date.accessioned: 2024-04-29T11:45:29Z
dc.date.available: 2024-04-29T11:45:29Z
dc.date.issued: 2024-04-18
dc.description.abstract: Modern Industrial Network Systems, characterised by the integration of Cyber-Physical Systems (CPSs) and the Internet of Things (IoT), are at the forefront of technological progress in Industry 4.0. They enable advanced automation, data exchange, and system monitoring on a global scale. However, these advancements also increase their exposure to cyber threats, particularly targeted attacks launched by adversaries with high motivation and domain knowledge. Such attacks aim to cause significant damage to the physical operation of critical infrastructures. Because these systems act directly on physical processes, a compromise can lead to severe equipment damage, environmental disruption, and even loss of human life. Securing them therefore requires advanced, robust, and adaptive cybersecurity measures. Anomaly-based Intrusion Detection Systems (IDSs) are crucial for securing IT systems but often fail to fully protect Industrial Network Systems against targeted attacks. Traditional IDSs cannot monitor the physical operations integral to these systems, so detection methods that oversee physical activity are needed, since attacks may manifest in those operations. Current detection methods face further challenges, including a lack of comprehensive benchmark datasets for modern industrial setups and difficulty adapting to the dynamic nature of industrial environments. This underscores the urgent need for research to address these issues. This thesis addresses the critical challenges of securing modern Industrial Network Systems, given their growing prevalence and the increasing sophistication of cyber threats. Its primary aim is to develop innovative anomaly-based intrusion detection methods specifically tailored to these systems, capable of identifying targeted attacks that subtly alter system behaviour while evading detection.
The emphasis is on real-time monitoring of multi-sensor measurements to identify threats in large-scale, evolving data streams, thus preventing significant damage to the physical infrastructure and protecting it from emerging threats. This research tackles four research challenges. The first is the creation of a representative benchmark dataset for evaluating intrusion detection solutions in Industrial Network Systems, addressing the lack of existing datasets that capture the specific nuances of these systems. The remaining three challenges concern the development of a set of effective, robust and adaptive IDS solutions. Collectively, these solutions address the primary objectives of this research and thereby its overall aim. First, practical evaluation of anomaly-based intrusion detection methods tailored to Industrial Network Systems hinges on the availability of datasets that accurately reflect real-world system dynamics. Such datasets are essential for assessing the accuracy and effectiveness of security solutions. However, few such datasets exist, and those that do often omit critical elements such as sensor measurement data. To address this, this research introduces the TON_IoT dataset, a comprehensive compilation of telemetry data, operating system logs, and network traffic designed to reflect the complexity of modern CPSs and the IoT. Unlike existing datasets, TON_IoT integrates the sensor measurement data needed to identify sophisticated, subtle cyber threats, making it a valuable resource for the research community. It aids in understanding CPS/IoT vulnerabilities and promotes advanced intrusion detection solutions suited to the evolving threats of Industry 4.0.
Second, with the proliferation of embedded sensors in modern industrial infrastructure, these systems produce a vast volume of multi-sensor data that holds valuable insight into their operational dynamics for anomaly-based intrusion detection. Capturing this insight is challenging, however, because of the data's inherent complexity, temporal intricacy, and noise. Existing detection methods struggle with these issues, leaving gaps in the security of the systems they aim to protect. To address this, this research introduces the UnSupervised Misbehaviour Detection (USMD) method, a novel unsupervised and model-free anomaly-based intrusion detection method tailored to multi-sensor industrial data. USMD consists of a robust Unified Learner Network and a misbehaviour detector, using a deep learning-based method to learn and represent normal system behaviour for anomaly detection. Evaluated against state-of-the-art methods, USMD demonstrates superior performance, underscoring its potential as an effective solution for securing complex and noisy industrial environments. Third, modern Industrial Network Systems are dynamic environments in which changes such as environmental shifts cause unpredictable variation in operational and measurement data, leading to concept drift. This drift significantly degrades the accuracy and reliability of Machine Learning (ML)-based security measures in these systems, weakening their anomaly detection and response capabilities. To tackle this, this research presents ReActive concept Drift mAnagement with Robust variational inference (RADAR), a novel unsupervised framework designed explicitly for evolving, high-dimensional data streams. RADAR accounts for uncertainties and temporal dependencies in measurement data, significantly improving the dynamic adaptation of ML models to changing data statistics.
At the heart of RADAR lie two main methods: a temporal discrepancy measure and an intensity-aware analyser. Together, these methods enable RADAR to make effective adaptation decisions that sustain the accuracy and reliability of ML-based analytics and security solutions. Experiments on synthetic and real-world datasets demonstrate that RADAR outperforms other benchmarks with the best F-score of 0.86 and achieves efficient runtime, offering a reactive, robust solution for managing concept drift in critical industrial operations. Lastly, a central challenge in intrusion detection is adapting to evolving "normal" behaviour, especially under concept drift. Current methods struggle with this in dynamic environments, and the resulting self-poisoning and catastrophic forgetting in real-time systems reduce the sensitivity and specificity of intrusion alerts. To address these challenges, this research introduces the Robust and adaptive Deviation detection for StreAming and Dynamic Sensor Data (RDSAD) method. RDSAD is specifically designed to overcome concept drift, self-poisoning, and catastrophic forgetting in real-time monitoring of high-dimensional measurement data. It features two novel components: Dynamic Deviation Recognition (DDR) for accurate deviation detection, and Drift-aware Model Adaptation (DMA) for incremental updates that retain historical knowledge. RDSAD has shown excellent performance in anomaly detection, achieving an AUC of 0.90 and efficient runtime on large data streams, offering a robust, efficient solution for real-time anomaly detection and enhanced cybersecurity in industrial environments.
dc.format.extent: 244
dc.identifier.uri: https://hdl.handle.net/20.500.14154/71897
dc.language.iso: en
dc.publisher: RMIT University
dc.subject: Cybersecurity
dc.subject: Intrusion Detection Systems (IDSs)
dc.subject: Anomaly Detection
dc.subject: Industrial Network Systems
dc.subject: Cyber-Physical Systems (CPSs)
dc.title: Towards Effective and Adaptive Anomaly-based Intrusion Detection Methods for Industrial Network Systems
dc.type: Thesis
sdl.degree.department: Computing Technologies
sdl.degree.discipline: Computer Science
sdl.degree.grantor: RMIT
sdl.degree.name: Doctor of Philosophy
sdl.thesis.source: SACM - Australia

Copyright owned by the Saudi Digital Library (SDL) © 2024