
Correlation-Based Anomaly Detection in Industrial Control Systems

Industrial Control Systems (ICSs) were initially designed to be operated in an isolated network. However, recently, ICSs have been increasingly connected to the Internet to expand their capability, such as remote management. This interconnectivity of ICSs exposes them to cyber-attacks. At the same t...


Bibliographic Details
Main authors: Jadidi, Zahra, Pal, Shantanu, Hussain, Mukhtar, Nguyen Thanh, Kien
Format: Online Article Text
Language: English
Published: MDPI 2023
Subjects:
Online access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9920746/
https://www.ncbi.nlm.nih.gov/pubmed/36772600
http://dx.doi.org/10.3390/s23031561
_version_ 1784887145220014080
author Jadidi, Zahra
Pal, Shantanu
Hussain, Mukhtar
Nguyen Thanh, Kien
collection PubMed
description Industrial Control Systems (ICSs) were initially designed to be operated in an isolated network. However, recently, ICSs have been increasingly connected to the Internet to expand their capability, such as remote management. This interconnectivity of ICSs exposes them to cyber-attacks. At the same time, cyber-attacks in ICS networks are different compared to traditional Information Technology (IT) networks. Cyber attacks on ICSs usually involve a sequence of actions and a multitude of devices. However, current anomaly detection systems only focus on local analysis, which misses the correlation between devices and the progress of attacks over time. As a consequence, they lack an effective way to detect attacks at an entire network scale and predict possible future actions of an attack, which is of significant interest to security analysts to identify the weaknesses of their network and prevent similar attacks in the future. To address these two key issues, this paper presents a system-wide anomaly detection solution using recurrent neural networks combined with correlation analysis techniques. The proposed solution has a two-layer analysis. The first layer targets attack detection, and the second layer analyses the detected attack to predict the next possible attack actions. The main contribution of this paper is the proof of the concept implementation using two real-world ICS datasets, SWaT and Power System Attack. Moreover, we show that the proposed solution effectively detects anomalies and attacks on the scale of the entire ICS network.
format Online
Article
Text
id pubmed-9920746
institution National Center for Biotechnology Information
language English
publishDate 2023
publisher MDPI
record_format MEDLINE/PubMed
spelling pubmed-9920746 2023-02-12 Correlation-Based Anomaly Detection in Industrial Control Systems Jadidi, Zahra Pal, Shantanu Hussain, Mukhtar Nguyen Thanh, Kien Sensors (Basel) Article MDPI 2023-02-01 /pmc/articles/PMC9920746/ /pubmed/36772600 http://dx.doi.org/10.3390/s23031561 Text en © 2023 by the authors. https://creativecommons.org/licenses/by/4.0/ Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
title Correlation-Based Anomaly Detection in Industrial Control Systems
topic Article
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9920746/
https://www.ncbi.nlm.nih.gov/pubmed/36772600
http://dx.doi.org/10.3390/s23031561