TY - JOUR
T1 - Add-on anomaly threshold technique for improving unsupervised intrusion detection on SCADA data
AU - Almalawi, Abdulmohsen
AU - Fahad, Adil
AU - Tari, Zahir
AU - Khan, Asif Irshad
AU - Alzahrani, Nouf
AU - Bakhsh, Sheikh Tahir
AU - Alassafi, Madini O.
AU - Alshdadi, Abdulrahman
AU - Qaiyum, Sana
N1 - Publisher Copyright:
© 2020 by the authors. Licensee MDPI, Basel, Switzerland.
PY - 2020/6/18
Y1 - 2020/6/18
N2 - Supervisory control and data acquisition (SCADA) systems monitor and supervise our daily infrastructure systems and industrial processes. Hence, the security of the information systems of critical infrastructures cannot be overstated. The effectiveness of unsupervised anomaly detection approaches is sensitive to parameter choices, especially when the boundaries between normal and abnormal behaviours are not clearly distinguishable. Therefore, the current approach to detecting anomalies in SCADA is based on the assumptions by which anomalies are defined; these assumptions are controlled by a parameter choice. This paper proposes an add-on anomaly threshold technique to identify the observations whose anomaly scores are extreme and significantly deviate from others; such observations are then assumed to be "abnormal". The observations whose anomaly scores are significantly distant from the "abnormal" ones are assumed to be "normal". Then, ensemble-based supervised learning is proposed to find a global and efficient anomaly threshold using the information of both "normal" and "abnormal" behaviours. The proposed technique can be used with any unsupervised anomaly detection approach to mitigate the sensitivity to such parameters and improve the performance of SCADA unsupervised anomaly detection approaches. Experimental results confirm that the proposed technique achieved a significant improvement compared to the state of the art of two unsupervised anomaly detection algorithms.
AB - Supervisory control and data acquisition (SCADA) systems monitor and supervise our daily infrastructure systems and industrial processes. Hence, the security of the information systems of critical infrastructures cannot be overstated. The effectiveness of unsupervised anomaly detection approaches is sensitive to parameter choices, especially when the boundaries between normal and abnormal behaviours are not clearly distinguishable. Therefore, the current approach to detecting anomalies in SCADA is based on the assumptions by which anomalies are defined; these assumptions are controlled by a parameter choice. This paper proposes an add-on anomaly threshold technique to identify the observations whose anomaly scores are extreme and significantly deviate from others; such observations are then assumed to be "abnormal". The observations whose anomaly scores are significantly distant from the "abnormal" ones are assumed to be "normal". Then, ensemble-based supervised learning is proposed to find a global and efficient anomaly threshold using the information of both "normal" and "abnormal" behaviours. The proposed technique can be used with any unsupervised anomaly detection approach to mitigate the sensitivity to such parameters and improve the performance of SCADA unsupervised anomaly detection approaches. Experimental results confirm that the proposed technique achieved a significant improvement compared to the state of the art of two unsupervised anomaly detection algorithms.
KW - Industrial Internet of Things (IIoT)
KW - Information-security
KW - Intrusion detection
KW - SCADA security
KW - Security threats
KW - Unsupervised learning
KW - Vulnerability measurement
UR - http://www.scopus.com/inward/record.url?scp=85086671739&partnerID=8YFLogxK
U2 - 10.3390/electronics9061017
DO - 10.3390/electronics9061017
M3 - Article
AN - SCOPUS:85086671739
SN - 2079-9292
VL - 9
SP - 1
EP - 20
JO - Electronics (Switzerland)
JF - Electronics (Switzerland)
IS - 6
M1 - 1017
ER -