Add-on anomaly threshold technique for improving unsupervised intrusion detection on SCADA data

Abdulmohsen Almalawi, Adil Fahad*, Zahir Tari, Asif Irshad Khan, Nouf Alzahrani*, Sheikh Tahir Bakhsh, Madini O. Alassafi, Abdulrahman Alshdadi, Sana Qaiyum

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

11 Citations (Scopus)

Abstract

Supervisory control and data acquisition (SCADA) systems monitor and supervise our daily infrastructure systems and industrial processes. Hence, the security of the information systems of critical infrastructures cannot be overstated. The effectiveness of unsupervised anomaly detection approaches is sensitive to parameter choices, especially when the boundaries between normal and abnormal behaviours are not clearly distinguishable. Therefore, the current approach in detecting anomaly for SCADA is based on the assumptions by which anomalies are defined; these assumptions are controlled by a parameter choice. This paper proposes an add-on anomaly threshold technique to identify the observations whose anomaly scores are extreme and significantly deviate from others, and then such observations are assumed to be ”abnormal”. The observations whose anomaly scores are significantly distant from ”abnormal” ones will be assumed as ”normal”. Then, the ensemble-based supervised learning is proposed to find a global and efficient anomaly threshold using the information of both ”normal”/”abnormal” behaviours. The proposed technique can be used for any unsupervised anomaly detection approach to mitigate the sensitivity of such parameters and improve the performance of the SCADA unsupervised anomaly detection approaches. Experimental results confirm that the proposed technique achieved a significant improvement compared to the state-of-the-art of two unsupervised anomaly detection algorithms.

Original languageEnglish
Article number1017
Pages (from-to)1-20
Number of pages20
JournalElectronics (Switzerland)
Volume9
Issue number6
DOIs
Publication statusPublished - 18 Jun 2020
Externally publishedYes

Keywords

  • Industrial Internet of Things (IIoT)
  • Information-security
  • Intrusion detection
  • SCADA security
  • Security threats
  • Unsupervised learning
  • Vulnerability measurement

Cite this