Feature-driven Anomalous Behaviour Detection and Incident Classification Model for ICS in Water Treatment Plants

Gabriela Ahmadi-Assalemi, Haider Al-Khateeb, Tanaka Laura Makonese, Vladlena Benson, Samiya Khan, Usman Javed Butt

Research output: Contribution to journalArticlepeer-review

Abstract

Industry 5.0 envisions humans working alongside emerging technologies and enabled by the fusion of devices and sensors using Information and Communication Technologies (ICT) to facilitate process automation, monitoring and distributed control in Industrial Control Systems (ICS). However, the application of disruptor technologies and exposure of insecure devices broadens the attack surface making ICS an attractive target for sophisticated threat actors. Furthermore, ICS deliver a range of critical services hence disruption of industrial operations and services could have serious consequences. This study proposes an anomaly-based intrusion detection system for a water treatment plant based on a new model to determine variable significance for improved detection accuracy using Machine Learning (ML) algorithms coupled with incident classification based on functional impact. Determining statistical significance for independent ICS variables was addressed using logistic regression. Overall, thirty-nine variables are deemed relevant in diagnosing the system state of the ICS operation to be expected or under attack. Our approach is validated using the Secure Water Treatment (SWaT) testbed. Experimental results reveal that anomaly detection was effective using k-NN, ANN and SVM achieving an F1-score of 0.99, 0.98 and 0.97 respectively.
Original languageEnglish
Number of pages24
JournalInternational Journal of Electronic Security and Digital Forensics
DOIs
Publication statusAccepted/In press - 22 Jun 2023

Keywords

  • Critical national infrastructure
  • fifth industrial revolution
  • operational technology
  • smart city
  • APT
  • artificial intelligence

Fingerprint

Dive into the research topics of 'Feature-driven Anomalous Behaviour Detection and Incident Classification Model for ICS in Water Treatment Plants'. Together they form a unique fingerprint.

Cite this