IEEE Project Abstract

The growing number of attacks against cyber physical systems (CPSs) in recent years elevates the concern for cyber security of industrial control systems (ICSs). The current efforts of ICS cyber security are mainly based on firewalls, data diodes and other methods of intrusion prevention, which may not be sufficient for growing cyber threats from motivated attackers.To enhance the cyber security of ICS, a cyber-attack detection system built on the concept of defense-in-depth is developed utilizing network traffic data, host system data, and measured process parameters. This attack detection system provides multiple-layer defense in order to gain the defenders precious time before unrecoverable consequences occur in the physical system. The data used for demonstrating the proposed detection system are from a real-time ICS testbed. Five attacks, including man in the middle (MITM), denial of service (DoS), data ex filtration,data tampering, and false data injection, are carried out to simulate the consequences of cyber-attack and generate data for building data-driven detection models. Four classical classification models based on network data and host system data are studied, including k-nearest neighbor (KNN), decision tree,bootstrap aggregating (Bagging), and random forest, to provide a secondary line of defense of cyber-attack detection in the event that the intrusion prevention layer fails. Intrusion detection results suggest that KNN, Bagging, and random forest have low missed alarm and false alarm rates for MITM and DoS attacks,providing accurate and reliable detection of these cyber-attacks.Cyber-attacks that may not be detectable by monitoring network and host system data, such as command tampering and false data injection attacks by an insider, are monitored for by traditional process monitoring protocols. In the proposed detection system,an auto-associative kernel regression (AAKR) model is studied to strengthen early attack detection. The result shows that this approach detects physically-impact ful cyber-attacks before significant consequences occur. The proposed multiple-layer data driven cyber-attack detection system utilizing network, system,and process data is a promising solution for safeguarding an ICS