Title: Anomaly detection via statistical learning in industrial communication networks

Authors: Julian L. Rrushi

Addresses: Faculty of Computer Science, University of New Brunswick, 550 Windsor St., Fredericton, New Brunswick E3B 5A3, Canada

Abstract: In this paper, we discuss a novel statistical learning algorithm that predicts normal flows of process data in a distributed control system, i.e., process data evolutions that characterise the normal behaviour of a cyber-physical system such as a power plant. The algorithm's prediction capability allows for determining whether the payload of a network packet that is about to be processed by a computer device in a distributed control system is normal or malicious. This classification is based on whether or not the process data evolution that a network packet under inspection has the potential to cause is predicted as normal by the algorithm. In this paper, we also discuss a probabilistic validation of the algorithm. We construct stochastic activity networks with activity-marking oriented reward structures that model pertinent aspects of the normal operation of a cyber-physical system as a whole as perceived by the algorithm. The solution of these models via a tool such as Möbius indicates whether the algorithm's perception of normalcy is correct. We have implemented the algorithm in the MATLAB programming language, and thus in the paper we also discuss practical testing and evaluation of the effectiveness of the algorithm in a testbed that resembles a power plant.

Keywords: distributed control systems; DCS; anomaly intrusion detection; applied statistics; stochastic activity networks; SANs; anomaly detection; power plants; reward structures; cyber-physical systems; industrial communication networks.

DOI: 10.1504/IJICS.2011.044821

International Journal of Information and Computer Security, 2011 Vol.4 No.4, pp.295 - 315

Published online: 28 Feb 2015
