Detecting Cyberattacks in Industrial Control Systems Using Online Learning Algorithms
Li, Guangxia, Shen, Yulong, Zhao, Peilin, Lu, Xiao, Liu, Jia, Liu, Yangyang, Hoi, Steven C. H.
Industrial control systems are critical to the operation of industrial facilities, especially for critical infrastructures, such as refineries, power grids, and transportation systems. Similar to other information systems, a significant threat to industrial control systems is the attack from cyberspace--the offensive maneuvers launched by "anonymous" in the digital world that target computer-based assets with the goal of compromising a system's functions or probing for information. Owing to the importance of industrial control systems, and the possibly devastating consequences of being attacked, significant endeavors have been attempted to secure industrial control systems from cyberattacks. Among them are intrusion detection systems that serve as the first line of defense by monitoring and reporting potentially malicious activities. Classical machine-learning-based intrusion detection methods usually generate prediction models by learning modest-sized training samples all at once. Such an approach is not always applicable to industrial control systems, as industrial control systems must process continuous control commands with limited computational resources in a nonstop way. To satisfy such requirements, we propose using online learning to learn prediction models from the controlling data stream. We introduce several state-of-the-art online learning algorithms categorically, and illustrate their efficacies on two typically used testbeds--power system and gas pipeline. Further, we explore a new cost-sensitive online learning algorithm to solve the class-imbalance problem that is pervasive in industrial intrusion detection systems. Our experimental results indicate that the proposed algorithm can achieve an overall improvement in the detection rate of cyberattacks in industrial control systems.
Modern industrial control systems are microprocessor-equipped devices and associated communication networks used to monitor and operate physical equipment in the industrial environment.
Dec-7-2019
- Country:
- Oceania > Australia (0.04)
- North America
- Canada > British Columbia (0.04)
- United States
- Mississippi (0.04)
- District of Columbia > Washington (0.04)
- Washington > King County
- Seattle (0.04)
- Pennsylvania > Allegheny County
- Pittsburgh (0.04)
- New Jersey > Atlantic County
- Atlantic City (0.04)
- Florida > Miami-Dade County
- Miami (0.04)
- California
- Santa Clara County > San Jose (0.04)
- Alameda County > Oakland (0.04)
- Europe
- France (0.04)
- United Kingdom > Scotland
- City of Edinburgh > Edinburgh (0.04)
- Finland > Uusimaa
- Helsinki (0.04)
- Asia
- Middle East > Iran (0.04)
- Japan > Kyūshū & Okinawa
- Kyūshū > Fukuoka Prefecture > Fukuoka (0.04)
- Africa > South Africa
- Western Cape > Cape Town (0.04)
- Genre:
- Research Report (0.50)
- Industry:
- Information Technology > Security & Privacy (1.00)
- Government (1.00)
- Electrical Industrial Apparatus (1.00)
- Education > Educational Setting
- Online (1.00)
- Technology: