Anomaly Detection for a Water Treatment System Based on One-Class Neural Network

Abstract

The prevalence of Internet-of-Things (IoT) technologies and the ubiquity of networked sensors and actuators in many Industrial Control Systems (ICS) have led to the exposure of critical infrastructure in our society to malicious activities and cyber threats. Programmable logic controllers (PLCs) are embedded devices that automate ICS processes. PLCs, which serve as the heart of ICS, are vulnerable to attacks and system malfunctions like other embedded devices. Because PLCs are widely used to control ICS physical processes, attacks against PLCs can cause irreparable damage to enterprises and even loss of life. However, due to the unique and proprietary architecture of PLCs, it is not easy to apply traditional tools and techniques for PLC protection. This work presents an unsupervised learning approach for anomaly detection in ICS based on neural networks with one class objective function and an additional regularization term. This technique combines the abilities of neural networks to learn complex relationships with a one-class objective function and a regularization term for separating normal conditions from anomalous operations. The newly introduced regularization term provides a model-tuning mechanism based on specific industrial requirements and performance metrics of interest (i.e., precision or recall). The model is evaluated on a recent real-world ICS dataset: the Secure Water Treatment (SWaT) dataset. The proposed technique's performance is compared with previous work, showing improvements in terms of scalability and attack detection capability, proving that the proposed technique is suitable for use in real ICS scenarios. The proposed method with the regularization term demonstrated superior recall values in 15 out of the 36 attack scenarios in the SWaT dataset, which is the largest of any published methods in the literature. A qualitative analysis of the proposed technique on the SWaT security showdown event data further proves the technique's high anomaly detection ability on real-time injected attacks.