Developments and upgrades in the field of industrial information technology, particularly those relating to information systems’ technologies for the collection and processing of real-time data, have introduced a large number of new threats. These threats are primarily related to the specific tasks these applications perform, such as their distinct design specifications, the specialized communication protocols they use and the heterogeneous devices they are required to interconnect. In particular, specialized attacks can undertake mechanical control, dynamic rearrangement of centrifugation or reprogramming of devices in order to accelerate or slow down their operations. This may result in industrial equipment being totally destroyed or permanently damaged. Cyber-attacks against Industrial Control Systems (ICS), which mainly use Supervisory Control and Data Acquisition (SCADA) combined with Distributed Control Systems, are implemented with Programmable Logic Controllers. They are characterized as Advanced Persistent Threats (APT). This paper presents an advanced Spiking One-Class Anomaly Detection Framework (SOCCADF) based on the evolving Spiking Neural Network algorithm. This algorithm implements an innovative application of the one-class classification methodology, since it is trained exclusively with data that characterize the normal operation of ICS and is able to detect divergent behaviors and abnormalities associated with APT attacks.
Demertzis, K., Iliadis, L., & Spartalis, S. (2017). A spiking one-class anomaly detection framework for cyber-security on industrial control systems. In Communications in Computer and Information Science (Vol. 744, pp. 122–134). Springer Verlag. https://doi.org/10.1007/978-3-319-65172-9_11