Intrusion detection using long short-term memory model for industrial control system

Abstract

Given the rapid progress of digital technology, systems are increasingly vulnerable to cyber-attacks. Intrusion detection systems (IDS), which monitor an industrial control system (ICS) network traffic and detect suspicious activities, are a necessity for the operation of ICSs. Previous studies argued that packet intervals could ideally be regarded as indicators of the cyber-attacks on ICSs and proposed an intrusion detection methodology relying on packet intervals using singular spectrum analysis (SSA). SSA is a nonparametric spectral estimation method, but it suffers from high computational cost. Thus, in this study, a long short-term memory (LSTM) model was developed based on the packet intervals during steady-state operation, and an intrusion detection method using the LSTM model was proposed. The LSTM model is a recurrent neural network model and can be used for time-series prediction problems. Furthermore, we evaluated the proposed method on a cybersecurity testbed using penetration tests. The results show that the LSTM model performs better than SSA and suggests the possibility of the application of the LSTM model to IDS for various types of plants by adjusting its complexity.