Analysis of intrusion detection in control system communication based on outlier detection with one-class classifiers

Abstract

In this paper, we introduce an analysis of outlier detection using SVM (Support Vector Machine) for intrusion detection in control system communication networks. SVMs have proved to be useful for classifying normal communication and intrusion attacks. In control systems, a large amount of normal communication data is available, but as there have been almost no cyber attacks, there is very little actual attack data. One class SVM and SVDD (Support Vector Data Description) are two methods used for one class classification where only information of one of the classes is available. We applied these two methods to intrusion detection in an experimental control system network, and compared the differences in the classification. To gain information of the kind of traffic that would be classified as an attack, the percentage of allowed outliers was changed interactively, adding human knowledge of the control system to the results. And our experiments clarified that sequence information in control system communication is very important for detecting some intrusion attacks. © 2012 Springer-Verlag.