Add-On Anomaly Threshold Technique for Improving Unsupervised Intrusion Detection on SCADA Data

Supervisory control and data acquisition (SCADA) systems monitor and supervise our daily infrastructure systems and industrial processes. Hence, the security of the information systems of critical infrastructures cannot be overstated. The effectiveness of unsupervised anomaly detection approaches is sensitive to parameter choices, especially when the boundaries between normal and abnormal behaviours are not clearly distinguishable. Therefore, the current approach to anomaly detection for SCADA is based on the assumptions by which anomalies are defined, and these assumptions are controlled by a parameter choice. This paper proposes an add-on anomaly threshold technique to identify the observations whose anomaly scores are extreme and deviate significantly from the others; such observations are assumed to be "abnormal". The observations whose anomaly scores are significantly distant from the "abnormal" ones are assumed to be "normal". Ensemble-based supervised learning is then proposed to find a global and efficient anomaly threshold using the information of both "normal" and "abnormal" behaviours. The proposed technique can be used with any unsupervised anomaly detection approach to mitigate the sensitivity to such parameters and improve the performance of SCADA unsupervised anomaly detection approaches. Experimental results confirm that the proposed technique achieved a significant improvement over the state of the art for two unsupervised anomaly detection algorithms.

Bibliographic Details
Main Authors: Abdulmohsen Almalawi, Adil Fahad, Zahir Tari, Asif Irshad Khan, Nouf Alzahrani, Sheikh Tahir Bakhsh, Madini O. Alassafi, Abdulrahman Alshdadi, Sana Qaiyum
Format: Article
Language: English
Published: MDPI AG, 2020-06-01
Series: Electronics (ISSN 2079-9292)
Subjects: SCADA security; intrusion detection; unsupervised learning; Industrial Internet of Things (IIoT); information security; security threats
Online Access: https://www.mdpi.com/2079-9292/9/6/1017
DOI: 10.3390/electronics9061017
Author affiliations:
- Abdulmohsen Almalawi: School of Computer Science & Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia
- Adil Fahad: College of Computer Science & Information Technology, Department of Computer Science, Al Baha University, Al Baha 65527, Saudi Arabia
- Zahir Tari: Distributed Systems and Networking (DSN) Discipline, School of Computer Science and Information Technology (CSIT), RMIT University, Melbourne, VIC 3000, Australia
- Asif Irshad Khan: School of Computer Science & Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia
- Nouf Alzahrani: College of Computer Science & Information Technology, Department of Computer Science, Al Baha University, Al Baha 65527, Saudi Arabia
- Sheikh Tahir Bakhsh: School of Computer Science & Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia
- Madini O. Alassafi: School of Computer Science & Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia
- Abdulrahman Alshdadi: College of Computer Science & Engineering, Department of Information Systems and Technology, Jeddah University, Jeddah 23218, Saudi Arabia
- Sana Qaiyum: Center for Research in Data Sciences, Universiti Teknologi PETRONAS, Seri Iskandar 32610, Malaysia