A brief summary of my student Colman McGuan's summer research and of the mid-term project in my machine learning course, which used his dataset. For more details, check out his poster.

Motivation

  • Industrial Control Systems (ICS) are vulnerable to attacks due to cyber components
  • Spoofing attacks can cause damage to ICS
  • Very few simulated testbeds available for research and education (launching attacks and performing detection)

Attacks

  • We create 54 attacks of 5 different categories
    • Single-sensor, multi-sensor, single-actuator, multi-actuator, and complex
  • Attacks are strictly limited to manipulating sensor readings from each sub-process in transit to the PLC and manipulating actuator write commands in transit from the PLC to each sub-process
  • A number of the attacks are stealthy attacks, i.e., difficult to detect

Results

  • Our model (one-class SVM) correctly identifies 47 of 54 attacks (87%) with 0 false positives. The video shows the online detection. Actual: true state of the system (1 for normal; 0 for under attack); Prediction: output of our machine learning model. The detection has an acceptable delay, which is very useful in practice for intervention to avoid damage, e.g., the explosion in the chemical process testbed.
  • We also tested in a manufacturing testbed called Factory I/O. You can find my demo in the following video:

Mid-term project

The mid-term project I assigned to my students in my machine learning course (CIS 492) is to do the same task using the dataset generated by Colman. They were given a training dataset (no attacks) and a validation dataset with labels for parameter tuning. They labeled the test set and I evaluated their solutions. They used independent Gaussian analysis and multivariate Gaussian analysis. The top 3 teams received a bonus in their final grades. Below are the results from the top team:
  • True positives: 38
  • False positives: 0
  • True negatives: 19
  • False negatives: 1
  • Precision: 1.0
  • Recall: 0.97
  • F1-score: 0.987
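As an added illustration of the procedure described above (fit on attack-free training data, pick the density threshold on the labelled validation set, then score the test set and report TP/FP/TN/FN, precision, recall and F1), here is an independent-Gaussian detector written for this post; it is not Colman's code or any student's submission, and it runs on constructed two-sensor readings rather than the real dataset, using the page's label convention (1 = normal, 0 = under attack) with "under attack" as the positive class.

```python
import math
NORMAL, ATTACK = 1, 0  # labels as on the page: 1 = normal, 0 = under attack

# Constructed readings (two sensors per sample), not Colman's dataset; TRAIN has no attacks.
TRAIN = [[50.0 + 0.5 * (i % 4), 10.0 + 0.25 * (i % 5)] for i in range(40)]
VALID = [([50.0, 10.0], NORMAL), ([51.5, 11.0], NORMAL), ([50.5, 10.5], NORMAL),
         ([51.0, 10.25], NORMAL), ([50.75, 25.0], ATTACK), ([80.0, 10.5], ATTACK),
         ([50.75, 0.0], ATTACK), ([52.5, 10.5], ATTACK)]
TEST = [([50.0, 11.0], NORMAL), ([51.5, 10.0], NORMAL), ([50.5, 10.75], NORMAL),
        ([51.0, 10.5], NORMAL), ([50.75, 10.5], NORMAL), ([50.75, 40.0], ATTACK),
        ([0.0, 10.5], ATTACK), ([50.75, 12.5], ATTACK), ([60.0, 10.5], ATTACK),
        ([50.75, 11.25], ATTACK)]  # last sample: a stealthy small-offset spoof

def fit(rows):
    """Per-sensor mean and variance of attack-free readings (independent Gaussians)."""
    n, d = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(d)]
    var = [max(sum((r[j] - mu[j]) ** 2 for r in rows) / n, 1e-12) for j in range(d)]  # floor: constant sensor
    return mu, var

def log_density(x, mu, var):
    """Log of the product of per-sensor Gaussian densities; lower = more anomalous."""
    return sum(-0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
               for xi, m, v in zip(x, mu, var))

def predict(rows, mu, var, thr):
    return [ATTACK if log_density(x, mu, var) < thr else NORMAL for x in rows]

def confusion(labels, preds):
    c = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}  # 'under attack' is the positive class
    for y, p in zip(labels, preds):
        c[("t" if y == p else "f") + ("p" if p == ATTACK else "n")] += 1
    return c

def prf(c):
    p = c["tp"] / (c["tp"] + c["fp"]) if c["tp"] + c["fp"] else 0.0
    r = c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
    return p, r, (2 * p * r / (p + r) if p + r else 0.0)  # precision, recall, F1

def tune_threshold(valid, mu, var):
    rows, labels = [x for x, _ in valid], [y for _, y in valid]
    dens = sorted(set(log_density(x, mu, var) for x in rows))
    cands = [(a + b) / 2 for a, b in zip(dens, dens[1:])]  # cut-offs between neighbouring samples
    return max(cands, key=lambda t: prf(confusion(labels, predict(rows, mu, var, t)))[2])  # best F1

def evaluate():
    mu, var = fit(TRAIN)                  # learn normal behaviour only
    thr = tune_threshold(VALID, mu, var)  # labelled validation set fixes the cut-off
    c = confusion([y for _, y in TEST], predict([x for x, _ in TEST], mu, var, thr))
    return thr, c, prf(c)
```

On this constructed data the tuned threshold catches the four large spoofs but misses the small-offset one, giving precision 1.0, recall 0.8 and F1 0.889, the same shape of result (no false positives, one stealthy attack missed) the top team reported.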