4 December 2014
Dr Leandros Maglaras of the University of Surrey talks about the work behind the paper ‘Integrated OCSVM mechanism for intrusion detection in SCADA systems’.
My field is development of intrusion detection mechanisms to enhance network security and, for this particular work, social metrics, classification, clustering and fusion techniques are combined. I am a member of the Surrey Centre for Cyber Security (SCCS), which was established by the university to organise and consolidate its cyber security activities. I am also a member of the Multimedia, Security and Forensics (MSF) Group, which focuses on the interplay between multimedia, security and forensics technologies.
At the moment, my interest is focused on improving the resilience and dependability of industrial control systems (ICSs) by automatic detection of cyber-threats, and the sharing of real-time information about attacks among critical infrastructure (CI) owners. A supervisory control and data acquisition (SCADA) system is a type of ICS used to monitor and control industrial processes that exist in the physical world. Since they are large-scale systems that can include multiple sites and large distances, the effect of an attack on such systems might have devastating consequences. Distributed intrusion detection mechanisms specifically designed for SCADA systems, which are able to ensure an adequate balance between high accuracy, low false alarm rate and reduced network traffic overhead, are needed.
In our Electronics Letters paper, an integrated intrusion detection mechanism, called IT-OCSVM, for SCADA systems is presented. The proposed mechanism combines an unsupervised learning model with social metrics in order to distinguish between normal and suspicious system traffic. The mechanism runs in a distributed way as part of a real-time perimeter intrusion detection system (PIDS), and is capable of communicating with other components of the system through dedicated messages. The PIDS has been developed under the CockpitCI project, which aims to improve the resilience and dependability of CIs.
The proposed IT-OCSVM mechanism has the capability of creating multiple one-class support vector machine (OCSVM) modules in real time based on the current system traffic. This dynamic feature allows the mechanism to adapt its operation based on the current status of the system. The automatically created OCSVM modules produce initial outputs that are used as a basis for the final alarms produced by the mechanism. Moreover, the behaviour of each significant source of the network is analysed using social metrics, and this analysis is used to weight the alarms produced for each source. The mechanism, although based on an OCSVM classifier, is capable not only of producing a reduced number of final alarms, but also of categorising them in real time as severe, medium and possible. This is accomplished by using comparative metrics of the network's structure during normal and abnormal operation, and by aggregating and categorising the alarms using k-means clustering. This enhanced performance is very important both for inducing low overheads in the communication channel and for reporting the severity of the detected attack.
Intrusion detection is an ongoing battle that gets more and more sophisticated. As ICSs overcome their isolation and move towards interconnected topologies, they also become more exposed to threats that weren't even remotely conceivable when they were first designed, such as cyber-threats. The use of simple detection modules solves the problem only partially, as the attacks are becoming more advanced and thus harder to detect. The development of integrated detection mechanisms that combine several technologies and can adapt to the status of the system is a challenge that must be met in the next few years. In particular, the defence systems must be distributed, cheap and above all accurate, since false positive alarms or mistakes regarding the origin of the intrusion mean severe costs for the system concerned.
Based on the proposed IT-OCSVM, we are now developing novel adaptive intrusion detection mechanisms that further improve accuracy and false detection rates. These are tested in a medium-sized hybrid testbed under different attack scenarios. Their computational cost and total overheads are also a matter of consideration for our research team. We are focusing on the creation of a fully adaptive detection mechanism that can be incorporated in any system that needs to be secured against cyber-attacks.
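The following is an added illustration of the pipeline the interview describes (one-class scoring of traffic, social-metric weighting of per-source alarms, k-means categorisation into severe/medium/possible); it is not code from the paper or the CockpitCI project. Two simplifications are assumptions of this example: the one-class scorer gives every training flow an equal RBF-kernel weight and sets its threshold rho at the nu-quantile of training scores (a kernel-density stand-in for a real OCSVM, which would learn sparse support-vector weights with a QP solver), and the "social metric" is plain degree centrality (distinct destinations per source). The flow records, feature choice (packets per second, mean packet size) and addresses are constructed for the example.

```python
"""Sketch of an IT-OCSVM-style pipeline: one-class scoring -> social weighting -> k-means severity."""
import math
from collections import defaultdict

# Constructed training flows from normal operation: (packets_per_second, mean_packet_bytes).
NORMAL_FLOWS = [
    (10.0, 100.0), (11.0, 98.0), (9.0, 102.0), (10.5, 101.0),
    (9.5, 99.0), (10.2, 100.5), (9.8, 99.5), (10.8, 97.0),
]

# Constructed observation window: (src, dst, packets_per_second, mean_packet_bytes).
# 10.0.0.5 behaves normally; the others send some or all traffic far from the normal profile.
WINDOW_FLOWS = [
    ("10.0.0.5", "10.0.1.1", 10.3, 100.2), ("10.0.0.5", "10.0.1.2", 9.9, 99.8),
    ("10.0.0.7", "10.0.1.1", 10.3, 100.2), ("10.0.0.7", "10.0.1.1", 10.1, 99.9),
    ("10.0.0.7", "10.0.1.1", 14.0, 95.0), ("10.0.0.7", "10.0.1.1", 14.0, 95.0),
    ("10.0.0.9", "10.0.1.1", 150.0, 64.0), ("10.0.0.9", "10.0.1.2", 150.0, 64.0),
    ("10.0.0.9", "10.0.1.3", 150.0, 64.0), ("10.0.0.9", "10.0.1.4", 150.0, 64.0),
    ("10.0.0.11", "10.0.1.1", 90.0, 70.0), ("10.0.0.11", "10.0.1.2", 90.0, 70.0),
    ("10.0.0.13", "10.0.1.1", 10.0, 100.0), ("10.0.0.13", "10.0.1.2", 9.7, 100.3),
    ("10.0.0.13", "10.0.1.2", 40.0, 90.0),
]

SEVERITY = ("possible", "medium", "severe")


def rbf(a, b, gamma):
    """Gaussian (RBF) kernel between two feature vectors."""
    return math.exp(-gamma * sum((x - y) ** 2 for x, y in zip(a, b)))


class OneClassKernelScorer:
    """Assumed stand-in for one OCSVM module: equal kernel weight on every training
    flow, decision threshold rho at the nu-quantile of training scores. The decision
    rule (kernel sum minus rho) has the same shape as an OCSVM's, without the QP fit."""

    def __init__(self, nu=0.1, gamma=0.05):
        self.nu, self.gamma, self.support, self.rho = nu, gamma, [], 0.0

    def fit(self, flows):
        self.support = list(flows)
        scores = sorted(self.score(x) for x in self.support)
        self.rho = scores[int(self.nu * len(scores))]  # roughly a nu fraction fall below rho
        return self

    def score(self, x):
        return sum(rbf(x, s, self.gamma) for s in self.support) / len(self.support)

    def is_anomaly(self, x):
        return self.score(x) < self.rho


def social_weights(flows):
    """Degree centrality per source (distinct destinations), normalised to [0, 1]."""
    peers = defaultdict(set)
    for src, dst, *_ in flows:
        peers[src].add(dst)
    max_degree = max(len(p) for p in peers.values())
    return {src: len(p) / max_degree for src, p in peers.items()}


def raw_alarms(model, flows):
    """Per-source fraction of flows the one-class model flags; sources with no flags raise no alarm."""
    total, flagged = defaultdict(int), defaultdict(int)
    for src, _dst, pps, size in flows:
        total[src] += 1
        if model.is_anomaly((pps, size)):
            flagged[src] += 1
    return {src: flagged[src] / total[src] for src in total if flagged[src]}


def kmeans_1d(values, k, max_iter=100):
    """Plain Lloyd's k-means on scalars with deterministic, evenly spaced initial centroids."""
    ordered, n = sorted(values), len(values)
    centroids = [ordered[i * (n - 1) // max(k - 1, 1)] for i in range(k)]
    labels = [0] * n
    for _ in range(max_iter):
        labels = [min(range(k), key=lambda j: abs(v - centroids[j])) for v in values]
        new = []
        for j in range(k):
            members = [v for v, lab in zip(values, labels) if lab == j]
            new.append(sum(members) / len(members) if members else centroids[j])
        if new == centroids:
            break
        centroids = new
    return labels, centroids


def categorise_alarms(model, flows):
    """Weight raw alarms by the social metric, then cluster into up to three severity levels."""
    raw = raw_alarms(model, flows)
    if not raw:
        return {}
    weights = social_weights(flows)
    weighted = {src: v * weights[src] for src, v in raw.items()}
    sources = list(weighted)
    k = min(3, len(set(weighted.values())))  # fewer alarmed sources -> fewer clusters
    labels, centroids = kmeans_1d([weighted[s] for s in sources], k)
    rank = {c: i for i, c in enumerate(sorted(range(k), key=lambda j: centroids[j]))}
    names = SEVERITY[-k:]  # highest-centroid cluster is always "severe"
    return {src: (round(weighted[src], 4), names[rank[labels[i]]]) for i, src in enumerate(sources)}


def run_example():
    model = OneClassKernelScorer().fit(NORMAL_FLOWS)
    return categorise_alarms(model, WINDOW_FLOWS)


if __name__ == "__main__":
    for src, (score, level) in sorted(run_example().items(), key=lambda kv: -kv[1][0]):
        print(f"{src:10s} weighted alarm={score:.3f} severity={level}")
```

Running it shows the effect of the two stages: 10.0.0.9 (every flow anomalous, talking to the most peers) lands in the severe cluster, 10.0.0.11 in medium, and the two sources with only part of their traffic flagged in the possible cluster, while the normal source raises no alarm at all. In the real mechanism the per-source weighting uses comparative structural metrics of the network under normal and abnormal operation rather than a single degree value, and several OCSVM modules are created per traffic window; this example keeps one scorer and one metric so the flow of initial outputs to weighted, categorised final alarms stays visible.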
This interview is based on the letter 'Integrated OCSVM mechanism for intrusion detection in SCADA systems'.
A PDF version of this interview is also available.