A Lightweight Online Intrusion Detection and Localization Framework for Industrial Control Systems

Document Type: Research Article

Authors

1 Information Systems and Security Lab (ISSL), Department of Electrical Engineering, Sharif University of Technology, Tehran, Iran

2 Electronics Research Institute, Sharif University of Technology, Tehran, Iran

Abstract
As the Industrial Internet of Things (IIoT) faces increasing cyber threats, the need for effective and practical intrusion detection systems (IDS) becomes paramount. One of the key challenges in designing an IDS is ensuring online detection and identification (localization) of potential attacks in real time. Our research addresses this challenge by developing a lightweight online intrusion detection framework tailored explicitly to water distribution systems. The proposed framework aims to balance real-time detection and identification against accuracy requirements: triggering an alarm immediately for every detected anomaly can lead to a high false positive rate, while waiting for attack confirmation can cause harmful delays. To overcome these limitations, we present a novel approach that achieves real-time detection while maintaining a low false positive rate (below 5%), making it highly applicable in real-world scenarios. We train and test our system on the BATADAL datasets, demonstrating its superior performance compared to other mechanisms. Additionally, we introduce a PCA-based Concealment Detection Statistical Outlier (PCACD-SO) identification approach that enables real-time identification of compromised sensors, actuators, or connections during an attack. The results validate the effectiveness of our lightweight online intrusion detection framework, showcasing its ability to detect cyber attacks in real time while maintaining a low false positive rate. Furthermore, the proposed PCACD-SO identification approach enhances the system's capability to identify and isolate compromised components swiftly, enabling prompt response and mitigation.
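To make the two ideas in the abstract concrete, a persistence rule that delays the alarm to cut false positives and a PCA residual outlier test that points at the compromised sensor, here is an added example that is not the paper's code. It assumes a constructed 8-sensor plant driven by two latent processes and a spoofed offset injected on one sensor; the paper's PCACD-SO method, thresholds and the BATADAL data are not reproduced.

```python
# Added illustration, not the paper's code: a PCA reconstruction-residual detector
# with a persistence rule before alarming and per-sensor residual outlier ranking
# for localization. All data below is constructed; the paper's exact method differs.
import numpy as np

def make_data(n, rng, attack=None):
    """8 correlated sensors driven by 2 latent processes plus noise (constructed).
    attack = (start, end, sensor, offset) injects a spoofed reading on one sensor."""
    angles = np.arange(8) * np.pi / 8
    loadings = np.stack([np.cos(angles), np.sin(angles)], axis=1)   # (8, 2)
    X = rng.standard_normal((n, 2)) @ loadings.T + 0.05 * rng.standard_normal((n, 8))
    if attack:
        start, end, sensor, offset = attack
        X[start:end, sensor] += offset
    return X

def fit_pca(X_train, n_components):
    """Learn the normal-operation subspace and thresholds from clean data only."""
    mu, sd = X_train.mean(axis=0), X_train.std(axis=0) + 1e-9
    Z = (X_train - mu) / sd
    _, _, vt = np.linalg.svd(Z, full_matrices=False)
    P = vt[:n_components].T                      # principal directions (8, k)
    resid = Z - Z @ P @ P.T                      # part PCA cannot reconstruct
    spe = (resid ** 2).sum(axis=1)               # squared prediction error
    return {"mu": mu, "sd": sd, "P": P,
            "thr": np.quantile(spe, 0.99),       # ~1% single-sample exceedance
            "rsd": resid.std(axis=0) + 1e-9}     # per-sensor residual spread

def detect_and_localize(model, X, persist=3, z_cut=4.0):
    """Alarm only after `persist` consecutive over-threshold samples (trades a
    short delay for fewer false positives); then rank sensors whose residual is a
    statistical outlier relative to training. Returns [(t, [sensor, ...]), ...]."""
    Z = (X - model["mu"]) / model["sd"]
    resid = Z - Z @ model["P"] @ model["P"].T
    over = (resid ** 2).sum(axis=1) > model["thr"]
    alarms, run = [], 0
    for t in range(len(X)):
        run = run + 1 if over[t] else 0
        if run >= persist:
            z = np.abs(resid[t]) / model["rsd"]
            ranked = [int(j) for j in np.argsort(-z) if z[j] > z_cut]
            alarms.append((t, ranked))          # ranked[0] is the prime suspect
    return alarms

rng = np.random.default_rng(0)
MODEL = fit_pca(make_data(1000, rng), n_components=2)
X_TEST = make_data(400, rng, attack=(200, 230, 2, 3.0))   # sensor 2 spoofed +3
ALARMS = detect_and_localize(MODEL, X_TEST)

if __name__ == "__main__":
    print(f"{len(ALARMS)} alarms, first at t={ALARMS[0][0]}, suspects={ALARMS[0][1]}")
```

A single large manipulation also leaks into the residuals of correlated sensors, which is why the localization step ranks suspects rather than reporting every sensor above the cut.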
