A Real-Time Anomaly Detection Method for Industrial Control Systems Based on Long-Short Period Deterministic Finite Automaton
Published: 2025-03-09
Journal: IEEE Internet of Things Journal
Impact factor: 8.2
DOI: 10.1109/JIOT.2025.3526599
Abstract: Anomaly detection has proven effective at detecting cyber-attacks on Industrial Control Systems (ICS). However, most existing anomaly detection methods suffer from low accuracy because they ignore the effects of packet loss and network delay on time features, the sequential nature of transition times, masquerade transitions, and system recovery. Meanwhile, current Cyber-Physical Model (CPM) construction methods struggle to contain the state explosion problem and to balance the removal and retention of low-frequency states (LFSs). In this paper, we propose a novel baseline model for ICS that detects anomalies by learning device-level polling time patterns and a system-level CPM. The polling time pattern learning method reduces the effects of packet loss and network delay on time features by extracting only matching packets and replacing outliers. The CPM construction method mitigates state explosion through mixed-event discretisation, reduces the effects of network delay on transition/action times through outlier replacement, and captures the sequential nature of transition times with circular permutation sets. CPM model optimisation uses a post-pruning algorithm to balance the removal and retention of LFSs, together with a CPM periodicity detection method that mitigates the effects of network delay so that every industrial process period is detected. Using this baseline model, we propose a real-time anomaly detection method with a two-layer defence mechanism. Experimental results from two lab-scale ICSs with six process-related attacks confirm the effectiveness and superiority of the proposed method: it achieves an average F1 score of 98.81% and an accuracy of 99.24%, outperforming the state-of-the-art work by 18.51% and 13.96%, respectively.
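To make the abstract's three central ideas concrete (timing windows learned per transition after outlier replacement, pruning of low-frequency transitions, and a two-layer check that first tests whether a transition is known and then whether its timing is plausible), the following is an added illustration written for this page. It is not the authors' implementation and deliberately simplifies the paper's model: the automaton is a plain transition table rather than a long-short period DFA, the outlier rule is an assumed median/MAD criterion, pruning is a bare support threshold, and the process states, cycle timings, delay and attack traces are all constructed for the demo.

```python
"""Illustrative DFA-style anomaly detector for ICS polling traces.

Added example, not the paper's implementation. It sketches, in a deliberately
simplified form, three ideas the abstract names: transition-time windows learned
after outlier replacement (so one delayed packet does not widen the window),
pruning of low-frequency transitions, and a two-layer check (unknown transition
first, then transition timing). States, timings and thresholds are constructed.
"""
from collections import defaultdict
from statistics import median


def replace_outliers(values, k=3.0):
    """Replace samples farther than k*MAD from the median with the median.

    Assumed rule for this demo; the paper's criterion is not given in the abstract.
    With MAD == 0 every sample that differs from the median is replaced.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return [med if abs(v - med) > k * mad else v for v in values]


def learn_model(trace, min_support=2, clean=True, k=3.0):
    """Learn allowed transitions and their dwell-time windows from a baseline.

    trace: time-ordered list of (timestamp_s, state).
    Returns {(from_state, to_state): (min_dwell, max_dwell)}. Transitions seen
    fewer than min_support times are dropped (a crude stand-in for post-pruning
    of low-frequency states). clean=False skips outlier replacement, to show
    what a single delayed packet does to the learned window.
    """
    samples = defaultdict(list)
    for (t1, s1), (t2, s2) in zip(trace, trace[1:]):
        samples[(s1, s2)].append(round(t2 - t1, 6))   # quantise to microseconds
    model = {}
    for edge, dwell in samples.items():
        if len(dwell) < min_support:
            continue                                   # low-frequency: pruned
        if clean:
            dwell = replace_outliers(dwell, k)
        model[edge] = (min(dwell), max(dwell))
    return model


def detect(model, trace, tol=0.0):
    """Two-layer check over a live trace; returns [(index, kind, detail), ...].

    Layer 1 flags a transition absent from the baseline (a masquerade or an
    out-of-order command). Layer 2 flags a known transition whose dwell time
    falls outside the learned window (process step held or rushed).
    """
    alerts = []
    for i, ((t1, s1), (t2, s2)) in enumerate(zip(trace, trace[1:])):
        edge, dwell = (s1, s2), round(t2 - t1, 6)
        if edge not in model:
            alerts.append((i, "unknown_transition", edge))
            continue
        lo, hi = model[edge]
        if not (lo - tol <= dwell <= hi + tol):
            alerts.append((i, "timing", (edge, dwell, (lo, hi))))
    return alerts


# --- constructed data (not from the paper) -----------------------------------
CYCLE = (("IDLE", 1.0), ("FILL", 2.0), ("HEAT", 3.0), ("DRAIN", 1.5))


def make_trace(cycles, delayed_cycle=None, maint_cycle=None, jitter=0.1):
    """Constructed polling trace of a 4-state process with +-0.1 s jitter.

    delayed_cycle: cycle whose DRAIN reading arrives 6 s late (network delay).
    maint_cycle:   cycle that visits a rare MAINT state once (low-frequency state).
    """
    trace, t = [], 0.0
    for c in range(cycles):
        for state, dt in CYCLE:
            trace.append((t, state))
            t += dt + jitter * ((c % 3) - 1)
            if state == "HEAT" and c == delayed_cycle:
                t += 6.0
        if c == maint_cycle:
            trace.append((t, "MAINT"))
            t += 5.0
    return trace


# Constructed live trace carrying two injected anomalies.
ATTACK = [
    (0.0, "IDLE"), (1.0, "FILL"), (3.0, "HEAT"), (11.0, "DRAIN"),  # HEAT held 8 s
    (12.5, "IDLE"), (13.5, "HEAT"),                                  # FILL skipped
    (16.5, "DRAIN"), (18.0, "IDLE"),
]

if __name__ == "__main__":
    baseline = make_trace(20, delayed_cycle=7, maint_cycle=10)
    clean = learn_model(baseline)
    raw = learn_model(baseline, clean=False)
    print("HEAT->DRAIN window, cleaned:", clean[("HEAT", "DRAIN")])
    print("HEAT->DRAIN window, raw    :", raw[("HEAT", "DRAIN")])
    print("alerts (cleaned model):", detect(clean, ATTACK))
    print("alerts (raw model)    :", detect(raw, ATTACK))
```

Running the block shows the point the abstract makes about network delay: with outlier replacement the HEAT to DRAIN window stays near 3 s and the 8 s hold in the attack trace is flagged, whereas a model learned from the raw dwell times stretches the window to 9 s and lets the same attack through. The rare MAINT detour is pruned at the default support threshold, so a later legitimate maintenance visit would raise an unknown-transition alert; lowering min_support keeps it, which is the retention-versus-removal trade-off the abstract's post-pruning step is meant to balance.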