A Dynamic Network-based Intrusion Detection Model for Industrial Control Systems


Industrial Control Systems (ICS) play a crucial role in managing and controlling industrial assets. Due to their critical importance, adversaries are often highly motivated to target these systems, as a successful attack can disrupt the entire industry’s operations. In general, to improve the system’s security, proposed intrusion detection schemes often resort to traditional security mechanisms. As a consequence, due to their static nature, attackers can easily evade designed detection approaches. In light of this, this paper proposes a new dynamic network-based intrusion detection model for ICS, implemented in two phases. First, our scheme extracts network-related features to describe the current ICS environment behavior. Second, the security mechanisms are proactively selected based on the extracted network traffic behavior. As a result, our scheme can adjust the system’s configuration based on the current assessed event. Experiments on a new dataset, featuring over 14 attack categories targeting a SCADA system revealed that traditional detection methods face challenges in handling diverse attack categories. Conversely, our proposed model improved the average true-positive rates by up to 20% while also improving the range of detected attacks.

22nd IEEE International Conference On Trust, Security And Privacy In Computing And Communications