A three-tiered intrusion detection system for industrial control systems

2021 
This paper presents a three-tiered IDS that uses a supervised approach to detect cyber-attacks in ICS networks. The proposed approach aims not only to identify malicious packets on the network but also to identify the general and finer-grained attack type occurring on the network. This is key in the ICS environment, as the ability to identify exact attack types will lead to an increased response rate to the incident and the defence of the infrastructure. More specifically, the proposed system consists of three stages which aim to classify: 1) whether packets are malicious, 2) the general attack type of malicious packets (e.g. DoS), and 3) finer-grained cyber-attacks (e.g. Bad CRC Attack). The effectiveness of the proposed IDS is evaluated on network data collected from a real industrial gas pipeline system. Additionally, insight is provided into which features are most relevant to detecting such malicious behaviour. The system achieves an F-measure of 1) 87.4%, 2) 74.5%, and 3) 41.2% for the three layers, respectively. This demonstrates that the proposed architecture can successfully distinguish whether network activity is malicious and detect which general attack was deployed.