Start Date
30-9-2016 9:00 AM
Presentation Type
Paper
Description
Industrial control system (ICS) networks and supervisory control and data acquisition (SCADA) system networks are less likely to be within a strict closed network environment, which increases the likelihood of cyber-attacks. Over the last decade, intrusion detection has become an additional security measure for ICS and SCADA system networks to help prevent and minimize loss that may be sustained from cyber-attacks. ICS and SCADA network communication is typically repetitive and deterministic, which allows normal activity to be more easily modeled on the behavior of system-specific events. Given this deterministic behavior, an unsupervised anomaly-based intrusion detection system may provide increased performance over the more typical misuse detection method. We propose an unsupervised machine learning approach for the implementation of a network IDS in power system applications. The approach would supplement a more complex IDS by quantifying the degree to which an event is an attack, given network data states, to improve intrusion detection and minimize false alarm rates. The clustering approach contains four key processes: data preprocessing, unsupervised learning (cluster analysis), generating features from clusters, and classifying states using the Mamdani fuzzy inference system. Data sets from a simulated power distribution system are used to illustrate the impact of the proposed approach.
Recommended Citation
Tomlin, Leary Jr.; Farnam, Marsella R.; and Pan, Shengyi, "A Clustering Approach to Industrial Network Intrusion Detection" (2016). Information Security Research and Education (INSuRE) Conference. 5.
https://louis.uah.edu/insure-conference/INSuRECon-16/Papers/5
Comments
The inaugural INSuREcon Conference was held on September 30, 2016. The conference was held virtually using Cisco Webex online meeting and video conferencing software.