October 22 @ 1:30 pm - 2:30 pm MDT
Title: FALCON: Framework for Anomaly Detection in Industrial Control Systems
Program: Master of Science in Computer Science
Advisor: Dr. Hoda Mehrpouyan, Computer Science
Committee Members: Dr. Catherine Olschanowsky, Computer Science, Dr. Casey Kennington, Computer Science, and Stephen Reese, Idaho National Laboratory
“Industrial Control Systems (ICS) are used to control physical processes in the nation’s critical infrastructures. They are composed of subsystems that control physical processes by analyzing the information received from the sensors. Based on the state of the process, the controller issues control commands to the actuators. These systems are utilized in a wide variety of operations such as water treatment plants, power, and manufacturing. While the safety and security of these systems are of high concern, recent reports have shown an increase in targeted attacks that are aimed at manipulating the physical processes to cause catastrophic consequences. This emphasizes the need for algorithms and tools that provide resilient and smart attack detection and risk analysis mechanisms to protect the ICS.
To address this need for resiliency, this thesis designs and develops an anomaly detection and risk analysis framework for ICS. The proposed anomaly detection methodology utilizes dilated convolution and Long Short-Term Memory (LSTM) layers to learn temporal as well as long-term dependencies from sensor/actuator data in ICS. This data is passed through a unique feature engineering pipeline where wavelet transformation is utilized on the sensor signals to extract additional features. Additionally, this thesis explores four different variations of supervised deep learning models, as well as an unsupervised one-class Support Vector Machine (SVM) model for this problem. Furthermore, an empirical analysis of a single monolithic model for all sensors/actuators in ICS versus distributed models for each segmented process is carried out.
The proposed methodology is validated utilizing normal and attack sensor/actuator data from a miniature water treatment plant known as the Secure Water Treatment (SWaT) testbed. The results of our experiments show improvement over existing state-of-the-art anomaly detection algorithms, with higher performance than the baselines set previously. Further, monolithic models trained on entire processes in ICS performed better than the distributed models due to their ability to learn global relationships within the data. Along with an anomaly detection methodology, this thesis also presents a Petri Net (PN) model for analyzing risks within the system. Reachability analysis on Petri Nets is conducted to identify the transitions and sensor and actuator values that could result in potential risks within the processes.”
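The abstract describes Petri Net reachability analysis as the risk-analysis component: exploring every marking reachable from the initial state and reporting the transitions and sensor/actuator values that lead to hazardous states. The following is an added, self-contained illustration of that technique on a constructed single-tank process (one level sensor, one inlet valve, one outlet pump); it is not the thesis's own Petri Net model, and the place names, transitions and risk predicates are all assumptions made for this example.

```python
from collections import deque

# Constructed toy process (not the SWaT testbed): one tank with an inlet motorized
# valve (MV) and an outlet pump (P). Places model sensor/actuator states; a marking is
# the frozenset of places currently holding a token (the net is 1-safe).
PLACES = ["LEVEL_LOW", "LEVEL_NORMAL", "LEVEL_HIGH",
          "MV_CLOSED", "MV_OPEN", "P_OFF", "P_ON"]

# Transitions: name -> (input places consumed, output places produced).
TRANSITIONS = {
    # Actuator commands issued by the controller.
    "open_valve":  ({"MV_CLOSED"}, {"MV_OPEN"}),
    "close_valve": ({"MV_OPEN"}, {"MV_CLOSED"}),
    "start_pump":  ({"P_OFF"}, {"P_ON"}),
    "stop_pump":   ({"P_ON"}, {"P_OFF"}),
    # Level changes driven by the physics: inflow while the valve is open,
    # outflow while the pump is running (the actuator token is read and put back).
    "fill_to_normal":  ({"LEVEL_LOW", "MV_OPEN"}, {"LEVEL_NORMAL", "MV_OPEN"}),
    "fill_to_high":    ({"LEVEL_NORMAL", "MV_OPEN"}, {"LEVEL_HIGH", "MV_OPEN"}),
    "drain_to_normal": ({"LEVEL_HIGH", "P_ON"}, {"LEVEL_NORMAL", "P_ON"}),
    "drain_to_low":    ({"LEVEL_NORMAL", "P_ON"}, {"LEVEL_LOW", "P_ON"}),
}

# Initial marking: tank low, valve closed, pump off.
INITIAL = frozenset({"LEVEL_LOW", "MV_CLOSED", "P_OFF"})


def is_risky(marking):
    """Hazard predicate (assumed for this example): high level with the inlet still
    open (overflow risk), or low level with the pump running (dry-run risk)."""
    return ({"LEVEL_HIGH", "MV_OPEN"} <= marking) or ({"LEVEL_LOW", "P_ON"} <= marking)


def enabled(marking, transition):
    inputs, _ = transition
    return inputs <= marking


def fire(marking, transition):
    inputs, outputs = transition
    return (marking - inputs) | outputs


def reachability_graph(transitions, initial):
    """Breadth-first exploration of every marking reachable from `initial`.
    Returns marking -> (parent marking, transition fired) for path reconstruction;
    BFS guarantees the recorded path to each marking is a shortest one."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        marking = queue.popleft()
        for name, transition in transitions.items():
            if enabled(marking, transition):
                successor = fire(marking, transition)
                if successor not in parent:
                    parent[successor] = (marking, name)
                    queue.append(successor)
    return parent


def firing_sequence(parent, marking):
    """Walk parent pointers back to the initial marking; return transitions in order."""
    sequence = []
    while parent[marking] is not None:
        previous, name = parent[marking]
        sequence.append(name)
        marking = previous
    return list(reversed(sequence))


def risk_analysis(transitions=TRANSITIONS, initial=INITIAL):
    """Map every reachable hazardous marking to a shortest firing sequence reaching it."""
    parent = reachability_graph(transitions, initial)
    return {m: firing_sequence(parent, m) for m in parent if is_risky(m)}


if __name__ == "__main__":
    for marking, sequence in risk_analysis().items():
        print(sorted(marking), "reached via:", " -> ".join(sequence))
```

Each reported firing sequence names the actuator commands and level readings that carry the process from its initial state into a hazardous one, which is exactly the kind of transition/value listing a risk analyst uses to decide where an interlock or a detection rule is needed. Because the toy net has no interlocks, every hazardous marking is reachable; adding guard places to the controller transitions and re-running the analysis shows which hazards the guards remove.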