
University of Piraeus
Digital Systems Department

Anomaly Detection for Industrial Control Systems

Thesis submitted for the MSc Degree of Security in Digital Systems
May 2018
Author: Kapogianni Eirini
Supervisors: Prof. Cristina Alcaraz, Prof. Constantinos Lamprinoudakis

Acknowledgement

I would first like to express my appreciation and thanks to my thesis advisor Prof. Constantinos Lamprinoudakis, whose office door was always open whenever I had a question and who steered me in the right direction about my Master's Thesis topic. I would also like to thank the expert Prof. Cristina Alcaraz, who was involved in the validation survey for this research project. Without her participation, input, helpful comments and advice the validation survey could not have been successfully conducted. Finally, I would like to thank my family and my friends, Maria and Spyros, for encouraging me and supporting me throughout this experience.

Page | 2

Abstract

As Industrial Control Systems (ICSs) become more and more connected, they also need to become more secure. Traditional Intrusion Detection Systems (IDSs) do not work well for them, because they mostly work on a signature basis and there are few known signatures for attacks on ICSs. Since the network traffic of an ICS is claimed to be static and signatures are scarce, searching the network for anomalies is a more effective way to detect threats. This can be achieved with machine learning and other statistical models, teaching the system to tell regular traffic from irregularities. In this thesis we survey different anomaly detection techniques, evaluate them against a set of parameters, and point out the one that fits ICSs best. Based on the survey and the risk analysis we analyze the algorithm we settle on, and implement it on real-time data sets (normal and anomalous).
From this work we propose and evaluate methods to be used when creating a more data-driven IDS, capable of detecting process semantic tampering within an ICS. Our experiments exhibit the static nature of the data originating from the ICS, and after evaluating many different proposed anomaly detection techniques with proof-of-concept systems, we deem that the anomaly detection algorithm we conclude on works well both for semantic tampering and on a network basis. An IDS that fuses this proposed method would benefit the security of an ICS.

Contents

Abstract ..... 3
Figures ..... 5
Chapter 1 ..... 6
Machine Learning based Anomaly Detection ..... 6
1.1 Introduction ..... 6
1.1.1 Decision Trees ..... 7
1.1.2 Regression trees ..... 14
1.1.3 Association Rule Learners ..... 16
1.1.4 Bayesian Networks-Based ..... 19
1.1.5 Clustering Based Anomaly Detection Techniques ..... 25
1.1.6 Statistical Methods (Parametric and non-parametric) ..... 31
1.1.7 Operational Anomaly Detection ..... 32
1.1.8 Smoothing ..... 33
1.1.9 Markov Chains ..... 36
Dynamic Markov Chain ..... 36
1.1.10 Artificial Neural Networks (ANNs) ..... 40
1.1.11 SVM (Support Vector Machines) Algorithm ..... 45
1.1.12 Rule-Based ..... 48
1.1.13 Nearest Neighbor-Based ..... 53
1.1.14 Fuzzy Logic ..... 56
1.1.15 Knowledge-based ..... 58
Chapter 2 ..... 63
2.1 Control System Categories ..... 63
2.2 Selecting the best one ..... 65
Chapter 3 ..... 67
3.1 Weka Tool ..... 67
3.2 Results ..... 67
3.2.1 Overview ..... 67
3.2.2 SVM Multiclass Classification ..... 68
3.2.3 The Results ..... 69
Chapter 4 ..... 74
4.1 Discussion ..... 74
4.1.1 The project ..... 74
4.1.2 Future work ..... 75
4.2 Conclusion ..... 75

Figures

Figure 1.1: Multi-class Anomaly Detection
Figure 1.2: One-class Anomaly Detection
Figure 1.3: Association Rule Learners
Figure 1.4: Schedule Overview of WSARE 3.0 algorithm
Figure 1.5: CURE Algorithm's steps
Figure 1.6: ANN's architecture
Figure 1.7: Margin for Hyperplane
Figure 1.8: Non-parametric Classifier
Figure 1.9: Fuzzy Logic System

Chapter 1
Machine Learning based Anomaly Detection

Machine learning is the ability of a program or a system to learn and improve its performance on a certain task or group of tasks over time. Machine learning aims to answer many of the same questions as statistics or data mining. However, unlike statistical approaches, which tend to focus on understanding the process that generated the data, machine learning techniques focus on building a system that improves its performance based on previous results. [33]

1.1 Introduction

A model (classifier) can be trained from a set of labeled data instances to form classes, and then assign a test instance to one of those classes; in other words, training and then testing. This is classification. As mentioned, classification consists of two steps.
The first is the training phase, in which the classifier uses the labeled training data to build a model that serves as the reference for what is standard. The second step is testing: through this operation, a test instance is classified as normal or anomalous. Because the available labeled data vary, researchers have grouped the detection techniques into two different categories to facilitate the procedure. The
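The two phases just described, as an added example that is not part of the thesis (pure standard-library Python, constructed ICS-style readings): a multi-class classifier is trained on labeled normal and anomalous process records, a one-class detector is trained on normal records only, and both are then run over unseen test instances, the two categories the chapter goes on to distinguish. The nearest-centroid model, the 3-sigma distance threshold and all sensor values are assumptions made for illustration.

```python
"""Training phase / testing phase of an anomaly classifier for ICS telemetry.

Constructed example: each record is (tank pressure in bar, flow in l/min,
valve opening in %). Labels are "normal" or "anomalous".
"""
from math import sqrt
from statistics import mean, pstdev

# Constructed labeled training data (assumed values, not from the thesis).
TRAINING = [
    ((4.9, 120.0, 50.0), "normal"),
    ((5.1, 118.0, 51.0), "normal"),
    ((5.0, 122.0, 49.0), "normal"),
    ((5.0, 119.0, 50.0), "normal"),
    ((4.8, 121.0, 52.0), "normal"),
    ((8.9, 30.0, 5.0), "anomalous"),   # valve forced shut, pressure climbing
    ((9.2, 25.0, 4.0), "anomalous"),
    ((8.7, 35.0, 6.0), "anomalous"),
]

# Constructed held-out test instances for the testing phase.
TEST = [
    ((5.0, 120.0, 50.0), "normal"),
    ((4.95, 119.5, 50.5), "normal"),
    ((9.0, 28.0, 5.0), "anomalous"),
    ((8.8, 32.0, 5.5), "anomalous"),
]


def standardizer(records):
    """Per-feature mean and standard deviation learned from training data,
    so a feature with large units (flow in l/min) does not dominate."""
    cols = [[r[i] for r in records] for i in range(len(records[0]))]
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]  # guard against constant features
    return mu, sd


def standardize(x, mu, sd):
    return [(xi - m) / s for xi, m, s in zip(x, mu, sd)]


def euclid(a, b):
    return sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))


def train_multiclass(labeled):
    """Training phase, multi-class setting: labels for every class are
    available, and the model is one centroid per label (nearest-centroid
    classifier, chosen here for illustration)."""
    mu, sd = standardizer([x for x, _ in labeled])
    by_label = {}
    for x, label in labeled:
        by_label.setdefault(label, []).append(standardize(x, mu, sd))
    centroids = {lab: [mean(col) for col in zip(*pts)]
                 for lab, pts in by_label.items()}
    return {"mu": mu, "sd": sd, "centroids": centroids}


def classify_multiclass(model, x):
    """Testing phase: the test instance gets the label of the nearest centroid."""
    z = standardize(x, model["mu"], model["sd"])
    return min(model["centroids"],
               key=lambda lab: euclid(z, model["centroids"][lab]))


def train_oneclass(normal_only, k=3.0):
    """Training phase, one-class setting: only normal records are labeled.
    The model is the normal profile plus a distance threshold of k standard
    deviations (k=3 is an assumed cut-off)."""
    mu, sd = standardizer(normal_only)
    return {"mu": mu, "sd": sd, "threshold": k}


def classify_oneclass(model, x):
    """Testing phase: anything farther than the threshold from the learned
    normal profile is flagged as anomalous."""
    z = standardize(x, model["mu"], model["sd"])
    dist = euclid(z, [0.0] * len(z))  # standardized normal data is centred at 0
    return "normal" if dist <= model["threshold"] else "anomalous"


def accuracy(predict, labeled_test):
    """Fraction of test instances whose predicted label matches the true one."""
    hits = sum(1 for x, label in labeled_test if predict(x) == label)
    return hits / len(labeled_test)


if __name__ == "__main__":
    mc = train_multiclass(TRAINING)
    oc = train_oneclass([x for x, lab in TRAINING if lab == "normal"])
    for x, lab in TEST:
        print(x, "true:", lab,
              "| multi-class:", classify_multiclass(mc, x),
              "| one-class:", classify_oneclass(oc, x))
    print("multi-class accuracy:", accuracy(lambda x: classify_multiclass(mc, x), TEST))
    print("one-class accuracy:", accuracy(lambda x: classify_oneclass(oc, x), TEST))
```

The one-class detector needs no anomalous training records, which matters for ICSs where attack samples are scarce; the price is that its threshold is a tuning decision, and a record that is unusual but benign (a maintenance valve test, say) is reported as anomalous just like tampering would be.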