TABOR: A Graphical Model-based Approach for Anomaly Detection in Industrial Control Systems

Qin Lin, Sridha Adepu, Sicco Verwer, Aditya Mathur

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

103 Citations (Scopus)

Abstract

Industrial Control Systems (ICS) such as water and power are critical to any society. Process anomaly detection mechanisms have been proposed to protect such systems and to minimize the risk of damage or loss of resources. In this paper, a graphical model-based approach is proposed for profiling the normal operational behavior of an operational ICS referred to as SWaT (Secure Water Treatment). Timed automata are learned as a model of the regular behaviors shown in sensor signals, such as fluctuations of water level in tanks. Bayesian networks are learned to discover dependencies between sensors and actuators. The models are used as a one-class classifier for process anomaly detection, recognizing irregular behavioral patterns and dependencies. Because the graphical models are interpretable, the detection results can be interpreted and the abnormal sensors or actuators localized. This approach is applied to a dataset collected from SWaT. Experimental results demonstrate the model's superior performance on both precision and run-time over methods including support vector machines and deep neural networks. The underlying idea is generic and applicable to other industrial control systems such as power and transportation.

Original language: English
Title of host publication: ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security
Place of Publication: New York
Publisher: Association for Computing Machinery (ACM)
Pages: 525-536
Number of pages: 12
ISBN (Print): 978-1-4503-5576-6
Publication status: Published - 2018
Event: 13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018 - Incheon, Korea, Republic of
Duration: 4 Jun 2018 → 8 Jun 2018

Conference

Conference: 13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018
Country/Territory: Korea, Republic of
City: Incheon
Period: 4/06/18 → 8/06/18

Keywords

  • Anomaly detection
  • Bayesian network
  • Cyber-physical system
  • Industrial control systems
  • SCADA security
  • Timed automata
