Anomaly detection using invariant rules in Industrial Control Systems

Industrial Control Systems (ICS) are intelligent control systems that integrate computing, physical processes, and communication to manage critical infrastructures such as power grids, oil and gas processing facilities, and water treatment plants. In recent years, ICS have been increasingly targeted by malicious attacks, causing severe consequences. Anomaly detection systems utilized in ICS are crucial in safeguarding ICS from potential threats by sending out an alert upon detecting any network attacks. However, existing methods for ICS anomaly detection often suffer from limitations. Supervised machine learning methods encounter the issue of imbalanced positive and negative samples, while residual-based anomaly detection methods face challenges in detecting stealthy attacks. This paper presents an unsupervised anomaly detection method for ICS using association rule mining techniques. Utilizing the proposed variation-driven predicate generation strategy, the method incorporates temporal features of sensor readings into the generated predicates, achieving the mining of invariant rules that take into account the temporal dependencies among physical variables. This approach allows for a more comprehensive exploration of the invariant patterns maintained in the dynamic processes of systems. Through experiments conducted on two public datasets, the method demonstrates high detection efficiency, meeting the real-time demands of online detection. Experimental results showcase its notable efficacy in anomaly detection, with a substantial enhancement in the recall rate. Furthermore, the method's capability to promptly issue warnings enables it to detect multiple attacks with low latency.