As networked control systems continue to be widely used in large-scale industrial productions, industrial cyber-attacks have become an inevitable problem that can cause serious damage to critical infrastructures. In practice, industrial intrusion detection has been widely acknowledged to detect abnormal communication behaviors. However, unlike traditional IT systems, networked control systems have their own communication characteristics due to specific industrial communication protocols. Thus, simple cyber-attack modeling is inadequate and impractical for high-efficiency intrusion detection because the characteristics of network control systems are less considered. Based on the status information and transmission connection in industrial communication data payloads, which can properly express the characteristics of industrial control logic, this paper associates industrial communication features with transmission connection payload and status payload. Furthermore, transmission connection features include device address, context, time, and packet length, while status features cover measurement, input, distributed state, control state, and more. After designing a convolutional neural network (CNN) and a long short-term memory network (LSTM) to extract status features and transmission connection features from industrial communication data, this paper proposes a hierarchical deep learning anomaly detection approach, which can integrate the advantages of CNN and LSTM to achieve high-efficiency detection. The experimental results clearly show that the proposed approach, having the advantages of strong detection capability and low false alarm rate, is a superior means of anomaly detection when compared to its peers.
This work is published on INTELLIGENT AUTOMATION AND SOFT COMPUTING 30.1(2021):337-350.