Applying AI-based PoLA to the problem of early intrusion detection in ICS systems

  • Peter Donnelly

    Student thesis: Doctoral Thesis

    Abstract

    Our ability to protect essential infrastructure is critical to sustaining a civilised nation. Critical national infrastructure (CNI) is controlled by analogue devices and by non-routable digital devices, and routable information technology (IT) is also deployed to defend it and to counter disruption. CNI investments are large and complex and yield returns only over long lead times. Even minor outages can pose an existential threat to the consumers of the products or services supplied, and operators can rapidly incur major losses. Analysing the network traffic of an industrial control system (ICS) within CNI requires shared data, which is often disclosed reluctantly; the datasets that are available may be unsuitable for the investigation or may compromise their donors in some way. This makes the case for generating tailored ICS network traffic that is easier to analyse, and for doing so on a budget. A near-fidelity PoL test bench is built, comprising a data recording and analysis facility. Packet capture software embedded within a development environment forms the core of an automated ICS network traffic recording system. This PoL infrastructure is used to test the project's hypothesis: the application of AI-based PoL analysis to the problem of early intrusion detection in ICS systems can significantly improve the security resilience of those systems.

    The test bench uniquely automates the acquisition, conversion and database storage of ICS TCP/IP traffic and fuses it with measurements of physical phenomena. Data analytics (SQL) and machine learning (ML) techniques, using Bernoulli and Gaussian naïve Bayes as well as k-nearest neighbours, are then applied to identify exceptional conditions in time-series ICS data. ML models trained on data enriched with simple network attack scenarios are applied to the test datasets, and anomalies are flagged by binary classification. The precision and recall of the ML tests indicate acceptable performance. Nevertheless, overfitting showed that further enrichment of data fidelity was required: the training data had to be generalised to avoid the misleading results that have sometimes been experienced. The project identifies future cost-conscious performance improvements.
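    As an added illustration (not the thesis's own code or test bench), the following Python sketches the pipeline this paragraph describes: constructed per-packet ICS traffic and a physical measurement are loaded into SQLite, fused by an SQL aggregate-and-join into per-second feature rows, and a Gaussian naïve Bayes classifier is trained on half the seconds and scored by precision and recall on the other half. The HMI/PLC names, the tank-level sensor, the packet rates and the 25 pkt/s "unseen" attack are all assumptions, and the final probe shows the generalisation problem the paragraph raises: a model trained only on the one scripted flood calls a slower flood normal.

```python
"""Added example (not the thesis's own code): a minimal version of the pipeline
the abstract describes. Captured ICS traffic and a physical measurement are
stored in a database, joined with SQL into per-second feature rows, and a
Gaussian naive Bayes classifier is trained to flag anomalous seconds.
All data below is constructed for illustration; the HMI/PLC names, the tank
'level' sensor and the 25 pkt/s 'unseen' attack profile are assumptions."""
import math
import sqlite3
from statistics import mean, pstdev

ATTACK_START = 40  # seconds 0..39 are normal, 40..49 carry a constructed flood scenario


def constructed_capture():
    """Per-packet traffic rows (ts, src, dst, length) and per-second sensor rows (ts, level).
    Normal seconds see 10-12 HMI->PLC packets and a tank level near 50; attack seconds
    see 60-64 packets and the level pushed to about 58 (constructed values)."""
    traffic, sensor, labels = [], [], {}
    for t in range(50):
        attack = t >= ATTACK_START
        n_pkts = (60 + t % 5) if attack else (10 + t % 3)
        traffic += [(t, "HMI", "PLC", 64)] * n_pkts
        sensor.append((t, (58.0 if attack else 50.0) + 0.5 * math.sin(t / 3.0)))
        labels[t] = int(attack)
    return traffic, sensor, labels


def feature_rows(traffic, sensor):
    """Load the capture into SQLite and let SQL do the fusion: aggregate packets per
    second and join the count with the physical reading taken in the same second.
    The LEFT JOIN from the sensor side keeps a silent second as a 0-packet row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE net_traffic (ts INTEGER, src TEXT, dst TEXT, length INTEGER);"
        "CREATE TABLE sensor (ts INTEGER PRIMARY KEY, level REAL);"
    )
    conn.executemany("INSERT INTO net_traffic VALUES (?, ?, ?, ?)", traffic)
    conn.executemany("INSERT INTO sensor VALUES (?, ?)", sensor)
    rows = conn.execute(
        "SELECT s.ts, COUNT(n.ts) AS packets, s.level "
        "FROM sensor s LEFT JOIN net_traffic n ON n.ts = s.ts "
        "GROUP BY s.ts ORDER BY s.ts"
    ).fetchall()
    conn.close()
    return [(ts, [float(pkts), level]) for ts, pkts, level in rows]


def fit_gaussian_nb(X, y):
    """Per-class prior, feature means and variances (a tiny floor avoids division by zero)."""
    model = {}
    for c in sorted(set(y)):
        members = [x for x, yc in zip(X, y) if yc == c]
        cols = list(zip(*members))
        model[c] = {
            "prior": len(members) / len(y),
            "mean": [mean(col) for col in cols],
            "var": [pstdev(col) ** 2 + 1e-6 for col in cols],
        }
    return model


def predict(model, x):
    """Return the class with the highest log posterior for feature vector x."""
    best_c, best_lp = None, -math.inf
    for c, p in model.items():
        lp = math.log(p["prior"])
        for xj, m, v in zip(x, p["mean"], p["var"]):
            lp += -0.5 * math.log(2 * math.pi * v) - (xj - m) ** 2 / (2 * v)
        if lp > best_lp:
            best_c, best_lp = c, lp
    return best_c


def precision_recall(y_true, y_pred):
    """Binary precision/recall with the attack class (1) as the positive class."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def run_experiment():
    """Train on even seconds, test on odd seconds (both halves contain the attack scenario),
    then probe the model with a slower attack profile it never saw in training."""
    traffic, sensor, labels = constructed_capture()
    rows = feature_rows(traffic, sensor)
    train = [(x, labels[ts]) for ts, x in rows if ts % 2 == 0]
    test = [(x, labels[ts]) for ts, x in rows if ts % 2 == 1]
    model = fit_gaussian_nb([x for x, _ in train], [c for _, c in train])
    y_true = [c for _, c in test]
    y_pred = [predict(model, x) for x, _ in test]
    precision, recall = precision_recall(y_true, y_pred)
    # Assumed unseen scenario: a 25 pkt/s flood with the level only half-way displaced.
    unseen = predict(model, [25.0, 54.0])
    return {"precision": precision, "recall": recall, "unseen_attack_flagged": unseen}


if __name__ == "__main__":
    print(run_experiment())
```

    The SQL step is what makes the physical reading queryable alongside the traffic that produced it, which is the fusion the test bench is built for. The closing probe is the generalisation point: a classifier that has only seen one scripted attack rate fits that rate rather than the attack, so the held-out precision and recall of 1.0 say nothing about a 25 pkt/s flood, which the same model labels normal. Attack scenarios need to be varied in rate, timing and target before such figures are trusted.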

    Perhaps counter-intuitively to some, and given that today's dynamic, sometimes volatile, definition of CNI may differ from tomorrow's, the project also reiterates how the use of analogue devices, cultural change and even the regression of technology can strengthen the security posture of CNI/ICS networks. This thinking may be uncomfortable for some of today's CNI operators, yet it may also assist others who are currently unaware of the CNI significance they will be awarded tomorrow.
    Date of Award: 2023
    Original language: English
    Supervisor: Mabrouka Abuhmida (Supervisor) & Christopher Tubb (Supervisor)
