
Detecting ICS Attacks Using Recurrent Neural Networks

Cyber attacks aimed at critical infrastructure and automated industrial production plants can be the most disastrous in terms of consequences. But, luckily for us, the digital footprint of any physical system is governed by the laws of physics, and a neural network can learn the normal behaviour of the cyber-physical system and detect anomalies faster than safety sensors normally do, saving time and costs.
Andrey Lavrentyev, Head of Technology Research Department, Kaspersky Lab, talked at the S4x18 Conference in San Francisco about a successful application of a recurrent neural network to the Tennessee Eastman Process.
To learn more, please visit our blog:


  1. Andrey Lavrentyev, Head of Technology Research Department, Future Technologies, Kaspersky Lab. Detecting ICS Attacks Using Recurrent Neural Networks (RNN)
  2. ICS: Plant, PLC, SCADA. Industrial data: multi-channel (~10⁴ signals); real-time flow (~100 ms); big history (~years); noise, jitter, gaps, faults; cross-channel correlation. PLC – Programmable Logic Controller; SCADA – Supervisory Control and Data Acquisition system
  3. Control loop of a cyber-physical system (diagram): set points, controller, actuators, disturbance, controlled variables, sensors
  4. ICS under attack: physical attacks and cyber attacks against Plant, PLC and SCADA. Attacks may target information technology (IT) or operational technology (OT)
  5. Attacks on OT are the most dangerous: quick damage to physical equipment; severe financial losses
  6. How to detect attacks on OT? A clue: in any real-world plant, all industrial signals (sensor and actuator values, control logic parameters) are correlated and governed by physical laws. An attack that modifies one signal causes corresponding changes to other signals. These correlations between signals can be established using ML
  7. MLAD – Machine Learning for Anomaly Detection (diagram): traffic mirroring from the Plant/PLC/SCADA network into an OT Security Monitor running DPI and MLAD, against physical and cyber attacks
  8. Data-driven anomaly detection: (1) training under normal operating conditions: a recurrent neural network on multivariate time series data; (2) online anomaly detection via prediction error. ✓ Anomaly interpretation based on matching errors to specific signals; ✓ early detection
  9. Understanding anomalies: value change, period change, phase change
  10. LSTM recurrent neural network: 2 layers (2 × 64); input window size = prediction horizon (w); regularization – dropout; optimization algorithm – RMSProp; loss function – MSE; layer activations shown in the diagram: ReLU and Linear
  11. Anomaly Detection (figure)
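The detection scheme of slides 6 to 10 (train a predictor on normal multivariate telemetry, then flag time steps whose prediction error is abnormally large and name the signal that contributed the error) in a small, self-contained form. This is an added example, not Kaspersky's MLAD code: the LSTM is replaced by a window-based linear predictor fitted by least squares (one step ahead rather than a horizon of w steps), and the three channels, their physical coupling, the noise levels and the injected "value change" on the pressure channel are all constructed here for illustration.

```python
import math
import random

CHANNELS = ["flow", "pressure", "temperature"]  # constructed channel names


def make_normal_series(n, seed):
    """Constructed 'normal operation' telemetry with three coupled channels:
    flow oscillates slowly, pressure follows flow, temperature follows pressure.
    This stands in for the physical-law correlation described on slide 6."""
    rng = random.Random(seed)
    rows = []
    for t in range(n):
        flow = 10.0 + 2.0 * math.sin(t / 8.0) + rng.gauss(0, 0.05)
        pressure = 2.0 * flow + 1.0 + rng.gauss(0, 0.05)
        temp = 0.5 * pressure + 20.0 + rng.gauss(0, 0.05)
        rows.append([flow, pressure, temp])
    return rows


def features(rows, t, w):
    """Bias term plus the last w rows flattened: the input window."""
    x = [1.0]
    for lag in range(1, w + 1):
        x.extend(rows[t - lag])
    return x


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for A X = B (B may have many columns)."""
    n = len(a)
    m = [a[i][:] + b[i][:] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n:] for row in m]


def predict(weights, x):
    return [sum(x[i] * weights[i][k] for i in range(len(x))) for k in range(len(weights[0]))]


def train(rows, w, ridge=1e-3):
    """Step 1 of slide 8: fit the predictor on normal data only. A linear map from
    the window to the next row is fitted by least squares (a tiny ridge term plays
    the regularisation role that dropout plays for the LSTM). Returns the weights
    and the per-channel residual scale used to normalise prediction errors."""
    xs = [features(rows, t, w) for t in range(w, len(rows))]
    ys = [rows[t] for t in range(w, len(rows))]
    p, c = len(xs[0]), len(ys[0])
    xtx = [[sum(x[i] * x[j] for x in xs) + (ridge if i == j else 0.0) for j in range(p)]
           for i in range(p)]
    xty = [[sum(x[i] * y[k] for x, y in zip(xs, ys)) for k in range(c)] for i in range(p)]
    weights = solve(xtx, xty)
    sigma = []
    for k in range(c):
        errs = [y[k] - predict(weights, x)[k] for x, y in zip(xs, ys)]
        sigma.append(math.sqrt(sum(e * e for e in errs) / len(errs)))
    return {"w": w, "weights": weights, "sigma": sigma}


def detect(model, rows, threshold=6.0):
    """Step 2 of slide 8: online detection via prediction error. A time step is
    flagged when some channel's error exceeds `threshold` residual sigmas; the
    channel with the largest normalised error is reported as the interpretation."""
    w = model["w"]
    alerts = []
    for t in range(w, len(rows)):
        pred = predict(model["weights"], features(rows, t, w))
        scores = [abs(rows[t][k] - pred[k]) / model["sigma"][k] for k in range(len(pred))]
        worst = max(range(len(scores)), key=lambda k: scores[k])
        if scores[worst] > threshold:
            alerts.append((t, CHANNELS[worst], round(scores[worst], 1)))
    return alerts


def demo():
    """Train on one normal run, then score a clean run and a tampered copy of it."""
    model = train(make_normal_series(400, seed=1), w=2)
    clean = make_normal_series(300, seed=2)
    # Constructed anomaly (a 'value change' in the sense of slide 9): from step 150
    # the reported pressure is offset by +3.0 while flow and temperature stay
    # consistent with the real process, so only one signal breaks the correlation.
    tampered = [row[:] for row in clean]
    for t in range(150, len(tampered)):
        tampered[t][1] += 3.0
    return detect(model, clean), detect(model, tampered)


if __name__ == "__main__":
    clean_alerts, tampered_alerts = demo()
    print("clean run alerts:", clean_alerts)
    print("first alert on tampered run:", tampered_alerts[0])
```

The clean run produces no alerts, while the tampered run is flagged at the very first offset step and the alert names the pressure channel, which is the "matching errors to specific signals" interpretation of slide 8. Because the detector only knows what normal operation looks like, it does not need any description of the attack itself (the point of the "no dependence on the nature of an attack" feature on slide 15).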
  12. Tennessee Eastman Process (TEP): Reactor, Separator, Condenser, Stripper; Purge; Product G/H; Inlet gases A, D, E and C
  13. TEP (figure)
  14. TEP (figure)
  15. MLAD key features: ✓ early anomaly detection in OT telemetry; ✓ anomaly interpretation; ✓ no dependence on the nature of an attack; ✓ seamless integration with conventional ICS cybersecurity; ✓ additional important layer of ICS cybersecurity focused on OT protection
  16. References: [1] MLAD Presentation. [2] RNN-based Early Cyber-Attack Detection for the Tennessee Eastman Process. ICML 2017 Time Series Workshop, Sydney, Australia, 2017. [3] Multivariate Industrial Time Series with Cyber-Attack Simulation: Fault Detection Using an LSTM-based Predictive Data Model. NIPS 2016 Time Series Workshop, Barcelona, Spain, 2016. [4] ICS Anomaly Detection Panel
  17. Thank you!