CMU-S3D-25-118
Software and Societal Systems Department
School of Computer Science, Carnegie Mellon University



Proposing Guidelines and Approaches to Make
Anomaly Detection More Effective for Industrial Control Systems

Clement Fung

September 2025

Ph.D. Thesis
Societal Computing


Keywords: Security, Machine Learning, Anomaly Detection, Industrial Control Systems

Industrial control systems (ICS) govern critical infrastructure and processes, such as power generation, chemical processing, and water treatment. Given their widespread impact and their critical nature, there is a strong incentive for adversaries to attack ICS. An adversary that gains access to an ICS network can manipulate its process values to cause physical damage and harm. Anomaly-detection methods based on machine learning (ML) can detect these manipulations from real-time data and are commonly proposed for defending ICS. To make anomaly detection more effective for ICS, this thesis investigates and proposes solutions to several challenges that arise when applying anomaly detection to an ICS. First, it is unclear which ML models and methods are best for detecting ICS anomalies; we comprehensively evaluate prior approaches and compare their performance, identifying which strategies were most effective. Second, it is unclear if and how the outputs of ML-based anomaly-detection approaches can be used to diagnose ICS anomalies; we evaluate a variety of approaches for attributing ICS anomalies to the underlying components that were manipulated. Third, many anomaly-detection approaches proposed in prior work are based on general-purpose ML models that learn spurious relationships; we propose a method that embeds ICS-specific domain knowledge into structurally sparse ML models to improve detection, attribution, and robustness. Finally, to better understand how ML-based anomaly-detection approaches could be used more effectively for ICS in practice, we conduct an interview-based study of the workflows and perspectives of practitioners who work with ICS, and we recommend ways for researchers to design ML-based approaches for better adoption in ICS.

Thesis Statement: To make anomaly detection more effective for industrial control systems (ICS), we design approaches for detecting and attributing ICS anomalies and propose guidelines for choosing and configuring anomaly-detection models. In particular, we demonstrate that adopting ICS-specific models and objectives improves detection and attribution, and we propose new approaches for use cases beyond real-time detection, such as post-hoc diagnosis. Our approaches and guidelines improve effectiveness across the ICS anomaly-detection workflow: (i) when detecting anomalies; (ii) when identifying the root cause of anomalies; and (iii) when deploying, using, and maintaining anomaly-detection systems.

147 pages

Thesis Committee:
Lujo Bauer (Chair)
Eunsuk Kang
Vyas Sekar
Michael K. Reiter (Duke University)

Nicolas Christin, Head, Software and Societal Systems Department
Martial Hebert, Dean, School of Computer Science

Creative Commons License: CC-BY-NC (Attribution-NonCommercial)