Expertise: Deep learning, neural network design and implementation, convolutional neural networks (CNN), variational autoencoders (VAE), long short-term memory (LSTM) networks, ICS security, systems control, t-SNE.
Skills: MATLAB deep learning toolbox.
This research project is the subject of multiple journal papers:
A. S. Mohamed and D. Kundur, "On the Use of Reinforcement Learning for Attacking and Defending Load Frequency Control," in IEEE Transactions on Smart Grid [link]
A. S. Mohamed and D. Kundur, "The Role of Synthetic Cyber-Physical Attack Data in Enhancing Electric Grid Defense," submitted to IEEE Transactions on Smart Grid [link coming soon]
Problem: We require systems capable of accurately detecting malicious activity, alerting to cyberattacks, and dispatching security actions. However, existing threat detection systems, though highly accurate, often produce a substantial volume of false alarms in response to benign anomalies, diverting attention from real threats. Consequently, alarm logs can become inundated with false alarms, diluting the focus on genuine threats.
Challenge: Hence, there is a strong need for systems that not only accurately detect threats but also distinguish them from benign anomalies. Moreover, classifying threats according to severity is essential to empower security teams to plan appropriate actions against threats facing industrial control systems (ICS).
Method: In response to this challenge, I constructed a pipeline of deep learning methods to facilitate holistic threat detection, threat classification, and risk assessment. First, a variational autoencoder (VAE) monitors system data for anomalies. The VAE is an unsupervised deep learning technique trained to recognize patterns in typical system data, and is the state-of-the-art technique for identifying anomalies that deviate from the expected patterns. Next, a long short-term memory (LSTM) classifier is trained on anomalous data generated by my RL research project to classify anomalies as either benign or threats, with each threat further classified based on anticipated impact. LSTM networks are well-suited for the sequential time-series data of ICS systems.
This pipeline streamlines and reduces the computational complexity of threat response. Autoencoders, being smaller in size, offer faster and less resource-intensive monitoring of the continuous stream of system data. When anomalies are detected, the LSTM classifier precisely identifies the reasons behind the anomaly.
In parallel, a convolutional neural network (CNN)-based classifier assesses the risk of the attack based on the anticipated severity. This risk assessment aids security teams in planning appropriate responses to threats based on their expected severity.
Approach: I tailor-designed three neural network architectures for each of the VAE, LSTM, and CNN. The network hyperparameters were tuned to strike a balance between size, memory requirements, speed, and classification time. The networks were then trained and their performance assessed, with a comprehensive discussion of their effectiveness within the context of responding to threats to ICS.
Results: The solutions eliminated around 30% of the false alarms that are generated by VAE-based detectors, resulting in an overall threat detection accuracy of 98%. Detailed implementation and analysis of the results are included in the papers.