A Novel Intrusion Detection Algorithm for Industrial Control Systems Based on CNN and Process State Transition

As closed Industrial Control Systems (ICS) gradually evolve toward networking, ICS data and operational processes can be easily tampered with by attackers, causing industrial control equipment to fail or become damaged. Depending on the characteristics of ICS business logic stability, this paper proposes a novel two-level anomaly detection framework to ensure that system data and business logic are safe and reliable. Specifically, basic information is obtained from network traffic. In our framework, the first-level detection uses convolutional neural network (CNN) to feature extraction and anomaly identification. In the second-level detection, we propose a process state transfer algorithm. The feature extracted by the CNN model is invoked as the input of the algorithm to construct the normal state process transfer model of ICS. The model detects whether the current data meets the normal state transition process of the system, and may find unknown attacks or 0-day attacks. Finally, through laboratory gas pipeline network system verification, we found that the anomaly detection framework combined with the two methods has more outstanding performance than several current latest technologies.