Abnormal Logical Representation Learning for Intrusion Detection in Industrial Control Systems

As security threats to industrial control systems become more prevalent, it is imperative to deploy effective intrusion-detection systems. However, the existing methods are insufficient for addressing contemporary attacks. Rule-based methods are heavily dependent on manual settings, and the covertness of attacks poses challenges to rule effectiveness. Machine and deep learning methods exhibit low interpretability owing to their complex designs, and the semantic gap between the model and the actual operational interpretation limits their applicability. To mitigate these shortcomings, we propose an abnormal logical representation learning (ALRL) intrusion detection method for industrial control systems. ALRL contains a specific lightweight neural network and employs knowledge distillation to achieve high classification ability. More importantly, it can generate effective and concise intrusion detection rules directly from the learned knowledge of the model. The hierarchical model structure and residual connections ensure high interpretability of the rules. Experiments conducted on two publicly available industrial control datasets demonstrate that ALRL can classify attacks with an excellent performance. In addition, the logical rules generated by ALRL can effectively detect all types of attacks and exhibit good interpretability.