A Passive Testing Approach using a Semi-Supervised Intrusion Detection Model for SCADA Network Traffic

Worldwide cyber-attacks constantly threaten the security of available infrastructure relying on cyber-physical systems. Infrastructure companies use passive testing approaches such as anomaly-based intrusion detection systems to observe such systems and prevent attacks. However, the effectiveness of intrusion detection systems depends on the underlying models used for detecting attacks and the observations that may suffer from scarce data availability. Hence, we need research on a) passive testing methods for obtaining appropriate detection models and b) for analysing the impact of the scarceness of data for improving intrusion detection systems. In this paper, we contribute to these challenges. We build on former work on supervised intrusion detection of power grid substation SCADA network traffic where a real-world data set (APG data set) is available. In contrast to previous work, we use a semi-supervised model with recurrent neural network architectures (i.e., LSTM Autoencoders and sequence models). This model only considers samples of ordinary data traffic without attacks to learn an adequate detection model. We outline the underlying foundations regarding the machine learning approach used. Furthermore, we present and discuss the obtained experimental results and compare them with prior results on supervised machine learning approaches.