Dehlaghi Ghadim, Alireza
ORCID iD: orcid.org/0000-0001-5332-1033
Publications (6 of 6)
Dehlaghi Ghadim, A., Helali Moghadam, M., Balador, A. & Hansson, H. (2023). Anomaly Detection Dataset for Industrial Control Systems. IEEE Access, 11, 107982-107996
2023 (English). In: IEEE Access, E-ISSN 2169-3536, Vol. 11, p. 107982-107996. Article in journal (Refereed), Published
Abstract [en]

Over the past few decades, Industrial Control Systems (ICS) have been targeted by cyberattacks and are becoming increasingly vulnerable as more ICSs are connected to the internet. Using Machine Learning (ML) for Intrusion Detection Systems (IDS) is a promising approach for ICS cyber protection, but the lack of suitable datasets for evaluating ML algorithms is a challenge. Although a few commonly used datasets may not reflect realistic ICS network data, lack necessary features for effective anomaly detection, or be outdated. This paper introduces the 'ICS-Flow' dataset, which offers network data and process state variables logs for supervised and unsupervised ML-based IDS assessment. The network data includes normal and anomalous network packets and flows captured from simulated ICS components and emulated networks, where the anomalies were applied to the system through various cyberattacks. We also proposed an open-source tool, "ICSFlowGenerator," for generating network flow parameters from raw network packets. The final dataset comprises over 25,000,000 raw network packets, network flow records, and process variable logs. The paper describes the methodology used to collect and label the dataset and provides a detailed data analysis. Finally, we implement several ML models, including the decision tree, random forest, and artificial neural network to detect anomalies and attacks, demonstrating that our dataset can be used effectively for training intrusion detection ML models.

Place, publisher, year, edition, pages
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC, 2023
Keywords
Anomaly detection dataset, industrial control system, intrusion detection, cyberattack, network flow, artificial intelligence
National Category
Computer Sciences
Identifiers
urn:nbn:se:mdh:diva-65227 (URN), 10.1109/ACCESS.2023.3320928 (DOI), 001121774800001 ()
Available from: 2024-01-03. Created: 2024-01-03. Last updated: 2024-01-03. Bibliographically approved
Dehlaghi Ghadim, A., Markovic, T., Leon, M., Söderman, D. & Strandberg, P. E. (2023). Federated Learning for Network Anomaly Detection in a Distributed Industrial Environment. In: Proceedings - 22nd IEEE International Conference on Machine Learning and Applications, ICMLA 2023. Paper presented at 22nd IEEE International Conference on Machine Learning and Applications, ICMLA 2023, Jacksonville, 15 December 2023 through 17 December 2023 (pp. 218-225). Institute of Electrical and Electronics Engineers Inc.
2023 (English). In: Proceedings - 22nd IEEE International Conference on Machine Learning and Applications, ICMLA 2023, Institute of Electrical and Electronics Engineers Inc., 2023, p. 218-225. Conference paper, Published paper (Refereed)
Abstract [en]

Industrial control systems have been targeted by numerous cyber attacks over the past few decades which cause different problems related to data privacy, financial losses and operational failures. One potential approach to detect these attacks is by analyzing network data using machine learning and employing network anomaly detection techniques. However, the nature of these systems often involves their geographical dispersion across multiple zones, which poses a challenge in applying local machine learning methods for detecting anomalies. Additionally, there are instances where sharing complete operational data between different zones is restricted due to security concerns. As a result, a promising solution emerges by implementing a federated model for anomaly detection in these systems. In this study, we investigate the application of machine learning techniques for anomaly detection in network data, considering centralized, local, and federated approaches. We implemented the local and centralized methods using several simple machine-learning techniques and observed that Random Forest and Artificial Neural Networks exhibited superior performance compared to other methods. As a result, we extended our analysis to develop a federated version of Random Forest and Artificial Neural Network. Our findings reveal that the federated model surpasses the performance of the local models, and achieves comparable or even superior results compared to the centralized model, while it ensures data privacy and maintains the confidentiality of sensitive information.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers Inc., 2023
Keywords
Artificial Neural Network, Federated Learning, Machine Learning, Network Anomaly Detection, Random Forest
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:mdh:diva-66501 (URN), 10.1109/ICMLA58977.2023.00038 (DOI), 2-s2.0-85190154174 (Scopus ID), 9798350345346 (ISBN)
Conference
22nd IEEE International Conference on Machine Learning and Applications, ICMLA 2023, Jacksonville, 15 December 2023 through 17 December 2023
Note

Conference paper; Export Date: 24 April 2024; Cited By: 0; Conference name: 22nd IEEE International Conference on Machine Learning and Applications, ICMLA 2023; Conference date: 15 December 2023 through 17 December 2023; Conference code: 198226

Available from: 2024-04-24. Created: 2024-04-24. Last updated: 2024-04-24. Bibliographically approved
Dehlaghi-Ghadim, A., Balador, A., Helali Moghadam, M., Hansson, H. & Conti, M. (2023). ICSSIM — A framework for building industrial control systems security testbeds. Computers in industry (Print), 148, Article ID 103906.
2023 (English). In: Computers in industry (Print), ISSN 0166-3615, E-ISSN 1872-6194, Vol. 148, article id 103906. Article in journal (Refereed), Published
Abstract [en]

With the advent of the smart industry, Industrial Control Systems (ICS) moved from isolated environments to connected platforms to meet Industry 4.0 targets. The inherent connectivity in these services exposes such systems to increased cybersecurity risks. To protect ICSs against cyberattacks, intrusion detection systems (IDS) empowered by machine learning are used to detect abnormal behavior of the systems. Operational ICSs are not safe environments to research IDSs due to the possibility of catastrophic risks. Therefore, realistic ICS testbeds enable researchers to analyze and validate their IDSs in a controlled environment. Although various ICS testbeds have been developed, researchers' access to a low-cost, extendable, and customizable testbed that can accurately simulate ICSs and suits security research is still an important issue.

In this paper, we present ICSSIM, a framework for building customized virtual ICS security testbeds in which various cyber threats and network attacks can be effectively and efficiently investigated. This framework contains base classes to simulate control system components and communications. Simulated components are deployable on actual hardware such as Raspberry Pis, containerized environments like Docker, and simulation environments such as GNS-3. ICSSIM also offers physical process modeling using software and hardware in the loop simulation. This framework reduces the time for developing ICS components and aims to produce extendable, versatile, reproducible, low-cost, and comprehensive ICS testbeds with realistic details and high fidelity. We demonstrate ICSSIM by creating a testbed and validating its functionality by showing how different cyberattacks can be applied.

Keywords
Cybersecurity, Industrial Control System, Testbed, Network Emulation, Cyberattack
National Category
Engineering and Technology Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-62321 (URN), 10.1016/j.compind.2023.103906 (DOI), 000966310200001 (), 2-s2.0-85151016386 (Scopus ID)
Available from: 2023-04-24. Created: 2023-04-24. Last updated: 2023-11-06. Bibliographically approved
Dehlaghi-Ghadim, A. (2023). Identification of Cyberattacks in Industrial Control Systems. (Licentiate dissertation). Västerås: Mälardalen University
2023 (English). Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

As critical infrastructure increasingly relies on Industrial Control Systems (ICS), these systems have become a prime target for cyberattacks. As a result of the move towards Industry 4.0 targets, ICSs are increasingly being connected to the outside world, which makes them even more vulnerable to attacks. To enhance the ICS's security, Intrusion Detection Systems (IDS) are used in detecting and mitigating attacks. However, using real ICS installations for testing IDS can be challenging, as any interference with the ICS could have serious consequences, such as production downtime or compromised safety. Alternatively, ICS testbeds and cybersecurity datasets can be used to analyze, validate, and evaluate the IDS capabilities in a controlled environment. In addition, the complexity of ICSs, combined with the unpredictable and intricate nature of attacks, presents a challenge in achieving high detection precision using traditional rule-based models. To tackle this challenge, Machine Learning (ML) has become increasingly attractive for identifying a broader range of attacks.

This thesis aims to enhance ICS cybersecurity by addressing the mentioned challenges. We introduce a framework for simulation of virtual ICS security testbeds that can be customized to create extensible, versatile, reproducible, and low-cost ICS testbeds. Using this framework, we create a factory simulation and its ICS to generate an ICS security dataset. We present this dataset as a validation benchmark for intrusion detection methods in ICSs. Finally, we investigate the efficiency and effectiveness of the intrusion detection capabilities of a range of Machine Learning techniques. Our findings show (1) that relying solely on intrusion evidence at a specific moment for intrusion detection can lead to misclassification, as various cyber-attacks may have similar effects at a specific moment, and (2) that AI models that consider the temporal relationship between events are effective in improving the ability to detect attack types.

Place, publisher, year, edition, pages
Västerås: Mälardalen University, 2023
Series
Mälardalen University Press Licentiate Theses, ISSN 1651-9256 ; 341
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-62403 (URN), 978-91-7485-598-2 (ISBN)
Presentation
2023-06-16, Beta, Mälardalens universitet, Västerås, 13:15 (English)
Available from: 2023-05-09. Created: 2023-05-05. Last updated: 2023-11-06. Bibliographically approved
Strandberg, P. E., Söderman, D., Dehlaghi-Ghadim, A., Leon, M., Markovic, T., Punnekkat, S., . . . Buffoni, D. (2023). The Westermo network traffic data set. Data in Brief, 50, Article ID 109512.
2023 (English). In: Data in Brief, E-ISSN 2352-3409, Vol. 50, article id 109512. Article in journal (Refereed), Published
Abstract [en]

There is a growing body of knowledge on network intrusion detection, and several open data sets with network traffic and cyber-security threats have been released in the past decades. However, many data sets have aged, were not collected in a contemporary industrial communication system, or do not easily support research focusing on distributed anomaly detection. This paper presents the Westermo network traffic data set, 1.8 million network packets recorded in over 90 minutes in a network built up of twelve hardware devices. In addition to the raw data in PCAP format, the data set also contains pre-processed data in the form of network flows in CSV files. This data set can support the research community for topics such as intrusion detection, anomaly detection, misconfiguration detection, distributed or federated artificial intelligence, and attack classification. In particular, we aim to use the data set to continue work on resource-constrained distributed artificial intelligence in edge devices. The data set contains six types of events: harmless SSH, bad SSH, misconfigured IP address, duplicated IP address, port scan, and man in the middle attack. 

Place, publisher, year, edition, pages
Elsevier Inc., 2023
Keywords
Cyber-physical systems, Distributed artificial intelligence, Industrial communication system, Network intrusion detection
National Category
Computer Sciences
Identifiers
urn:nbn:se:mdh:diva-64333 (URN), 10.1016/j.dib.2023.109512 (DOI), 001072102800001 (), 2-s2.0-85170076058 (Scopus ID)
Available from: 2023-09-20. Created: 2023-09-20. Last updated: 2023-11-06. Bibliographically approved
Markovic, T., Dehlaghi-Ghadim, A., Leon, M., Balador, A. & Punnekkat, S. (2023). Time-series Anomaly Detection and Classification with Long Short-Term Memory Network on Industrial Manufacturing Systems.
2023 (English). Report (Other (popular science, discussion, etc.))
National Category
Engineering and Technology
Identifiers
urn:nbn:se:mdh:diva-62395 (URN)
Available from: 2023-05-05. Created: 2023-05-05. Last updated: 2023-11-06. Bibliographically approved