
IMG: Deep Representation Graph Learning for Anomaly Detection in Industrial Control System

Journal of Signal Processing Systems

Abstract

Network flow anomaly detection plays a critical role in the Industrial Control System (ICS). As industrial informatization advances, ICS encounters numerous cybersecurity challenges. Recent approaches based on machine learning and deep learning have proven successful; however, the complex relationships among ICS nodes and insufficient feature extraction capabilities hinder anomaly detection performance, presenting significant challenges to the process. In this paper, we propose a novel framework IMG (Inter-Intra MultiGraph Anomaly Detection), an unsupervised detection framework for anomalous network flow detection on multigraph. Specifically, IMG first builds a multigraph within each snapshot from network flows. Then, by employing embedding and Fourier transformation to the numerical, discrete, and temporal features of the same edge, IMG simplifies multigraph into a simple directed graph for each snapshot. Next, IMG leverages attention mechanisms combined with Graph Neural Networks (GNN) to learn node relationships within snapshots (intra-snapshot), and uses Gated Recurrent Units (GRU) combined with GNN for temporal learning between snapshots (inter-snapshot). Finally, a stacked autoencoder is employed to perform dimension reduction for anomaly detection. Experiments conducted on industrial protocol traffic datasets and traditional traffic datasets demonstrate that IMG exhibits superior anomaly detection performance compared to baseline methods.
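The first two steps of the abstract (a multigraph per snapshot, then one directed edge per node pair) can be illustrated with the added sketch below, which is not the authors' implementation. The flow records are constructed, and the choice of features (mean bytes, per-protocol counts, DFT magnitudes of binned flow counts) and the names `simplify`, `collapse_edge`, and `PROTOCOLS` are assumptions; the paper's learned embeddings are replaced here by plain aggregates.

```python
import cmath
from collections import defaultdict

# Constructed sample flows: (timestamp_s, src, dst, protocol, bytes)
FLOWS = [
    (0.2, "hmi", "plc1", "modbus", 64), (2.7, "hmi", "plc1", "modbus", 64),
    (5.2, "hmi", "plc1", "modbus", 64), (7.7, "hmi", "plc1", "modbus", 64),
    (1.0, "eng", "plc1", "s7", 900), (1.2, "eng", "plc1", "s7", 900),
    (1.4, "eng", "plc1", "s7", 960),
    (12.0, "hmi", "plc1", "modbus", 64),
]
PROTOCOLS = ["modbus", "s7"]  # assumed vocabulary for the discrete feature

def build_snapshots(flows, window):
    """Multigraph per snapshot: index -> (src, dst) -> list of parallel flows."""
    snaps = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, proto, nbytes in flows:
        snaps[int(ts // window)][(src, dst)].append((ts, proto, nbytes))
    return snaps

def dft_magnitudes(series):
    """Magnitude of each discrete Fourier coefficient of a real series."""
    n = len(series)
    return [abs(sum(x * cmath.exp(-2j * cmath.pi * k * t / n)
                    for t, x in enumerate(series))) for k in range(n)]

def collapse_edge(parallel, start, window, bins=4):
    """Merge all parallel flows of one (src, dst) pair into one feature vector."""
    mean_bytes = sum(f[2] for f in parallel) / len(parallel)             # numerical
    proto_counts = [sum(f[1] == p for f in parallel) for p in PROTOCOLS]  # discrete
    counts = [0] * bins                                                   # temporal
    for ts, _, _ in parallel:
        counts[min(int((ts - start) / window * bins), bins - 1)] += 1
    spectrum = dft_magnitudes(counts)[: bins // 2 + 1]
    return [mean_bytes, *proto_counts, *spectrum]

def simplify(flows, window=10.0):
    """Return snapshot index -> simple directed graph {(src, dst): features}."""
    snaps = build_snapshots(flows, window)
    return {idx: {edge: collapse_edge(par, idx * window, window)
                  for edge, par in edges.items()}
            for idx, edges in snaps.items()}

if __name__ == "__main__":
    for idx, graph in sorted(simplify(FLOWS).items()):
        for edge, feats in graph.items():
            print(idx, edge, [round(v, 3) for v in feats])
```

In the constructed data the evenly spaced polling edge keeps only the zero-frequency component, while the burst on the engineering-station edge spreads energy across all frequency bins, which is the kind of temporal contrast a downstream detector can learn from.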


Data Availability

Data will be made available on reasonable.


Funding

No funding was received to assist with the preparation of this manuscript.

Author information

Contributions

Binbin Ge: Developed the conceptual model framework and designed the core algorithms for the study. Led the experimental validation process and played a major role in writing and organizing the manuscript. Jingru Bao: Focused on data collection and provided support in experimental validation, ensuring robust data was available for analysis. Bo Li: Defined the research direction and oversaw the manuscript development process, managing timelines and ensuring project milestones were met. Xudong Mou: Co-developed the algorithms and made significant contributions to manuscript revisions, enhancing the technical content and presentation. Jun Zhao: Took charge of data management and contributed to refining the manuscript through careful editing and revision. Xudong Liu: Managed the overall project’s manuscript, guiding the research focus and aligning it with strategic objectives.

Corresponding author

Correspondence to Bo Li.

Ethics declarations

Ethics Approval

Not applicable.

Informed Consent

Binbin Ge, PhD Student, School of Computer Science and Engineering, Beihang University Mar 20, 2024. Jingru Bao, Student, High School Affiliated to Renmin University of China Mar 20, 2024. Bo Li, Associate Professor, School of Computer Science and Engineering, Beihang University Mar 20, 2024. Xudong Mou, PhD Student, School of Computer Science and Engineering, Beihang University Mar 20, 2024. Jun Zhao, Assistant Professor, School of Information Science and Engineering, Shandong Normal University Mar 20, 2024. Xudong Liu, Professor, School of Computer Science and Engineering, Beihang University Mar 20, 2024.

Conflict of interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Ge, B., Bao, J., Li, B. et al. IMG: Deep Representation Graph Learning for Anomaly Detection in Industrial Control System. J Sign Process Syst 96, 555–567 (2024). https://doi.org/10.1007/s11265-024-01923-w

  • DOI: https://doi.org/10.1007/s11265-024-01923-w
