1.   Introduction

Industrial control systems (ICS) are the general designation of several different control systems and associated instrumentations to automate industrial processes. A typical industrial control system architecture (as shown in Fig.1) normally includes supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations such as programmable logic controllers (PLCs)^[1]. SCADA is a control system that processes dispersed plants by the communications network and high-level process supervisory management. A DCS is a computerized control system to process a plant with many distributed control systems. A PLC is an industrial digital computer to control dispersed assets by ruggedized and adapted manufacturing processes, such as robotic devices and assembly lines.

Figure  1.  Typical ICS architecture.

下载: 全尺寸图片 幻灯片

To monitor and control the machining process remotely, engineering stations are granted permission to manage servers in ICS. This leads to potential security risks that the whole system are in danger if these engineering stations are hacked^[2]. However, current ICS communication protocol focuses on real-time and stable control but ignores the potential security risks^[3], which leads to the ICS being hacked if the hacker finds a way to invade the corporate network.

Nowadays, ICS are widely used in automated production, energy, transportation, and water conservancy project and wastewater treatment. More and more frequently cyber security incidents in ICS lead to increasing attention to network security^[4]. In 2007, a SCADA system in Canada was intruded by hackers, and the water control system was paralyzed^[5]. In 2008, the train system in Poland was hacked, which led to four vehicles being derailed^[6]. In 2010, Iran's nuclear plant was invaded by the Stuxnet virus, and the centrifuge was broken due to the abnormal action in the uranium enrichment process^[7]. In 2011, the control system of China's oil refinery plant was infected by the Conficker virus, causing the communication between the control system server and the controller to be interrupted^[8]. In 2012, the Flame virus attacked energy ICS in multiple Middle Eastern countries, collecting sensitive data on the energy industry^[9]. In 2015, a power failure happened in 700000Ukrainian families, because the electrical power industrial system was hacked^[10]. The WannaCry virus that broke out in 2017 threatened a large number of corporate office networks and industrial facilities^[11]. These cases prove that the potential cybersecurity hazard in ICS has become a huge threat to social stability and national security.

Anomaly detection is a way to identify rare suspicious events or observations that deviate from normal behaviors. It is widely used in many fields and has recently been used in the field of ICS. The application of anomaly detection technology can find suspicious events, help managers or engineers find potential threats, and ensure safe and steady operation in ICS. There are a lot of studies about anomaly detection in ICS. These years, the development of machine learning (ML) leads to a new boost in research. Das et al.^[12] used a Boolean function based supervised classification method to detect anomalies in ICS. Liu et al.^[13] used the method of growing random trees for unsupervised anomaly detection in ICS. Hao et al.^[14] proposed a recurrent neural network based anomaly detection method. Perales et al.^[15] used feature engineering and LSTM (long short-term memory) in ICS anomaly detection. Mantere et al.^[16] studied network traffic features for anomaly detection in ICS. Feng et al.^[17] proposed a multi-level anomaly detection method in ICS by using an LSTM network. Kiass et al.^[18] proposed a data clustering based anomaly detection method for ICS. Inoue et al.^[19] used SVM (support vector machine) and DNN (deep neural network) to research unsupervised anomaly detection methods for ICS. Kim et al.^[20] used sequence-to-sequence neural networks for anomaly detection in ICS.

However, most of the researches failed to consider the inner link between different components. The previous researches based on ML only used the input data collected by sensors as features and ignored the importance of relationships between different devices or nodes. In ICS, the device nodes are connected by the communication links, and the managers use the terminals to remotely control the devices or collect information. These individual devices (including sensors, controllers, servers, and terminals) connected by the network constitute the industrial control system. According to the industrial control production, processing, manufacturing process, and connection between devices, there is a topology relationship between different devices. Nowadays, the majority of researches about industrial control abnormal detection focus on the abnormal action in a single node and do not use the topology relationship in ICS. In order to measure the security of ICS more comprehensively and detect the abnormal more accurately, the topological information in ICS cannot be ignored. Lots of researches in the field of industrial control showed that the key node in an industrial control network can play an important role in the field of ICS security. Wang et al.^[21] showed that the critical nodes are easier to be influenced under attack. Ur-Rehman et al.^[22] pointed out that the critical nodes are more vulnerable than the normal nodes. Based on this research, we believe that the different importance of nodes may help us detect anomalies. In this paper, we use a GCN (graph convolution network) to extract the information of connection between different devices, and use the centrality to measure the importance of nodes to improve the ability of anomaly detection.

The main contributions of this paper are as follows. To utilize the topological connection relationship of nodes in ICS, this paper uses a GCN to extract the topological information for detecting anomalies in a more holistic perspective. The centrality is used to grant the weight of nodes to distinguish the importance and influence of different nodes in ICS. We evaluate our method with different centralities and compare it with state-of-the-art methods. Experimental results on two datasets show that the performance of the proposed method is much better than that of the state-of-the-art methods.

The remainder of this paper is organized as follows. In Section 2, we review the related work about anomaly detection and the application of deep learning in ICS. Section 3 presents the method we use in this paper. In Section 4, we introduce the comparative experiments and discuss the results of experiments on the proposed method and other state-of-the-art methods. Section 5 concludes this paper.

2.   Related Work

Recently, researchers use many ML-based methods in anomaly detection in ICS. In addition to the methods mentioned above, there are many new methods based on ML that have achieved great results. Lin et al.^[23] proposed a method named TABOR, which is a graphical model based method to detect anomalies in ICS. Li et al.^[24] proposed a generative adversarial network to do anomaly detection in ICS. Zhang et al.^[25] proposed a fuzzy probability Bayesian network approach for ICS security. Yoon and Ciocarlie^[26] proposed a method to analyze the content of ICS traffic. Kravchik and Shabtai^[27] used autoencoder to research anomaly detection in ICS. Elnour et al.^[28] proposed a dual-isolation-forests-based model to detect attacks in ICS. In previous studies, researchers use the convolution neural network (CNN) to utilize the information of adjacent nodes and obtain some progress. CNN is one of the most successful models that use the discrete convolution to aggregate the neighbor information of the pixels and achieve good performance in image processing^[29-31] and audio analysis^[32-33]. There are tons of relative studies about the application of CNN in the field of anomaly detection in ICS. Kravchik and Shabtai^[34] used a one-dimensional CNN to detect cyber-attacks. Liu et al.^[35] proposed a novel algorithm using CNN and process state transition to detect intrusion in ICS. Hu et al.^[36] also used CNN in network data analysis and anomaly detection. Abdelaty et al.^[37] proposed a method named DAICS, which is a deep learning solution for anomaly detection in ICS, using the deep convolution branch. Kusakina et al.^[38] used VGG16 (one famous CNN model) to detect anomalies. However, they only use the CNN as a method to extract features and ignore the inner non-Euclidean relationship of adjacent nodes in ICS. According to the research on vulnerability mentioned earlier, when a key node is under attack, it may lead greater threats to the network^[22]. However, current methods only consider the input data and ignore the influence of network structure. In this case, the key node is hard to be detected. Therefore, a new method which considers the importance of key nodes is very necessary.

Some studies have proved that the usage of centrality has huge potential in the study of ICS security. Salama et al. used centrality to calculate the importance of nodes and evaluated the robustness of power grid resilience enhancement under cyberattack^[39]. Milanović and Zhu used a complex network theory modeling interconnected critical infrastructure systems and used the centrality to analysis the vulnerability of network^[40]. These researches show that the information of adjacent nodes in ICS can help us detect the potential attacks. Although CNN shows a strong ability to deal with Euclidean structure data, it still has a theoretical drawback on non-Euclidean structure data, because non-Euclidean structure data does not meet the translational equivariance^[41]. As shown in Fig.2(a), in the Euclidean graph, each pixel has eight neighboring pixels, therefore a CNN can use a square convolution kernel to extract spatial information. However, as shown in Fig.2(b), the topographic graph belongs to the non-Euclidean structure and the number of neighboring nodes is unfixed, therefore the traditional operation of convolution and pooling in CNN cannot be used to process directly^[42]. The inner connection in ICS is a typical non-Euclidean topographical graph. In real world, the topographic graph also widely exists in computer networks, biology, and chemistry.

Figure  2.  Example of (a) Euclidean structure data and (b) non-Euclidean structure data.

下载: 全尺寸图片 幻灯片

Due to the increasing demand for non-Euclidean structure data processing, in 2005, Gori et al.^[43] put forward the conception of graph neural network (GNN) and Scarelli et al.^[44] offered a detailed definition of GNN. However, GNN focuses on the recurrent graph neural network which has high computational complexity. In 2013, based on the theory of the spectral domain, Bruna et al.^[41] defined graph convolution based on the Fourier transform. In 2017, Kipf and Welling^[45] officially put forward GCN and used GCN to do a semi-supervised classification. The core purpose of GCN is to extract spatial information in non-Euclidean structure data. In order to achieve this purpose, there are two main methods: vertex domain and spectral domain. GCN uses the theory of the spectral domain. By defining a graph Fourier transform as well as graph convolution, Bruna et al.^[41] proved the theory of GCN. In 2017, Kipf and Welling^[45] formally put forward and created GCN structure. Compared with the traditional CNN, GCN has the ability to extract the spatial feature of the topology relationship. After the theory of GCN came out, a series of studies (such as localized spectral filtering^[46], graph long short-term memory^[47], graph attention network^[48], temporal graph convolutional network^[49], and spatial-temporal graph convolutional networks^[50]) have been carried out and facilitate a wide range of GCN applications. GCN can use the topological relationship in ICS to aggregate the information between neighboring nodes and achieve better performance in ICS' abnormal detection. The invention of GCN enhances the development of anomaly detection in ICS greatly. However, the traditional GCN does not consider the importance of different nodes. In ICS, several key nodes have a greater influence on connectivity or stability^[51]. To distinguish the importance of different nodes, centrality is a very popular measure. We believe the application of centrality can improve the performance of GCN in ICS.

3.   Methodology

Based on the research of GCN and centrality, we propose a centrality-aware graph convolution network (CAGCN), which is aware of centrality of nodes by using centrality to weight the key nodes, and use convolution to aggregate information. In this way, our method can utilize both topological connection information and node centrality information in ICS.

3.1   Graph Convolution Network

Compared with the traditional CNN, GCN can better explain the potential influence of the network structure. In the theory of GCN, the nodes in GCN will be influenced by the contiguous nodes. The closer a node is to other nodes, the greater its influence. If a node is under attack, it will influence the contiguous nodes until the whole system reaches a balance. In other words, the essence of GCN is the message passing of features in the graph network, and the effect of Laplace transformation is to aggregate the influence of features in the graph space.

3.1.1   Laplacian Operator

Laplacian is a matrix representation of a graph. Actually, the Laplacian operator can be used to evaluate the total gain under minor disturbance. The Laplacian operator is usually denoted by the symbol $\nabla$. We assume we have a graph $G=\left( V,\ E \right)$, $V$ is the node set of graph $G$ and $E$ is the edge set of $G$. In the discrete space, we have

where ${{f}_{i}}$ is the value of node $i$ and ${{N}_{i}}$ is the set of adjacent nodes of node $i$. Assuming the value of ${{E}_{ij}}$ is ${{w}_{ij}}$, we have

Because node $i$ and node $j$ are not connected, i.e., ${{w}_{ij}}=0$, we can rewrite (1) as

Let ${{d}_{i}}$ be the degree of node $i$, ${{d}_{i}}=\sum\nolimits_{j\in N}{{w}_{ij}}$, then we have

Then we get a discrete Laplace matrix ${\boldsymbol{L}}={\boldsymbol{D}}-{\boldsymbol{A}}$. Here ${\boldsymbol{D}}$ is the degree matrix and ${\boldsymbol{A}}$ is the adjacency matrix. We can call it combinatorial Laplacian.

Because ${\boldsymbol{L}}$ is a positive semi-definite matrix, we can get a normalized graph Laplacian:

where ${\boldsymbol{U}}$ is the eigenvalue of ${\boldsymbol{L}}$. we can call it symmetric normalized Laplacian. Because the Laplace matrix is symmetric, it can achieve spectral decomposition which is the core of the spectral domain of GCN.

3.1.2   Graph Fourier Transform

Mathematically, the graph Fourier transform is a mathematical transform which eigendecomposes the Laplacian matrix of a graph into eigenvalues and eigenvectors^[52]. Analogously to classical Fourier transform, the eigenvalue of Laplacian matrix after graph Fourier transform represents frequencies and an eigenvectors form what is known as a graph Fourier basis.

The definition of traditional Fourier transform is:

Here $f$ is the signal function. Note that the Laplacian operator is $\nabla$, we have

Here ${{\rm e}^{\rm -i\omega t}}$ is the eigenfunction of $\nabla$.

We assume ${\boldsymbol{L}}$ is a Laplace matrix, $V$ is the set of nodes ($N$ being the number of the nodes), and $E$ is the set of edges. A graph signal $f:V\to R$ is a function defined on the vertices of the graph $G$. The signal $f$ maps every vertex ${{\left\{ {{v}_{i}} \right\}}_{i=1,\ ...,\ N}}$ to a real number $f\left( i \right)$. Any graph signal can be projected on the eigenvectors of the Laplacian matrix, respectively. Let ${{\lambda }_{l}}$ and ${{u}_{l}}$ be the ${{l}}$-th eigenvalue and eigenvector of the Laplacian matrix, respectively, the graph Fourier transform of ${\hat{f}}\,$ is the graph signal $f$ on the vertices of $G$, and $G$ is the expansion of the term of the eigenfunction of ${\boldsymbol{L}}$. It is defined as:

where ${{\boldsymbol{u}}}_{l}^{*}={\boldsymbol{u}}_{l}^{\rm T} .$

Since ${\boldsymbol{L}}$ is a real symmetric matrix, its eigenvectors form is an orthogonal basis. Hence an inverse graph Fourier transform (IGFT) exists, and it is written as:

Analogously to the classical Fourier transform, the graph Fourier transform provides a way to represent a signal in two different domains: the vertex domain and the graph spectral domain. The eigenvectors of the normalized Laplacian matrix are also a possible base to define the forward and inverse graph Fourier transform.

Just as we mention in the traditional Fourier transform, ${{\rm e}^{\rm -i\omega t}}$ is the eigenfunction of Laplace operator, ${\boldsymbol{U}}$ is the eigenvalue matrix of ${\boldsymbol{L}}$, we can rewrite the GFT and IGFT as:

Now we can define the graph convolution as:

We can rewrite ${\boldsymbol{h}}$ as:

Using ${{\text {diag}}\left( \theta \right)}$ replace ${{\text {diag}}( {\hat{h}}( {\lambda }_{l} ))}$, we can get

Here, ${{g}_{\theta }}\left( {\boldsymbol{\Lambda}} \right)$ is the convolution kernel,

$\sigma$ is the active function and $\Theta =\left( {{\theta }_{1}},{{\theta }_{2}},...,{{\theta }_{n}} \right)$ is the learnable variable.

However, we need compute the product of ${\boldsymbol{U}}$, ${{\text {diag}}\left( \theta \right)}$, and ${{{\boldsymbol{U}}}^{\rm T}}$ with $n$ factors; therefore it leads to the computational complexity of ${O}\left( {{n}^{2}} \right)$.

In order to deal with this problem, Hammond et al.^[53] proved that ${{g}_{\theta }}\left({\boldsymbol {\Lambda}} \right)$ can be approached by $K$-order Chebyshev polynomials ${{T}_{K}}\left( x \right)$, in other words,

where ${{\lambda }_{\rm max}}$ is the max eigenvalue of the Laplace matrix ${\boldsymbol{L}}$.

Using Chebyshev polynomials:

We have

If we let ${{\lambda }_{\rm{max}}}= 2$, then

Because the range of ${\boldsymbol{I}}+{{{\boldsymbol{D}}}^{-1/2}}{\boldsymbol{A}}{{{\boldsymbol{D}}}^{1/2}}$ is between the 0 and 2, we can renormalization it as ${\tilde{\boldsymbol{D}}^{-1/2}}\tilde{\boldsymbol{A}}{\tilde{\boldsymbol{D}}^{1/2}}$, where

Assuming ${{{\boldsymbol{G}}}^{i}}$ is the $i$-th layer of a GCN network structure, and ${{{\boldsymbol{W}}}^{i}}$ is the weight matrix of the $i$-th layer network, then we can get the final GCN form:

3.2   Interpretability of GCN

Based on the importance of nodes, the process of GCN aggregating information can be explained by the message passing theory.

In an industrial control network, a more important node, compared with a less important node, contains more information. In the theory of message passing, the adjacency matrix ${\boldsymbol{A}}$ is used to describe the connection relationship between different nodes, and the essence of the adjacency matrix is to pass messages between adjacent nodes. We assume the influence of a node to itself as 1, and we can get $\tilde{{\boldsymbol{A}}}={\boldsymbol{A}}+{\boldsymbol{I}} .$

For the graph in Fig.3, the adjacency matrix ${\boldsymbol{A}}$ is

Figure  3.  Simple graph for interpretability of GCN.

下载: 全尺寸图片 幻灯片

In (2), ${{A}_{ij}}=1$ means that node $i$ is connected to node $j$. Therefore, it can be used to explain the connection relationship of nodes in the graph.

After adding self-connection, $\tilde{{\boldsymbol{A}}}$ of the graph in Fig.3 is

In (3), the connection of a node to itself is also taken into account.

On the other hand, degree matrix ${\tilde{{\boldsymbol{D}}}}$ is used to describe the influence of a node to its adjacent nodes:

For the graph in Fig.3, ${\tilde{{\boldsymbol{D}}}}$ is

In (4), the larger ${\tilde{ D}_{ij}}$ is, the greater the influence of the messages it passes to other nodes is.

Considering the final GCN form (${{{\tilde{{\boldsymbol{D}}}}}^{-1/2}}{\tilde{{\boldsymbol{A}}}}{{{\tilde{{\boldsymbol{D}}}}}^{1/2}}$) we mentioned before, if we use the message passing theory to explain the adjacency matrix and the degree matrix, the operation of spatial domain in GCN is the process of message passing.

3.3   Network Centrality

Centrality is an essential index in network analysis, which is used to estimate the importance of a node in a network. Centrality is widely used in different network analysis^[54], including social network^[55-58], Citation Network^[59-62], biological network^[63-65], transfer network^[66-68], etc. As mentioned before, the centrality shows a huge potential in the study of ICS^[39-40].

Different centralities can reflect the importance of nodes in the network from different angles, and the most common centralities are degree centrality^[69], closeness centrality^[70], and betweenness centrality^[71].

In degree centrality^[69], the node with more neighboring nodes has more importance and influence. For a node, its degree centrality is:

Here ${{k}_{i}}=\sum\nolimits_{i=1}^{n}{{a}_{ij}}$, ${{k}_{i}}$ is the amount of neighboring nodes of ${{v}_{i}}$ which can be called degree, ${{a}_{ij}}$ is the element in the $i$-th row and the $j$-th column of the adjacency matrix ${\boldsymbol{A}}$, and $n$ is the number of nodes.

The metric of degree centrality has a low computational complexity.

However, degree centrality only focuses on the local information but ignores the global information; therefore in many cases, it cannot measure the real importance of the node.

Closeness centrality^[70] uses the average distance to measure the centrality of a node in the network. The node with the shortest average distance with other nodes has the largest closeness centrality. The definition of distance for node ${{v}_{i}}$ is:

Because the closeness centrality uses the average distance to justify the importance of nodes, we can define closeness centrality as the reciprocal of ${{d}_{i}}$:

Closeness centrality is widely used, but its time complexity is very high because it needs to traverse all the nodes to count the shortest distance of every node.

Betweenness centrality^[71] counts the shortest path of all the nodes and quantifies the number of times a node acts as a bridge along the shortest path between two other nodes. The definition of betweenness centrality is:

where ${{g}_{st}}$ is the total number of all the shortest paths from node ${{v}_{s}}$ to node ${{v}_{t}}$, $g_{st}^{i}$ is the number of times of node ${{v}_{i}}$ as a bridge along the shortest path between ${{v}_{s}}$ and ${{v}_{t}}$, and $n$ is the total number of nodes.

Betweenness centrality is very important in the computer networking field because a computer will always select the shortest path in the Internet communication. Similar to closeness centrality, the time complexity of betweenness centrality is quite high; therefore there are many studies about the optimization of fast calculation of betweenness centrality^[72].

Besides these common centralities, there are other centralities that attract the attention of researchers, such as eccentricity^[73], semi-local centrality^[74], eigenvector centrality^[75], and information indices^[76]. These centralities can measure the importance of nodes at different angles.

3.4   Proposed Centrality-Aware Graph Convolution Network

We propose a centrality-aware graph convolution network (CAGCN) based on the previous researches on GCN and centrality.

In the traditional GCN:

where ${\boldsymbol{A}}$ is the adjacency matrix and ${\boldsymbol{D}}$ is the degree matrix. Normally, ${\boldsymbol{A}}$ is used to describe the value of edge, and ${\boldsymbol{D}}$ is used to describe the value of mode.

However, just as we mentioned before, the importance of a different node in ICS is uncertain and a more important key node may have more influence than a less important node.

In order to solve this problem, we use a centrality-aware adjacency matrix ${{\boldsymbol{A}}}'$ to replace the traditional adjacency ${\boldsymbol{A}}$. Our adjacency matrix ${{\boldsymbol{A}}}'$ includes two pieces of different information: the adjacent node information from original adjacency matrix ${\boldsymbol{A}}$ and the node centrality information from centrality matrix ${\boldsymbol{C}}$. In GCN, an adjacency matrix ${\boldsymbol{A}}$ is a 0-1 matrix:

We define ${\boldsymbol{C}}$ as the centrality matrix, then we can get a new centrality-aware adjacency matrix ${{\boldsymbol{A}}}'$:

Just like the normal GCN, we get the new degree matrix $\mathit{\boldsymbol{D'}}$. Now we have the new GCN structure:

where $\sigma$ is the active function, ${{{\boldsymbol{W}}}^{i}}$ is the weight matrix of the $i$-th layer of the network, and ${{{\boldsymbol{G}}}^{i}}$ is the $i$-th layer of CAGCN network structure.

Because the proposed CAGCN is also a variant of GCN, the interpretability mentioned earlier still applies.

Just as we mentioned before, the definition of network centrality is not unique. For exploring the suitable centrality in ICS, we choose several different centralities and create a mixed centrality. This mixed centralities can be defined as follows:

where ${K}_{\rm {DC}}$, ${K}_{\rm {CC}}$, and ${K}_{\rm {BC}}$ are the coefficients used to adjust the ratio of degree centrality, closeness centrality, and betweenness centrality, respectively. This ratio can be set manually or learned by our CAGCN network during training.

After we choose the centrality to use, we can define a new centrality matrix ${\boldsymbol{C}}$. For $i=j$, ${{C}_{ij}}$ is the value of the chosen centrality. By introducing a mixed centrality, our CAGCN can have better versatility in different network environments.

4.   Evaluation

In this section, we conduct experiments by answering the following research questions.

$\bullet$ RQ1. Compared with the state-of-the-art methods, whether the proposed method can have better precision when detecting anomalies in ICS?

$\bullet$ RQ2. Whether the proportion of underreporting of some attacks in the process of anomaly detection by the proposed model is acceptable?

$\bullet$ RQ3. How well does the proposed model perform comprehensively in terms of the trade-off between precision and sensitivity?

$\bullet$ RQ4. How to understand changes in features during centrality-based message passing and use this to understand the proposed model?

4.1   Datasets

To evaluate the performance of the proposed CAGCN, we test our model in the Secure Water Treatment (SWaT) dataset^[77] and the Water Distribution (WADI) dataset^[78]. The SWaT dataset and the WADI dataset are the most common ICS anomaly detection datasets. The abbreviations for sensors and actuators appearing in the SWaT dataset and the WADI dataset are summarized in Table 1. The details of the datasets are as follows.

Table  1.  Abbreviations of Sensors and Actuators in the Datasets

Abbreviation	Definition
AIT	Analyzer indicator transmitter
DPIT	Inferential pressure indicator transmitter
FIT	Flow indicator transmitter
FS	Flow switch
LIT	Level indicator transmitter
LT	Level transmitter
MCV	Motorized consumer valve
MV	Motorized valve
P	Pump
PIT	Pressure indicator transmitter

下载: 导出CSV 

| 显示表格

4.1.1   The SWaT Dataset

The SWaT dataset is an industrial control systems anomaly detection dataset provided by the Singapore University of Technology and Design^[77]. SWaT is a water treatment site launched in 2015 for cybersecurity research. The data collection process was implemented on a six-stage SWaT testbed, as shown in Fig.4. Nowadays, the SWaT dataset is one of the most popular real-world public cybersecurity datasets. Lots of researchers use the SWaT dataset to test their models' performances in complex real-world environments^[30].

Figure  4.  Secure Water Treatment (SWaT) testbed.

下载: 全尺寸图片 幻灯片

As shown in Fig.5, SWaT has six main processes according to the physical and control components of the water treatment facility. The details of the sensors and actuators in every processing stage are summarized in Table 1A in the supplementary file ¹.

Figure  5.  Processes of the SWaT testbed.

下载: 全尺寸图片 幻灯片

This system can produce five gallons of clean water per minute. It has a layered communication network, programmable logic controllers (PLCs), human machine interfaces (HMIs), a supervisory control and data acquisition (SCADA) workstation, and a historian server used to record data. Authors of the SWaT dataset collected network traffic and all the physical properties obtained from all the sensors and actuators in their experiment environment. The details of attacks to the system are shown in Table 2A in the supplementary file ¹.

The SWaT project team has built a scaled down version of a real-world industrial water treatment system and collected data for 11 days. The system operated 24 hours per day during the entire 11-day period. The system ran without any attacks during the first seven days, then the system was under attack in the remaining four days.

In the SWaT dataset, 496800 samples were collected in the first seven days and 449919 samples were collected when attacks were inserted to the system in the last four days. Among the samples collected in the last four days, 396019 of them are normal and the other 53900 samples are attack samples. All features in the network traffic were obtained from 51 sensors and actuators. In this dataset, data was labeled as normal or anomaly by the authors of the dataset.

The SWaT dataset includes the 51 features which can be used to build the feature matrix. The SWaT dataset also provides the connection relationship between different devices, which can be used to build the adjacency matrix in GCN. The feature matrix and adjacency matrix are used as the input in our model.

4.1.2   The WADI Dataset

The WADI dataset^[78] is another high-quality real-world ICS anomaly detection dataset provided by the authors of the SWaT dataset. WADI is a natural extension of SWaT. The authors of the WADI dataset also collected normal and attack data on their testbed, as shown in Fig.6.

Figure  6.  The water distribution (WADI) testbed.

下载: 全尺寸图片 幻灯片

Similar to SWaT, WADI also has a layered communication network, PLCs, HMIs, an SCADA workstation, and a historian server used to record data. The data was collected from all the sensors and actuators in their experimental environment. As shown in Fig.7, WADI has four main processes, and the details of the sensors and actuators in every processing stage are summarized in Table 3A, and attack details of the WADI dataset are shown in Table 4A in the supplementary file ².

Figure  7.  Processes of the WADI testbed.

下载: 全尺寸图片 幻灯片

Compared with the SWaT dataset, the WADI dataset includes more features and samples. In the WADI dataset, 789371 samples with 123 features were collected in the first fourteen days without attacks. In the last two days, 172801 samples with cyberattacks were collected. We can also build the feature matrix and adjacency matrix from the WADI dataset.

4.2   Metrics

We use precision, recall, and F1 score to evaluate the model performance^[28].

To explain precision, recall, and F1 score, we use $TP$, $FP$, and $FN$ in the following ways:

● $TP$ (true positive): anomaly in actual is classified as anomaly in prediction.

● $FP$ (false positive): normal in actual is classified as an anomaly in prediction.

● $FN$ (false negative): anomaly in actual is classified as normal in prediction.

Precision is the ratio of the correctly predicted positive anomaly data to the total predicted positive anomaly data.

Recall is the ratio of the correctly predicted positive anomaly data to all the data in actual anomaly class.

F1 score can be thought as a weighted average of the model precision and recall, with a maximum of 1 and a minimum of 0.

4.3   Experimental Setup

Our experiment was conducted on a workstation with Intel Core i9-7900X CPU @3.30 GHz, 128 G RAM, 1 TB SSD, 4 TB HDD, NVIDIA Titan XP GPU. The details are shown in Table 2.

Table  2.  Experimental Environment

Type	Value
CPU	Intel Core i9-7900X @3.30 GHz
Memory	128 GB
Storage	1 TB SSD and 4 TB HDD
GPU	NVIDIA Titan XP
GPU memory	12 GB
Operating	System Ubuntu 18.04 LTS
Python version	Python 3.6
CUDA version	CUDA 10
cuDNN version	cuDNN 7.4
TensorFlow version	TensorFlow 1.13.1

下载: 导出CSV 

| 显示表格

In order to analyze the value of the centralities in different network structures, we used five kinds of centralities in our experiment: degree centrality, closeness centrality, betweenness centrality, mixed centrality (the ratio of degree centrality, closeness centrality, and betweenness centrality is 1:1:1), and the self-learning centrality (the ratio of degree centrality, closeness centrality, and betweenness centrality is the self-learning variable in our network which could be updated in the training process). We used a randomly 3:1:1 split of training set, validation set and test set on the both datasets. We also used cross validations to test the robustness of our result. This 3:1:1 partitaioning ratio of the both datasets is also used in the comparison methods below. We uploaded the code to a GitHub code repository ³.

4.4   Comparison Methods

We compared our method with several state-of-the-art methods using the SWaT dataset and the WADI dataset.

In the selection of comparative methods, we covered as many types of models as possible: traditional neural network models, generative adversarial models, auto-encoders-based models, tree-based models, etc.

We compared our proposed CAGCN method with nine existing methods: DIF^[28], MAD-GAN^[24], AE^[27], 1D-CNN^[27], SVM^[19], DNN^[19], PCA-Reconstruction^[27], Windowed-PCA^[27], and DAICS^[37].

DIF is a dual-isolation-forests-based attack detection framework. MAD-GAN is a multivariate anomaly detection method based on a generative adversarial network. AE is a method based on auto-encoders. 1D-CNN is a method using one-dimensional CNN to detect anomalies. SVM is a method based on support vector machine. DNN is a method using a deep neural network. PCA-Reconstruction and Windowed-PCA are two methods based on principal component analysis (PCA). DAICS is a deep learning solution for anomaly detection in ICS using deep convolutional branch.

4.5   RQ1: Precision of Proposed Method

The results of the experiment based on the SWaT dataset and the WADI dataset are shown in Fig.8.

Figure  8.  Precision of the proposed method and the compared methods on datasets SWaT and WADI.

下载: 全尺寸图片 幻灯片

As for the precision results on the SWaT dataset, CAGCN with self-learning centrality (CAGAN-SLC) achieves the highest precision result (0.991). CAGCN with degree centrality (CAGCN-DC), CAGCN with closeness centrality (CAGCN-CC), CAGCN with betweenness centrality (CAGCN-BC), and CAGCN with 1:1:1 mixed centrality (CAGCN-MC) achieve at least 0.989 in precision. As for the compared methods, MAD-GAN achieves 0.990 and DNN gets 0.983 in our experiment. The other methods show a significantly low predictive ability. AE gets the lowest score with 0.726.

As for the precision results on the WADI dataset, CAGCN-SLC gets the highest result in precision (0.942). CAGCN-DC, CAGCN-CC, CAGCN-BC, and CAGCN-MC achieve at least 0.916 in precision. As for the compared methods, DAICS achieves 0.908, DNN gets 0.880, MAD-GAN gets 0.869, and the other compared methods get low results between 0.510 and 0.869.

Based on the results mentioned above, we believe that our model can have better precision when detecting anomalies in ICS.

4.6   RQ2: Sensitivity of Proposed Method

We used the evaluation metric recall, introduced earlier, to evaluate the sensitivity of the proposed method and the compared methods, because this evaluation metric directly calculates the proportion of true positive attacks in all attacks.

The recall results on the SWaT dataset and the WADI dataset are shown in Fig.9.

Figure  9.  Recall of the proposed method and the compared methods on datasets SWaT and WADI.

下载: 全尺寸图片 幻灯片

As for the recall results on the SWaT dataset, CAGCN-SLC also achieves the highest score (0.872). The following is CAGCN-DC (0.861). CAGCN-CC, CAGCN-BC, and CAGCN-MC get a similar level at 0.85. On the other hand, DAICS gets a good recall score at 0.861. 1D-CNN, Windowed-PCA, and DIF get the recall score of 0.854, 0.841, and 0.835, respectively. The recall scores of the other compared methods are below 0.8.

As for the recall results on the WADI dataset, CAGCN-SLC also achieves the highest score (0.952). The following is CAGCN-CC (0.940). CAGCN-DC, CAGCN-BC, and CAGCN-MC obtain similar results of 0.76. The recall score of MAD-GAN is 0.948. This score is very close to the best CAGCN method. The recall scores of 1D-CNN and DAICS are about 0.721 and 0.731, respectively. The other compared methods only get recall scores between 0.510 and 0.681.

Based on the results above, the proportion of underreporting attacks in the process of anomaly detection of the proposed model is acceptable and better than that of most of the compared methods.

4.7   RQ3: F1 Score of Proposed Method

F1 score can find the best trade off between precision and recall of the proposed method.

The F1 score results on the SWaT dataset and the WADI dataset are shown in Fig.10.

Figure  10.  F1 score of the proposed method and the compared methods on datasets SWaT and WADI.

下载: 全尺寸图片 幻灯片

As for the F1 score results on the SWaT dataset, all the F1 scores of our CAGCN method are over 0.915 and the highest one is CAGCN-SLC (0.928). DIF achieves the best performance among all the compared methods (0.882). According to our results, the F1 scores of our CAGCN method are much better than those of the compared methods.

As for F1 score results on the WADI dataset, CAGCN-SLC also gets the best score (0.947). CAGCN-CC gets a similarly good result of 0.945. CAGCN-DC, CAGCN-BC, and CAGCN-MC gain similar results around 0.83. MAD-GAN has a F1 score of 0.907. The other compared methods get F1 scores between 0.510 (SVM) and 0.804 (DAICS).

Based on the results above, in terms of the trade-off between precision and sensitivity, the overall performance of the proposed model is better than the overall performance of the compared methods.

4.8   RQ4: Interpretability of Proposed Method

According to our result, LIT401 is a key node with high centrality. We compared the value of LIT401 and the adjacent node before and after attack 26. As shown in Table 3, when the system was under attack, the original feature of LIT401 decreases dramatically (1.720 to 0.700) whereas the original features of LIT301 and LIT501 do not change at all. As for the features after message passing, because the LIT401 passes the message to its adjacent nodes, the features of LIT301 and LIT501 both decrease (2.302 to 2.251, 1.80 to 1.785). These results prove that the change of key node could lead to a wide change in the whole network, therefore the model can identify this fluctuation easily. Then our model is able to detect the anomaly of LIT401.

Table  3.  Changes to Values Before and After Message Passing in an Attack Case

Value	LIT301	LIT401	LIT501
Original values (before attack)	2.216	1.720	1.733
Original values (after attack)	2.216	0.700	1.733
Values after message passing (before attack)	2.302	1.782	1.800
Values after message passing (after attack)	2.251	0.762	1.785

下载: 导出CSV 

| 显示表格

Just as mentioned before, the application of GCN can be deemed as the process of message passing. GCN can catch the process of message passing in attacks and pay more attention to the key nodes in industrial control networks. On the other hand, the introduction of centrality also improves the ability to detect attacks in key nodes. Due to the application of GCN and centrality, the performance of our method is better than that of the compared methods.

5.   Conclusions

In this paper, we created a centrality-aware graph convolution network to detect anomalies in industrial control systems (ICS). Our method combines the merits of GCN and centrality by using the centrality of nodes to improve the detective ability of GCN. The topological information is extracted by a graph convolution operation and a node's importance is granted by its centrality. According to the results, it is clear that compared with state-of-the-art methods, our CAGCN method, especially CAGCN-SLC, achieves better performance on two ICS datasets. Our results imply that the topological relationship in ICS should not be ignored in anomaly detection.

We used three common centralities (degree centrality, closeness centrality, and betweenness centrality) and the combination of these centralities to enhance the performance of GCN. Our results proved that the application of centrality can improve the performance of anomaly detection in ICS. Our CAGCN method with self-learning combination centrality achieved the best performance among all the compared methods.

In future, we will try more different centralities to test the learning ability of our model as well as design a more effective centrality for mining the inner information in ICS. We also plan to test our method in more kinds of datasets to verify the robustness of our method. We have updated our code in GitHub and provided some cases about how to use our model to improve the performance of other GCN models.