A three-tiered intrusion detection system for industrial control systems

This article presents a three-tiered intrusion detection system, which uses a supervised approach to detect cyber-attacks in industrial control system networks. The proposed approach not only aims to identify malicious packets on the network but also attempts to identify the general and finer-grained attack type occurring on the network. This is key in the industrial control systems environment, as the ability to identify exact attack types will lead to a faster response to the incident and a better defence of the infrastructure. More specifically, the proposed system consists of three stages that aim to classify: (i) whether packets are malicious; (ii) the general attack type of malicious packets (e.g. Denial of Service); and (iii) finer-grained cyber-attacks (e.g. bad cyclic redundancy check attack). The effectiveness of the proposed intrusion detection system is evaluated on network data collected from a real industrial gas pipeline system. In addition, an insight is provided as to which features are most relevant in detecting such malicious behaviour. The performance of the system results in an F-measure of: (i) 87.4%, (ii) 74.5% and (iii) 41.2%, for each of the layers, respectively. This demonstrates that the proposed architecture can successfully distinguish whether network activity is malicious and detect which general attack was deployed.


Introduction
Critical national infrastructure concepts such as manufacturing, smart grids, water treatment plants, gas and oil refineries, and healthcare are heavily dependent on industrial control systems (ICSs). Such systems include supervisory control and data acquisition (SCADA) systems, which are computer systems responsible for gathering and analysing real-time data; distributed control systems, which are specially designed automated control systems consisting of geographically distributed control elements; and other smaller control systems such as programmable logic controllers, which are industrial solid-state computers that monitor inputs and outputs and make logic-based decisions for automated processes or machines [1]. Historically, ICS networks and their components were protected from cyber-attacks as they ran on proprietary hardware/software and were connected in isolated networks with no external connection to the Internet [2]. However, as the world is becoming more interconnected, there has been a need to connect different ICS networks together and to the Internet, allowing remote access to and monitoring of these systems. As a result, ICSs are now subject to a range of security vulnerabilities [2]. According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the number of cyber-attacks against ICSs has significantly increased over the past few years [3], some of which were of high impact. Such attacks included the Stuxnet attack [4], which targeted the Iranian nuclear enrichment plant and led to physical damage and delayed operations; the Ohio Nuclear Power Plant attack [5], which crashed the safety parameter display system; and the Ukrainian power grid attack [6], which left approximately 225,000 people without electricity.
Given the importance of these systems, they are an attractive target for attackers. Thus, developing mechanisms that can automatically detect cyber-attacks in these networks is crucial. Intrusion detection systems (IDSs), which monitor network traffic and identify malicious behaviour, have been extensively researched and used in traditional IT infrastructures. However, limited effort has been devoted to designing and implementing IDSs that are specifically tailored for ICSs [7]. Such tools play a key role in understanding the cyber-attack that has occurred and can aid a faster and more efficient incident response.
ICS networks have specific characteristics which make the development of IDSs challenging. First, ICSs have their own protocols (e.g. Modbus, DNP3), which traditional IDSs neglect. Moreover, as these systems are part of critical national infrastructure and handle sensitive processes, accessing the necessary data to test and evaluate a proposed IDS may pose a challenge. Because of their cyber-physical nature, it is important to have access not only to network/protocol information but also to information related to the physical process controls. However, the hardware of these systems is very expensive, limiting the ability to set up ICS testbeds [7].
Applying traditional IDSs to ICS environments would be inefficient, as they come with several limitations: (i) most conventional IDSs are signature/rule/event-based, which limits the number of attacks they can detect and makes them ineffective against zero-day attacks; (ii) popular IDSs such as SNORT and Bro are only efficient on traditional IP-only networks and have not been designed to take ICS-specific protocols into consideration [8]; and (iii) existing IDSs lack sufficient generality and flexibility to adapt to other systems [7].
To address the aforementioned limitations, this work examines the viability of applying supervised machine learning to detect cyber-attacks in ICSs. A machine learning-based IDS is adaptable and more flexible, as it can automatically learn the general characteristics from data and thus form decisions on unseen data [9]. In addition, this approach does not require attack signatures or pre-defined rules to detect attacks, and therefore it can be effective against zero-day attacks. As a result, this article proposes a three-tiered IDS for the ICS environment which: (i) learns the normal behaviour of the system and identifies malicious activity on ICS/SCADA networks; (ii) identifies the general attack type that has occurred; and (iii) specifies the attack type even further by classifying packets from (ii) as a specific attack type. Being able to detect the generic type of the attack helps security engineers to quickly understand the threat they have to combat. This is because there are many forms of such attacks, for example Denial of Service (DoS) [e.g. ping flood, ping of death, bad cyclic redundancy check (CRC)]. However, if this detection can be expanded to also identify the exact type of attack which has occurred, it is possible to respond even more efficiently and launch the appropriate countermeasures. To demonstrate the effectiveness of the proposed method, an annotated Gas Pipeline dataset [10], which contains labelled packets from 7 generic attack categories and 35 specific attack categories, was used.
Previous research has mainly attempted to use machine learning algorithms to distinguish between benign and malicious ICS traffic, and only one paper has attempted to identify the general attack type that has occurred. Specifically, Beaver et al. [11] investigate how supervised machine learning can be used to distinguish malicious behaviour in a gas pipeline ICS. They classify malicious packets as one of seven main attack types. However, further analysis of Beaver et al.'s [11] gas pipeline dataset showed that there was not enough randomness among normal and attack behaviours [12]. As a result, the machine learning algorithms detected the attacks with very high accuracy (98-100%). The report in [13] details why this dataset is unsuitable for IDS research, owing to obvious correlations between particular parameters and the result to be predicted.
Moreover, the main motivation of this article is not only to detect general attack types but also to distinguish between 35 finer-grained attacks.
According to the Cyber Security Incident Response Guide [14] and the National Cyber Security Centre, one of the toughest challenges for organizations is to identify the type of cyber-attack which is occurring on the network without having to perform an in-depth investigation, which can be a very time-consuming process. This is particularly difficult in cases such as ICSs, where the different types of attacks can be very similar (e.g. a slight modification of the pressure values may not be detected) and can have the same initial symptoms. Therefore, in the context of ICS, given that an attack against these systems may have severe consequences and result in hardware damage, injury, environmental impact, or even loss of life, launching specific countermeasures to mitigate these attacks as soon as they occur is critical. As a result, having a mechanism that not only automatically identifies malicious packets and their general attack type (e.g. DoS), but also provides information regarding the exact type of attack (e.g. solenoid attack), is key to a faster, more efficient and targeted incident response to defend a critical infrastructure. In particular, the general attack type helps in identifying the implications of the attack. For instance, if a DoS is detected, it follows that a blackout might be caused. However, knowing the exact attack that is occurring in the system, for instance that a 'Negative Pressure Attack' has been identified rather than a 'Naive Malicious Response Injection', can significantly assist in locating the attack and defending against it significantly faster by launching countermeasures.

Contributions
Therefore, this article expands on Beaver et al.'s [11] approach in the following ways:
• The data used to support the experiments provided in this article were presented by Morris et al. [10], who document approaches for sharing data for the ICS IDS research community. This dataset was also collected from a gas pipeline ICS but is considered more realistic than that of Beaver et al., as it contains more randomness among benign and malicious scenarios.
• The main contribution of this article is not only to distinguish benign/malicious packets or to identify the general attack type of the malicious packets, but to attempt to detect the specific type of the attack that has been deployed by classifying malicious packets as 1 of 35 attack types. As machine learning offers early attack detection, this information would add significant value during incident response by rapidly reducing the time needed to launch specific countermeasures, and therefore decreasing the impact of the cyber-attack.
• In comparison to Beaver et al. [11], Morris et al.'s [10] dataset contains more features, and thus in this article their importance towards identifying malicious behaviour is investigated.
• In this article, 10 supervised machine learning classifiers are evaluated based on previous ICS IDS research [11,15,16].

Related work
Several studies concerning ICS security have attempted to investigate how both supervised and unsupervised machine-learning techniques can be used to support the adaptive capabilities of automated IDSs.
In addition to Beaver et al.'s [11] evaluations, Nader et al. [17] use one-class classification techniques, namely Support Vector Data Description and Kernel Principal Component Analysis, for intrusion detection in SCADA systems. They demonstrate that their approach can successfully detect intrusions; however, they do not identify the type of attack which has occurred. Bigham et al. [18] investigate how statistical Bayesian networks can be adopted to reduce false positive rates and increase the accuracy of anomaly detection systems in SCADA networks. Moreover, Shengyi et al. [19] applied common path mining techniques to develop a hybrid intrusion detection system for power grids. The IDS uses features of signature- and specification-based IDSs and is able to classify system behaviour over time, normal control operations, and cyber-attacks. Nevertheless, this work is based on synchrophasor measurement data, which can limit the applicability of this system.
Feng et al. [7] developed a multi-level anomaly detection system for ICS, which uses packet signatures and LSTM networks to successfully detect anomalies in gas pipeline systems, though they do not attempt to classify specific attack types. Parthasarathy and Kundur [20] developed a bloom filter-based IDS for smart grid SCADA, where the regular communication patterns of SCADA and the physical states of power systems have been used to implement a lightweight IDS that detects malicious activity. Goh et al. [21] proposed a novel unsupervised approach to detect cyber-attacks in cyber-physical systems using recurrent neural networks. They demonstrated that this approach can successfully detect most cyber-attacks with very low false-positive rates. Moreover, Maglaras and Jiang [22] demonstrated that a one-class support vector machine (OCSVM) can be promising in detecting anomalies in SCADA communication networks; however, they need to evaluate the proposed system further. Maglaras et al. [23] also used OCSVM to implement a novel IDS named K-OCSVM, which has the capability of detecting occurring attacks with high accuracy.
In addition, Pan et al. [24] employed a Bayesian network to graphically encode the causal relations among the available information to create patterns with temporal state transitions, which are used as rules in a proposed intrusion detection framework for electric power systems. They demonstrated that the IDS was effective in detecting anomalies on the electric system. Kravich et al. [2] used convolutional neural networks to detect cyber-attacks in a secure water treatment plant. They demonstrated that this approach can successfully detect the majority of attacks with low false-positive rates. Linda et al. [25] developed an IDS using a combination of neural networks which successfully detected network intrusions in a critical infrastructure testbed. Ghaeini et al. [26] employed supervised machine learning algorithms to implement a stateful detector that focuses on identifying stealthy attacks on ICSs.
Furthermore, Gao et al. [27] also developed a neural network-based IDS which monitors the physical behaviour of a SCADA system and detects artefacts of command and response injection attacks. Inoue et al. [28] compare the efficiency of deep neural networks and OCSVM in detecting anomalies in cyber-physical systems. They found that deep neural networks are more efficient and generate lower false-positive rates. Jones et al. [29] proposed an SVM-like algorithm which finds a description, in a signal temporal logic formula, of the known region of behaviours. This approach often creates a readable description of the known behaviours; however, if the system behaviour does not allow for a short description in signal temporal logic, this method will not work.
Finally, there are a few commercially available solutions that employ machine-learning algorithms to detect cyber-attacks, provided by companies such as Darktrace [30] and Veracode [31]. However, there is no transparency regarding the methodology and algorithms employed by these companies, and therefore it is not possible to directly compare this work with these products. Moreover, in their documentation, they focus mainly on identifying malicious activity and do not attempt to classify the attack that is occurring on the network.
To summarize these approaches, Table 1 shows existing IDSs for ICS and categorizes them according to detection method, attack type [binary (malicious/benign), general attack (e.g. DoS, reconnaissance), specific attack (e.g. setpoint attack, pump attack)] and validation dataset. We can see that although significant work has been undertaken to identify malicious and benign traffic, only two previous papers have attempted to drill into the attack traffic in more detail to categorize it into general types, and none to date have identified specific attacks. We argue that this information can significantly enhance the incident response process, as knowing the specific attack may lead to launching the most effective and targeted countermeasures.
Regarding the two aforementioned papers that have attempted to classify general attack types, one of them uses a dataset that is not suitable for IDS research, and the other is based on synchrophasor data, which limits its ability to generalize to other systems. Finally, although previous research has also attempted to distinguish between benign and malicious traffic, the majority of the methods used are tailored to specific features derived from the specific ICSs (e.g. attributes from a train's brake system). As a result, these are not comparable to this work. To the best of our knowledge, this article is the first to use machine learning to not only detect the presence of a cyber-attack but also to detect finer-grained attacks in a gas pipeline system.

System overview
Figure 1 provides an overview of the proposed IDS architecture. In more detail, on the left there are various ICS components which generate network data. The data are then picked up by the IDS tool, which constantly listens to the network traffic. The first stage includes the data preprocessing, where the relevant features are extracted from the network data. At the second stage, the machine-learning algorithm classifies the packets as benign or malicious. If the tool classifies the packet as malicious, then the third and fourth layers attempt to identify the general attack type and the specific attack type. As a result, in the event of an attack, the output of the proposed system is as follows: (i) benign/malicious; (ii) if malicious, the system classifies the packet into one of the seven general attack types it has been trained on; and (iii) it will also attempt to identify the specific attack. Knowing both the general attack type and the specific attack that is occurring in the ICS environment is critical not only to better understand the risk and implications of the attack, but also to locate it and defend against it. In order to identify which algorithms are best suited for the implementation of the proposed system, a series of experiments were conducted, which are discussed in the following sections.

Gas pipeline ICS testbed
Mississippi State University's in-house SCADA lab implemented a scaled-down version of a real gas pipeline system (see Figure 2). The system consists of three major components: sensors/actuators, a communication network and a supervisory control; and operates in three main modes: automatic, manual and off. Its main communication protocol is serial Modbus RTU. This system was used to generate both benign and malicious data in Turnipseed [12], where more information on the system's specifications can be found.

Data collection
A new framework for collecting data was used to generate the dataset discussed in this work. This new method allowed the creation of a more randomized, realistic and representative dataset. Specifically, to create a more authentic benign dataset, AutoIt scripts were used to simulate real operator activity and to switch between the different operational modes. Specific details regarding the generation of the new, more realistic dataset are discussed in Morris et al. [10].
Similarly, in order to generate the malicious dataset, scripts that randomized and parameterized the launch of a range of attacks were used [12]. The provided dataset represents network packets that were delivered to either the RTU or the MTU. Each instance in the dataset contains mainly network and payload information.

Cyber-attacks in ICS ecosystems
Multiple studies [12,32-34] have demonstrated that ICSs are most vulnerable to attacks that fall under four general categories: interception, interruption, modification and fabrication. Specifically:
• Interception: Attackers are able to gain information about the devices, their network behaviour, their normal operation, the system information, etc. An example of such an attack is man-in-the-middle.
• Interruption: Attackers use such attacks in order to disrupt and, most of the time, make communications between the devices in the ICS network completely unavailable. An example of such an attack is a DoS.
• Modification: These attacks allow attackers to alter the values, parameters, or states in a system. For example, in the gas pipeline system, an attacker would have the capability to modify the setpoint parameters which control the pressure levels, causing severe damage to the system.
• Fabrication: The attacker is able to craft new packets that may seem to be legitimate, but contain altered values that intend to cause damage to the system.
Popular cyber-attacks that fall under the aforementioned categories and thus included within [12] Such attacks may further be broken down into finer-grained attack types. Table 2 describes the 35 specific attacks that were deployed on the ICSs and their effects.

Final dataset
Figures 3-5 show the overall distribution of packets across all classes for each experiment.More specifically, the dataset consists of 60,048 malicious and 214,580 benign packets (Fig. 3). Figure 4 demonstrates the distribution of packets across the seven general attack types, with the (4) 'Malicious Parameter Command Injection' attack having the highest number of packets (20,412) and the (6) 'DoS' attack having the lowest (2,176).Similarly, Fig. 5 demonstrates the distribution of packets across the 35 specific attack types, with (35) 'Slow attacks' having the highest number of packets (2,204) and (20) 'Device scan attack' having the lowest (666).

Supervised machine learning
The experiments presented in this article were performed using Weka [35], a popular and widely used suite of machine learning software.

Feature selection
In order to perform machine learning classification experiments, it is essential to identify which attributes best describe the dataset. In this case, the instances within the dataset contain attributes associated with the RTU's network and payload information. The complete set of features used to evaluate a series of machine-learning classifiers is shown in Table 3. However, for the experiments conducted in this article, features that represented identifying properties (i.e. address and time) were removed, to ensure that the model was not making decisions dependent on the specific device or time.
To gain a better insight as to which features are most relevant for distinguishing attack types, a selection filter (InfoGainAttributeEval) was applied. This filter evaluates the worth of an attribute by measuring the information gain with respect to the class. The filter was applied to all attributes for all three experiments. The results are shown in Table 4.
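The criterion behind Weka's InfoGainAttributeEval, written out as an added example (not the paper's code): the information gain of an attribute is the class entropy minus the class entropy conditioned on that attribute's value. The packet table below is constructed for illustration and is not drawn from the gas-pipeline dataset; its column names follow the paper's feature names.

```python
# Added example (not the paper's code): the information-gain criterion behind Weka's
# InfoGainAttributeEval, implemented directly and run on a small constructed packet table.
from collections import Counter
from math import log2
from typing import Dict, List, Sequence, Tuple

# Constructed records, not rows from the gas-pipeline dataset. Each row is
# (function_code, crc_ok, pump_state) plus the class label.
ATTRIBUTES = ("function_code", "crc_ok", "pump_state")
RECORDS: List[Tuple[Tuple[int, int, int], str]] = [
    ((3, 1, 0), "benign"),
    ((16, 1, 1), "benign"),
    ((3, 1, 0), "benign"),
    ((16, 1, 1), "benign"),
    ((8, 0, 0), "malicious"),     # diagnostics code with a corrupted CRC
    ((8, 0, 1), "malicious"),
    ((3, 0, 0), "malicious"),     # normal code, bad CRC
    ((16, 1, 1), "malicious"),    # indistinguishable from benign on these columns
]


def entropy(labels: Sequence[str]) -> float:
    """Shannon entropy (bits) of the class distribution."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def information_gain(records, column: int) -> float:
    """H(class) - H(class | attribute): how much knowing the attribute reduces class uncertainty."""
    by_value: Dict[int, List[str]] = {}
    for features, label in records:
        by_value.setdefault(features[column], []).append(label)
    n = len(records)
    conditional = sum(len(group) / n * entropy(group) for group in by_value.values())
    return entropy([label for _, label in records]) - conditional


def rank_attributes(records=RECORDS, names=ATTRIBUTES) -> List[Tuple[str, float]]:
    """Attributes ordered from most to least informative, as the Weka filter reports them."""
    gains = [(name, information_gain(records, i)) for i, name in enumerate(names)]
    return sorted(gains, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, gain in rank_attributes():
        print(f"{name:14s} {gain:.4f}")
```

On this table the binary pump_state column splits the classes evenly in both of its values and so carries zero gain, which is the effect the paper reports for its bottom-ranked binary features.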
The results demonstrate that for all three experiments the top three most important features are the CRC, the Modbus frame length and the function code. Specifically, the CRC allows the system to check for errors within a frame that is sent to either the master or the slave device. An attacker could potentially transmit altered/malicious CRC values to cause attacks such as DoS. The 'Modbus frame length' feature is fixed for each command or response query. In the gas pipeline system, a set of write and read commands are used to repeatedly perform block writes and block reads from specific registers. To detect attacks, frames that are not of the expected length may be flagged as anomalous [12]. Finally, during normal behaviour, the function codes used in the gas pipeline system are usually read (0x03) and write (0x16) commands. However, there exist 256 possible function codes, some of which can potentially be used for malicious purposes. For example, the 0x08 function code is generally used for diagnostic purposes, but it can be used to force a slave device into listen-only mode.
Conversely, for all three experiments, the bottom three features are the pump state, the solenoid value and the control scheme. Each of these features is represented by binary values. For example, the 'pump state' indicates the off (0) or on (1) state. The system can be put into a critical state if an attacker is able to change the system mode to manual and turn the pump on, causing serious physical damage [12]. The 'solenoid' value also has two possible values: closed (0) or opened (1). Attacks similar to those on the pump may be performed, affecting the system's pressure and causing damage. Finally, the 'control scheme' in the gas pipeline determines whether the system will be controlled by the 'pump' or by the 'solenoid'.
Intuitively, given that the top three features have specific values under normal behaviour but can take a range of other values which may indicate abnormal behaviour, such features justifiably influence the classifier in distinguishing whether an attack has occurred. On the other hand, the lowest three features are represented only by binary values, which make attacks easier to mask and thus make it more difficult for the classifier to distinguish malicious behaviour. Understanding which features are most relevant to the classifier is important, as it identifies which features must be present in order to best discriminate between the classes. Features which are least relevant to the classification problem may add noise and lead to inaccurate predictions.
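The three top-ranked features above can be checked directly on a Modbus RTU frame before any classifier sees it. The following added example (not the paper's or the testbed's code) computes the CRC-16/MODBUS, verifies the fixed request layout for the read and write commands, and flags function codes outside the normal set; it assumes normal traffic uses only function codes 3 and 16 (0x03 and 0x10 on the wire), and all sample frames are constructed.

```python
# Added example (not the paper's code): a rule check over the three features the
# paper ranks highest, CRC, Modbus RTU frame length and function code, applied to
# constructed master->slave request frames.
from typing import Dict, List

# Assumption: normal gas-pipeline traffic uses only function code 3 (read holding
# registers) and function code 16 (write multiple registers), i.e. 0x03 and 0x10.
NORMAL_FUNCTION_CODES = {0x03, 0x10}
DIAGNOSTICS = 0x08                 # diagnostics function code discussed in the text
FORCE_LISTEN_ONLY = 0x0004         # diagnostics sub-function that silences a slave


def modbus_crc(pdu: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in pdu:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(address: int, function: int, body: bytes) -> bytes:
    """Assemble an RTU frame; the CRC is sent low byte first."""
    pdu = bytes([address, function]) + body
    crc = modbus_crc(pdu)
    return pdu + bytes([crc & 0xFF, crc >> 8])


def check_request(frame: bytes) -> List[str]:
    """Return the indicators raised for one request frame; an empty list means it
    looks like normal read/write traffic on all three features."""
    if len(frame) < 4:
        return ["frame too short to hold address, function code and CRC"]
    indicators: List[str] = []
    pdu, body = frame[:-2], frame[2:-2]
    function = frame[1]

    # Feature 1: CRC. A mismatch is the 'Bad CRC' behaviour the text describes.
    received = frame[-2] | (frame[-1] << 8)
    if received != modbus_crc(pdu):
        indicators.append("bad CRC")

    # Feature 2: frame length. Normal commands have a fixed layout per function code.
    if function == 0x03 and len(body) != 4:            # start(2) + quantity(2)
        indicators.append(f"read request length {len(frame)}, expected 8")
    elif function == 0x10:                             # start(2) + qty(2) + count(1) + data
        quantity = int.from_bytes(body[2:4], "big") if len(body) >= 4 else 0
        if len(body) < 5 or body[4] != 2 * quantity or len(body) != 5 + body[4]:
            indicators.append("write request length inconsistent with register count")

    # Feature 3: function code. Anything outside the two normal codes is suspicious;
    # diagnostics with sub-function 4 would put the slave into listen-only mode.
    if function not in NORMAL_FUNCTION_CODES:
        indicators.append(f"unexpected function code 0x{function:02X}")
        if (function == DIAGNOSTICS and len(body) >= 2
                and int.from_bytes(body[:2], "big") == FORCE_LISTEN_ONLY):
            indicators.append("diagnostics sub-function 0x0004 (force listen-only mode)")
    return indicators


# Constructed sample frames (not dataset packets). The first is the textbook
# "read 10 holding registers from slave 1" request, whose CRC is C5 CD.
SAMPLE_FRAMES: Dict[str, bytes] = {
    "read_10_registers": bytes.fromhex("01030000000AC5CD"),
    "read_bad_crc": bytes.fromhex("01030000000AC5CC"),
    "read_truncated": build_frame(1, 0x03, bytes.fromhex("0000")),
    "write_bad_byte_count": build_frame(1, 0x10, bytes.fromhex("00000002021234")),
    "force_listen_only": build_frame(1, DIAGNOSTICS, bytes.fromhex("00040000")),
}


def triage(frames: Dict[str, bytes] = SAMPLE_FRAMES) -> Dict[str, List[str]]:
    """Run the checker over every sample frame."""
    return {name: check_request(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, found in triage().items():
        print(f"{name:22s} {'normal' if not found else '; '.join(found)}")
```

Such rules cover only the fixed-layout features; the paper's point is that the classifier still has to learn the remaining attack types, which alter register values inside otherwise well-formed frames.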

Classification experiments
To explore how well classification algorithms can detect cyber-attacks in the ICS environment, the evaluation methodology described in Anthi et al. [36] was used.
More specifically, in order to perform classification experiments, a random subset of 60% of each dataset described in the 'Use case' section was selected for training, with the remaining 20% used for testing and 20% used for evaluating the performance of the trained models further on an unseen dataset. When using the percentage-split function in Weka, the software splits the data so that the distribution of classes in the original dataset is reflected in each dataset produced by the split. In this case, the training datasets for each experiment reflect similar distributions of classes as noted in Figs 3-5.
According to the 'no free lunch' theorem [37], there is no universally best learning algorithm. That is, the choice of algorithm should be based on its performance for that particular problem and the properties of the data that characterize the problem. As a result, a variety of classifiers distributed as part of Weka were evaluated.
More specifically, for the specific classification problems considered in this work, 10 classifiers were selected based on their ability to support multi-class classification and a high-dimensional feature space. The classifiers included:
• generative models that consider conditional dependencies in the dataset or assume conditional independence (e.g. Bayesian Network, Naive Bayes) and
• discriminative models that aim to maximize information gain or directly map data to their respective classes without modelling any underlying probability or structure of the data (e.g. J48 Decision Tree, Support Vector Machine).
Moreover, the aforementioned algorithms were also chosen as they produce classification models that can be easily interpreted, allowing a better understanding of the classification results.

Results
Tables 5 and 6 report the overall weighted-averaged performance for all 10 classifiers on the testing and validation datasets, respectively. To gain a better insight into the performance of the classifiers across the experiments, the confusion matrices in Tables 7 and 8, which show how the predicted classes for individual packets compare against the actual ones, were analysed.

Detecting cyber-attacks
When detecting malicious behaviour, the Random Forest achieved the best classification performance, with an F-measure of 87.4%. Overall, the confusion matrix in Table 7 demonstrates some confusion. This could be explained by the fact that the attacks that were performed during data collection involve altering the values of the core features of the gas pipeline in a discrete manner, for example changing the 'pump state' between on and off.

Classifying general attack types
When distinguishing the type of attack among seven attack types, the J48 classifier achieved the best classification performance, with an F-measure of 74.5%. Overall, the confusion matrix in Table 8 also demonstrates some confusion. In particular, the first ('Naive Malicious Response Injection') and second ('Complex Malicious Response Injection') attacks, and the third ('Malicious State Command Injection') and fourth ('Malicious Parameter Command Injection'), are often misclassified as each other. This misclassification can be explained by the fact that such attack types are based upon other attacks and, although they have incurred minor modifications, their compositions are similar.
On the other hand, the fifth ('Malicious Function Code Injection'), sixth ('DoS') and seventh ('Reconnaissance') incur very little confusion. This may be explained by the fact that although normal function codes are usually represented by two values, an attacker can inject up to 256 different values. As a result, this can be easily detected. Finally, reconnaissance activity can also be easily distinguished, as it is significantly different from all the other attacks in the dataset.

Classifying specific attack types
When distinguishing the specific type of attack among 35 attack types, the J48 classifier achieved the best classification performance, with an F-measure of 41.2%. Intuitively, this is due to the fact that the classifiers (which are often used for binary classification) are faced with a multi-class classification problem. Thus, further experiments are required to determine whether other approaches, such as ensemble learning, or dividing the dataset according to each attack and evaluating models on each attack type, improve the performance.
The confusion matrix for this classification is too large to be included in this article. However, all attacks from the first to the seventeenth (Table 2) are often misclassified as the eighteenth attack ('Bad CRC Attack'). Decision Tree classifiers operate by splitting the data based on rule/decision boundaries. In the first two experiments, these algorithms seemed to perform very well. However, due to the way it operates, when the algorithm is presented with 35 classes it creates too many boundaries while not having enough distinct features to base its decisions upon. This might explain why its performance in this experiment is quite poor. Nevertheless, detecting whether a 'Device scan attack', 'Force listen attack', 'Read Id attack' or 'Negative pressure attack' has occurred demonstrated very little confusion, with all packets being correctly classified.

Use case
Although the architecture of the system proposed in this work has been evaluated on a gas pipeline dataset, such an approach can also be applied to other ICSs (e.g. water treatment plants). Intuitively, the features used to evaluate the machine learning classifiers in this article will change depending on the features used to describe the packets collected from other ICS environments.
Moreover, the experiments presented in this article were conducted in an offline setting. This allowed us to investigate the feasibility of the machine-learning approaches. Nevertheless, the positive findings reported herein demonstrate that the proposed system can be implemented as a lightweight machine-learning tool, which can sit on a pipeline to monitor ICS networks and detect attacks in real time. In more detail, the system can use a network packet sniffer to monitor packets and extract the relevant attributes in order to support the automated classification of malicious packets and their attack types. These results can significantly help in locating the cyber-attack and launching specific countermeasures.

Conclusion
In this article, a novel three-tiered IDS for the ICS environment is presented. The system consists of three stages, as follows: (i) it identifies malicious packets on the network when an attack is occurring; (ii) it classifies the type of the attack that has been deployed from seven main attack types; and (iii) it specifies the attack type even further by classifying packets from (ii) as 1 of 35 attack types. Currently, only two previous papers have attempted to drill into the attack traffic in more detail to categorize it into general types, and none to date have identified specific attacks. Knowing both the general attack type and the specific attack that is occurring in the network is extremely important, as they help understand the risk, the impact, and what function has been affected. As a result, they significantly enhance the response and defence time.
To evaluate the performance of the proposed system, a range of supervised machine learning classifiers were applied to data from a gas pipeline ICS. The system's three core functions achieve an F-measure of (i) 87.4% (Random Forest), (ii) 74.5% (J48) and (iii) 41.2% (J48). This demonstrates that the proposed architecture can successfully distinguish between malicious and benign behaviour and detect the general type of attack that has occurred. Although the performance in classifying specific attacks is lower than expected, this initial analysis is promising, as it is a first step towards identifying an appropriate classification approach for specific attacks. This is key in ICS ecosystems, as knowing the exact attack that is occurring can significantly help in locating the cyber-attack and launching even more specific countermeasures.
In addition to the classification experiments, the study provides insight into which features are most relevant for detecting malicious behaviour and distinguishing among different attack types in ICSs. The findings show that CRC, Modbus frame length and function code are the three most important features indicating malicious activity in a gas pipeline system. Analysing which features matter most to the classifier is important because it identifies the features that must be present to discriminate best between the classes; conversely, the least relevant features may add noise and lead to inaccurate predictions. Although the reported results are intuitive, further research and evaluation are required to generalize these findings to other ICS systems.
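The information gain ratio filter that produced the ranking in Table 4 is straightforward to reproduce; the example below is an added illustration and not the article's code. It assumes C4.5/J48-style binary splits on numeric features (each feature is split at the threshold with the highest information gain, and the gain ratio is that gain divided by the split information), and it uses constructed packet rows and labels. The feature names other than CRC validity, frame length and function code (address, measurement) are stand-ins for entries in Table 3, which the page does not reproduce.

```python
"""Ranking packet features by information gain ratio, the filter behind Table 4.
Added illustration, not the article's code: each numeric feature is split at the
threshold with the highest information gain, as C4.5/J48 does, and the gain ratio
is that gain divided by the split information. Rows and labels are constructed."""
import math
from collections import Counter

def entropy(labels) -> float:
    n = len(labels)
    return -sum(k / n * math.log2(k / n) for k in Counter(labels).values())

def gain_ratio(values, labels) -> tuple:
    """Split one numeric feature at its highest-gain threshold and return
    (gain ratio, threshold); a constant feature yields (0.0, None)."""
    base, best_gain, best = entropy(labels), 0.0, (0.0, None)
    distinct = sorted(set(values))
    for lo, hi in zip(distinct, distinct[1:]):
        t = (lo + hi) / 2  # candidate threshold halfway between adjacent observed values
        left = [y for v, y in zip(values, labels) if v <= t]
        right = [y for v, y in zip(values, labels) if v > t]
        p = len(left) / len(labels)
        gain = base - (p * entropy(left) + (1 - p) * entropy(right))
        split_info = -(p * math.log2(p) + (1 - p) * math.log2(1 - p))  # > 0: both sides non-empty
        if gain > best_gain:
            best_gain, best = gain, (gain / split_info, t)
    return best

def rank_features(rows, labels, names) -> list:
    """[(name, gain ratio, threshold)] ordered from most to least informative."""
    scored = [(name, *gain_ratio([r[i] for r in rows], labels)) for i, name in enumerate(names)]
    return sorted(scored, key=lambda item: item[1], reverse=True)

FEATURE_NAMES = ["crc_valid", "frame_length", "function_code", "address", "measurement"]
PACKETS = [  # constructed feature rows; the first five are benign, the rest attacks
    (1, 8, 3, 1, 0),     # read request
    (1, 8, 6, 1, 0),     # write request
    (1, 7, 3, 1, 350),   # read response
    (1, 7, 3, 1, 400),   # read response
    (1, 8, 3, 1, 0),     # read request
    (0, 8, 3, 1, 0),     # bad CRC on a request
    (0, 8, 6, 1, 0),     # bad CRC on a request
    (0, 7, 3, 1, 350),   # bad CRC on a response
    (1, 4, 17, 1, 0),    # function code scan (report slave ID)
    (1, 7, 3, 1, -100),  # negative pressure response
    (1, 8, 8, 1, 0),     # function code scan (diagnostics)
]
LABELS = ["benign"] * 5 + ["malicious"] * 6
```

On these rows `rank_features(PACKETS, LABELS, FEATURE_NAMES)` puts crc_valid first (gain ratio about 0.35 at threshold 0.5), then function_code, measurement and frame_length, with the constant address feature scoring 0.0; the constant feature is exactly the kind of input that only adds noise. Two caveats when applying the filter to a real capture: gain ratio rewards splits that isolate a single packet (the measurement split at 375 separates one benign row), which is why C4.5 only considers thresholds whose gain is at least the average gain over all candidates, and a ranking computed on one plant's traffic says nothing about another plant's feature set until it is recomputed there.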

Figure 1: Architecture of the proposed three-tier IDS system for ICS.

Figure 3: Distribution of packets across attack detection.

Figure 4: Distribution of packets across seven general attack types.

Figure 5: Distribution of packets across 35 specific attack types.

Table 1: Summary of current work on IDSs for ICS.

Table 2: Thirty-five cyber-attacks which compromise ICS systems' vulnerabilities [12]. [Rows 1-23 are not recoverable from the extracted text; the surviving fragment of the row preceding row 24 reads: "... slave device. The data about the device are not recorded, but is performed as if it were being recorded."]

No.    Attack                     Category  Description
24     Function code scan attack  Recon     Scans for possible functions that are being used on the system. The data about the device are not recorded, but is performed as if it were being recorded.
25-26  Rise/Fall attacks          CMRI      Sends back pressure readings which create trends on the pressure reading's graph.
27-28  Slope attacks              CMRI      Randomly increases/decreases the pressure reading by a random slope.
29-31  Random value attacks       NMRI      Random pressure measurements are sent to the master.
32     Negative pressure attack   NMRI      Sends back a negative pressure reading from the slave.
33-34  Fast attacks               CMRI      Sends back a high set point then a low set point, which changes 'fast'.
35     Slow attacks               CMRI      Sends back a high set point then a low set point, which changes 'slow'.

Table 3: Twenty packet features.

Table 4: Ranked features following information gain ratio attribute filtering.

Table 5: Weighted average classification results across 10 classifiers on a testing dataset. Note: highlighted values mark the best performing classifier for each problem.

Table 6: Weighted average classification results across 10 classifiers on an unseen validation dataset. Note: highlighted values mark the best performing classifier for each problem.

Table 7: Attack detection confusion matrix (Random Forest).