Constrained Concealment Attacks against Reconstruction-based Anomaly Detectors in Industrial Control Systems

conference contribution
posted on 2023-11-29, 18:14, authored by Alessandro Erba, Riccardo Taormina, Stefano Galelli, Marcello Pogliani, Michele Carminati, Stefano Zanero, Nils Ole Tippenhauer
Recently, reconstruction-based anomaly detection was proposed as an effective technique to detect attacks in dynamic industrial control networks. Unlike classical network anomaly detectors that observe the network traffic, reconstruction-based detectors operate on the measured sensor data, leveraging physical process models learned a priori. In this work, we investigate different approaches to evade prior-work reconstruction-based anomaly detectors by manipulating sensor data so that the attack is concealed. We find that replay attacks (commonly assumed to be very strong) perform poorly (i.e., they increase the number of alarms) if the attacker is constrained to manipulate less than 95% of all features in the system, as hidden correlations between the features are not replicated well. To address this, we propose two novel attacks that manipulate a subset of the sensor readings, leveraging learned physical constraints of the system. Our attacks feature two different attacker models: a whitebox attacker, which uses an optimization approach with a detection oracle, and a blackbox attacker, which uses an autoencoder to translate anomalous data into normal data. We evaluate our implementation on two different datasets from the water distribution domain, showing that the detector's Recall drops from 0.68 to 0.12 by manipulating 4 sensors out of 82 in the WADI dataset. In addition, we show that our blackbox attacks are transferable to different detectors: they work against autoencoder-, LSTM-, and CNN-based detectors. Finally, we implement and demonstrate our attacks on a real industrial testbed to show their feasibility in real time.

Preferred Citation

Alessandro Erba, Riccardo Taormina, Stefano Galelli, Marcello Pogliani, Michele Carminati, Stefano Zanero and Nils Tippenhauer. Constrained Concealment Attacks against Reconstruction-based Anomaly Detectors in Industrial Control Systems. In: Annual Computer Security Applications Conference (ACSAC). 2020.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

Annual Computer Security Applications Conference (ACSAC)

Legacy Posted Date

2020-09-25

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3226,
  title = "Constrained Concealment Attacks against Reconstruction-based Anomaly Detectors in Industrial Control Systems",
  author = "Erba, Alessandro and Taormina, Riccardo and Galelli, Stefano and Pogliani, Marcello and Carminati, Michele and Zanero, Stefano and Tippenhauer, Nils Ole",
  booktitle = "{Annual Computer Security Applications Conference (ACSAC)}",
  year = "2020",
}
