Skip to main content
SpringerLink
Log in

Why Anomaly-Based Intrusion Detection Systems Have Not Yet Conquered the Industrial Market?

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2021)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13291))

Included in the following conference series:

Abstract

In this position paper, we tackle the following question: why anomaly-based intrusion detection systems (IDS), despite providing excellent results and holding higher (potential) capabilities to detect unknown (zero-day) attacks, are still marginal in the industry, when compared to, e.g., signature-based IDS? We will try to answer this question by looking at the methods and criteria for comparing IDS as well as a specific problem with anomaly-based IDS. We will propose 3 new criteria for comparing IDS. Finally, we focus our discussion under the specific domain of IDS for critical Industrial control systems (ICS).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 49.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 64.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    For instance, https://www.stratosphereips.org/zeek-anomaly-detector.

References

  1. Denning, D.: An intrusion detection model. In: Proceedings of the Seventh IEEE Symposium on Security and Privacy, pp. 119–131 (1986)

    Google Scholar 

  2. Tavallaee, M., Stakhanova, N., Ghorbani, A.A.: Toward credible evaluation of anomaly-based intrusion-detection methods. Toward Credible Evaluation of Anomaly-Based Intrusion-Detection Methods, vol. 40, issue 5, pp. 516–524. Institute of Electrical and Electronics Engineers, NY Publisher, New-York (2010)

    Google Scholar 

  3. Conti, M., Donadel, D., Turrin, F.: A Survey on Industrial Control System Testbeds and Datasets for Security Research (2021). arXiv: 2102.05631

  4. Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: Network anomaly detection: methods, systems and tools. IEEE Commun. Surv. Tutor. 16(1), 303–336 (2014). (Conference Name: IEEE Communications Surveys Tutorials)

    Google Scholar 

  5. Snort official web site. Snort - Network Intrusion Detection & Prevention System (2021). https://www.snort.org/

  6. Zeek official web site. The Zeek Network Security Monitor (2021). https://zeek.org/

  7. Suricata official web site. Suricata (2021). https://suricata-ids.org/

  8. ClamavNet official web site. ClamavNet (2021). https://www.clamav.net/

  9. Hurley, J., Munoz, A., Sezer, S.: ITACA: flexible, scalable network analysis. In: 2012 IEEE International Conference on Communications (ICC), pp. 1069–1073 (2012). ISSN: 1938–1883

    Google Scholar 

  10. Pan, S., Morris, T., Adhikari, U.: A specification-based intrusion detection framework for cyber-physical environment in electric power system. Int. J. Network Secur. 17, 174–188, 105124 (2015)

    Google Scholar 

  11. Bostani, H., Sheikhan, M.: Hybrid of anomaly-based and specification-based IDS for Internet of Things using unsupervised OPF based on MapReduce approach. Comput. Commun. 98, 52–71, 105124 (2017)

    Google Scholar 

  12. Korba, A.A., Nafaa, M., Ghanemi, S.: Hybrid intrusion detection framework for Ad hoc networks. Int. J. Inf. Secur. Privacy 10(4), 1–32 (2016)

    Google Scholar 

  13. Lavin, A., Ahmad, S.: Evaluating real-time anomaly detection algorithms - the numenta anomaly benchmark. In: 2015 IEEE 14th International Conference on Machine Learning and Applications (ICMLA), pp. 38–44 (2015)

    Google Scholar 

  14. Hu, J.: Host-based anomaly intrusion detection. In: Stavroulakis, P., Stamp, M., (eds.) Handbook of Information and Communication Security, pp. 235–255. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-04117-4_13

  15. Orans, L., D’Hoinne, J., Chessman, J.: Gartner - Market Guide for Network Detection and Response (2020). https://www.gartner.com/doc/reprints?id=1-1Z8C9OAX&ct=200612&st=sb

  16. Garner-Hype. 2 Megatrends Dominate the Gartner Hype Cycle for Artificial Intelligence (2020)

    Google Scholar 

  17. wikipedia. Comparison of antivirus software (2021). https://en.wikipedia.org/w/index.php?title=Comparison_of_antivirus_software&oldid=1003484641. (Page Version ID: 1003484641)

  18. Wainer, J., Barsottini, C.G.N., Lacerda, D., de Marco, L.R.M.: Empirical evaluation in computer science research published by ACM. Inf. Software Technol. 51(6), 1081–1085 (2009)

    Google Scholar 

  19. Osorio, A., Dias, M., Cavalheiro, G.G.H.: Tangible assets to improve research quality: a meta analysis case study. In: Bianchini, C., Osthoff, C., Souza, P., Ferreira, R. (eds.) WSCAD 2018. CCIS, vol. 1171, pp. 117–132. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41050-6_8

  20. Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.A.: A detailed analysis of the KDD CUP 99 data set. In: 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, pp. 1–6 (2009). ISSN: 2329–6275

    Google Scholar 

  21. Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput. Secur. 31(3), 357–374 (2012)

    Article  Google Scholar 

  22. Aldweesh, A., Derhab, A., Emam, A.Z.: Deep learning approaches for anomaly-based intrusion detection systems: a survey, taxonomy, and open issues. Knowl.-Based Syst. 189, 105124 (2020)

    Article  Google Scholar 

  23. Darpa. KDD Cup 1999 Data (1999)

    Google Scholar 

  24. Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy, pp. 108–116. SCITEPRESS - Science and Technology Publications, Funchal, Madeira, Portugal (2018)

    Google Scholar 

  25. Singapore University of Technology and Design. Secure Water Treatment (2015). https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/

  26. Brown, C.D., Davis, H.T.: Receiver operating characteristics curves and related decision measures: a tutorial. Chemomet. Intell. Lab. Syst. 80(1), 24–38, 105124 (2006)

    Google Scholar 

  27. Szczepański, M., Choraś, M., Pawlicki, M., Kozik, R.: Achieving explainability of intrusion detection system by hybrid oracle-explainer approach. In: 2020 International Joint Conference on Neural Networks (IJCNN), pp. 1–8 (2020). ISSN: 2161–4407

    Google Scholar 

  28. Debar, H., Dacier, M., Wespi, A.: A revised taxonomy for intrusion-detection systems. Ann. Des Télécommun. 55(7), 361–378, 105124 (2000)

    Google Scholar 

  29. Ghorbani, A.A., Lu, W., Tavallaee, M.: Evaluation criteria. In: Ghorbani, A.A., Wei, L., Tavallaee, M. (eds.) Network Intrusion Detection and Prevention. ADIS, vol. 47, pp. 161–183. Springer, US, Boston, MA (2010). https://doi.org/10.1007/978-0-387-88771-5_7

  30. Duval, A.: Explainable Artificial Intelligence (XAI). MA4K9 Scholarly Report, Mathematics Institute, The University of Warwick (2019)

    Google Scholar 

  31. Gunning, D.: Explainable Artificial Intelligence (XAI). Machine learning, p. 18 (2016)

    Google Scholar 

  32. Carvalho, D.V., Pereira, E.M., Cardoso, J.S.: Machine learning interpretability: a survey on methods and metrics. Electronics 8(8), 832 (2019). Number: 8 Publisher: Multidisciplinary Digital Publishing Institute

    Google Scholar 

  33. Ribeiro, M.T., Singh, S., Guestrin, C.: Why should i trust you?: explaining the predictions of any classifier. In: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD 2016, pp. 1135–1144. Association for Computing Machinery, New York, NY, USA (2016)

    Google Scholar 

  34. Cheng, H., et al.: Multimedia Event Detection and Recounting, p. 12 (2014)

    Google Scholar 

  35. Mitchell, R., Chen, I.-R.: A survey of intrusion detection techniques for cyber-physical systems. ACM Comput. Surv. 46(4), 55:1–55:29 (2014)

    Google Scholar 

  36. Cheung, S., Dutertre, B., Fong, M., Lindqvist, U., Skinner, K., Valdes, A.: Using Model-based Intrusion Detection for SCADA Networks (2006)

    Google Scholar 

  37. Yu, C., et al.: The implementation of IEC60870-5-104 based on UML statechart and QT state machine framework. In: 2015 IEEE 5th International Conference on Electronics Information and Emergency Communication, pp. 392–397 (2015)

    Google Scholar 

  38. Wickramasinghe, C.S., Marino, D.L., Amarasinghe, K., Manic, M.: Generalization of deep learning for cyber-physical system security: a survey. In: IECON 2018–44th Annual Conference of the IEEE Industrial Electronics Society, pp. 745–751 (2018). ISSN: 2577–1647

    Google Scholar 

  39. Beyerer, J., Maier, A., Niggemann, O.: Machine Learning for Cyber Physical Systems: Selected papers from the International Conference ML4CPS 2020. Springer (2021). Google-Books-ID: r8kQEAAAQBAJ

    Google Scholar 

  40. Fovino, I.N., Carcano, A., Masera, M., Trombetta, A.: Design and implementation of a secure modbus protocol. In: Palmer, C., Shenoi, S. (eds.) ICCIP 2009. IAICT, vol. 311, pp. 83–96. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04798-5_6

  41. Aarts, F., Kuppens, H., Tretmans, J., Vaandrager, F., Verwer, S.: Improving active Mealy machine learning for protocol conformance testing. Mach. Learn. 189–224 (2013). https://doi.org/10.1007/s10994-013-5405-0

  42. Lin, H., Slagell, A., Kalbarczyk, Z., Sauer, P.W., Iyer, R.K.: Semantic security analysis of SCADA networks to detect malicious control commands in power grids. In: Proceedings of the first ACM workshop on Smart Energy Grid Security, SEGS 2013, pp. 29–34. Association for Computing Machinery, Berlin, Germany (2013)

    Google Scholar 

  43. Hadžiosmanović, D., Sommer, R., Zambon, E., Hartel, P.H.: Through the eye of the PLC: semantic security monitoring for industrial processes. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 126–135. Association for Computing Machinery, New Orleans, Louisiana, USA (2014)

    Google Scholar 

  44. Barbosa, R.R.R.: Anomaly detection in SCADA systems: a network based approach (2014)

    Google Scholar 

  45. Caselli, M., Zambon, E., Kargl, F.: Sequence-aware Intrusion Detection in Industrial Control Systems. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security, CPSS 2015, pp. 13–24. Association for Computing Machinery, Singapore, Republic of Singapore (2015. )

    Google Scholar 

  46. Kerkers, M.: Assessing the Security of IEC 60870-5-104 Implementations using Automata Learning. Library Catalog: essay.utwente.nl Publisher: University of Twente (2017)

    Google Scholar 

  47. Udd, R., Asplund, M., Nadjm-Tehrani, S., Kazemtabrizi, M., Ekstedt, M.: Exploiting bro for intrusion detection in a SCADA System. In Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, CPSS 2016, pp. 44–51. Association for Computing Machinery, Xi'an, China (2016)

    Google Scholar 

  48. Kaouk, M., Flaus, J.-M., Potet, M.-L., Groz, R.: A review of intrusion detection systems for industrial control systems. In 2019 6th International Conference on Control, Decision and Information Technologies (CoDIT), pp. 1699–1704 (2019). ISSN: 2576–3555

    Google Scholar 

  49. Khan, I.A., et al.: Efficient behaviour specification and bidirectional gated recurrent units-based intrusion detection method for industrial control systems. Electron. Lett. 56(1), 27–30 (2019). Publisher: IET Digital Library

    Google Scholar 

  50. Olufowobi, H., Young, C., Zambreno, J., Bloom, G.: SAIDuCANT: specification-based automotive intrusion detection using controller area network (CAN) timing. IEEE Trans. Veh. Technol. 69(2), 1484–1494 (2020). (Conference Name: IEEE Transactions on Vehicular Technology)

    Google Scholar 

  51. Mitchell, R., Chen, I-R.: Behavior-rule based intrusion detection systems for safety critical smart grid applications. IEEE Trans. Smart Grid 4(3), 1254–1263 (2013). (Conference Name: IEEE Transactions on Smart Grid)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. EDF R&D, Palaiseau, France

    S. Seng & Y. Laarouchi

  2. Télécom SudParis, Institut Polytechnique de Paris, Palaiseau, France

    S. Seng & J. Garcia-Alfaro

Authors
  1. S. Seng
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. J. Garcia-Alfaro
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Y. Laarouchi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to J. Garcia-Alfaro .

Editor information

Editors and Affiliations

  1. University of Montreal, Montreal, QC, Canada

    Esma Aïmeur

  2. Télécom SudParis, Palaiseau, France

    Maryline Laurent

  3. IRT SystemX, Palaiseau, France

    Reda Yaich

  4. University of Montreal, Montreal, QC, Canada

    Benoît Dupont

  5. Télécom SudParis, Palaiseau, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Seng, S., Garcia-Alfaro, J., Laarouchi, Y. (2022). Why Anomaly-Based Intrusion Detection Systems Have Not Yet Conquered the Industrial Market?. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291. Springer, Cham. https://doi.org/10.1007/978-3-031-08147-7_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-08147-7_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-08146-0

  • Online ISBN: 978-3-031-08147-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation