Abstract
In this position paper, we tackle the following question: why are anomaly-based intrusion detection systems (IDS), despite providing excellent results and holding a higher (potential) capability to detect unknown (zero-day) attacks, still marginal in industry when compared to, e.g., signature-based IDS? We try to answer this question by looking at the methods and criteria used to compare IDS, as well as at a specific problem of anomaly-based IDS. We propose three new criteria for comparing IDS. Finally, we focus our discussion on the specific domain of IDS for critical industrial control systems (ICS).
Notes
1. For instance, https://www.stratosphereips.org/zeek-anomaly-detector.
© 2022 Springer Nature Switzerland AG
Cite this paper
Seng, S., Garcia-Alfaro, J., Laarouchi, Y. (2022). Why Anomaly-Based Intrusion Detection Systems Have Not Yet Conquered the Industrial Market?. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291. Springer, Cham. https://doi.org/10.1007/978-3-031-08147-7_23
DOI: https://doi.org/10.1007/978-3-031-08147-7_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08146-0
Online ISBN: 978-3-031-08147-7
eBook Packages: Computer Science (R0)