Ines Ortega-Fernandez

Ines Ortega-Fernandez

PhD | Technical Manager of Data Analytics & AI - Security and Privacy Department (GRADIANT)

Machine Learning Approaches and Explainability for Real-Time Cyberattack Detection

Published:

Recommended citation: I. Ortega-Fernandez (2024). Machine Learning Approaches and Explainability for Real-Time Cyberattack Detection. Doctoral thesis, University of Vigo.

Details

  • Thesis Title: Machine Learning Approaches and Explainability for Real-Time Cyberattack Detection
  • Supervisors: Marta Sestelo and Juan C. Burguillo
  • International and Industrial mention

Abstract

The emergence of Industry 4.0, also known as connected industry, has blurred the boundary between IT (Information Technology) and OT (Operational Technology) domains. This integration has led to increased exposure of industrial environments to cyberattacks, data privacy risks, and software system vulnerabilities, significantly expanding the number of potential entry points for cyberattackers. Each connected device, be it a sensor, actuator, or control system, can become a vulnerability if not appropriately secured or monitored. Besides, the complexity and diversity of the systems in Industry 4.0 environments make it difficult to detect and respond to security incidents. Traditional security solutions may not be effective against sophisticated attacks designed to exploit industrial systems; in particular, Denial-of-service (DoS) attacks pose one of the most significant threats to Industrial Control Systems (ICS), as they can impact both the communication network and the cyber-physical layer.

A common approach to securing information networks is Intrusion Detection Systems (IDS). Anomaly-based IDS have gained popularity in recent years due to their ability to detect and mitigate unknown or zero-day attacks, whereas signature-based IDS can only respond to known attacks. Industrial systems operate under vastly different conditions compared to traditional networks, with much stricter requirements for real-time performance and availability. However, they usually exhibit a stable pattern of behaviour that can be leveraged by machine learning algorithms for the detection of advanced cyberattacks.

This thesis, which is presented as a compendium of articles, has as its primary goal the research and development of novel machine learning methods for detecting advanced cyberattacks and intrusions in industrial networks, with a focus on their unique conditions and characteristics. The research begins by examining various types of Denial of Service (DoS) attacks and their effects on smart grids, a type of industrial control system where IT integration with the electrical distribution network enhances power distribution and management. Through this investigation, the impact of advanced DoS attacks in the industry was assessed, setting them as a promising research path given the ease of implementation of the attack, their applicability to different industrial settings, and the high impact on the behaviour of legitimate devices.

Subsequently, an advanced Intrusion Detection System (IDS) was designed, evaluated and validated, enabling near real-time processing and analysis of industrial network traffic. This IDS has three principal features: its capability for near real-time, passive network traffic collection that does not interfere with industrial devices’ operations; the employment of unsupervised neural network techniques for anomaly detection, outperforming other state-of-the-art methods; and the validation of our approach in a real industrial setting within the Galician food industry. This validation assessed the IDS’s false positive rate and the practicality of the proposed IDS architecture in a near real-time context.

Furthermore, this thesis introduces a novel approach to provide complete explainability of the decision-making processes of deep neural networks, enabling the determination of how each variable influences the detection of cyber attacks. This approach utilises a neural network architecture based on Generalized Additive Models, resulting in a deep learning model that is both highly accurate and interpretable, surpassing other GAM-based neural network implementations in terms of interpretability while having a similar accuracy. This method has been released as an open-source package for the software environment for statistical computing R to promote reproducible research and facilitate continuous development and improvement of the developed methodology.