A Lightweight Online Intrusion Detection and Localization Framework for Industrial Control Systems
Author(s):
Article Type:
Research/Original Article (accredited ranking)
Abstract:
As the Industrial Internet of Things (IIoT) faces increasing cyber threats, the need for effective and practical intrusion detection systems (IDS) becomes paramount. One of the key challenges in designing IDS is ensuring the online detection and identification (localization) of potential attacks in real time. Our research addresses this challenge by developing a lightweight online intrusion detection framework tailored explicitly for water distribution systems. Our proposed framework aims to balance real-time detection and identification against maintaining accuracy criteria. Immediate alarm triggering for every anomaly detected can lead to a high false positive rate, while waiting for attack confirmation can cause harmful delays. To overcome these limitations, we present a novel approach that achieves real-time detection while maintaining a low false positive rate (below 5%), making it highly applicable in real-world scenarios. We train and test our system using the BATADAL datasets, demonstrating its superior performance compared to other mechanisms. Additionally, we introduce a PCA-based Concealment Detection Statistical Outlier (PCACD-SO) identification approach that enables the real-time identification of compromised sensors, actuators, or connections during an attack. The results validate the effectiveness of our lightweight online intrusion detection framework, showcasing its ability to detect cyber attacks in real time while maintaining a low false positive rate. Furthermore, our proposed PCACD-SO identification approach enhances the system’s capability to identify and isolate compromised components swiftly, enabling prompt response and mitigation.
Keywords:
Language:
English
Published:
International Journal of Information Security, Volume:17 Issue: 2, Jul 2025
Pages:
233 to 241
https://www.magiran.com/p2870835
Other articles by this author(s):
- Division Property-Based Integral Attack on Reduced-Round SAND-128
  Atiyeh Mirzaie, Siavash Ahmadi *
  International Journal of Information Security, Jul 2025
- Spotting and Mitigating DDoS Attacks Using Deep Learning for Online Traffic Analysis
  Mojtaba Shirinjani, Mojtaba Amiri, Amirhosein Salehi, Pouria Arefi Jamal, Rasoul Khazaei Laki, Seyed Hatef Sadegh Esfahani, Siavash Ahmadi, Masoumeh Koochak Shooshtari *
  International Journal of Information Security, Jul 2025