Detect Insider Attacks in Industrial Cyber-physical Systems Using Multi-physical Features-based Fingerprinting

Abstract

ICPS software and hardware suffer from low update frequency, making it easier for insiders to bypass external defenses and launch concealed destructive attacks. To address these concerns, we design a device fingerprinting method based on multi-physical features, augmenting current intrusion detection techniques in the ICPS environment. In this article, we use the sorting system as an example, demonstrating that the proposed device fingerprinting technology has generality in the intrusion detection of ICPS control flow. Specifically, we first formalize the physical model of the sorting system to analyze the critical device features. Then, we extract these physical features from the sensor data collected in a physical testbed. Utilizing featurized data, we train a classifier that generates fingerprints in real-time in the production environment. Moreover, we develop a differential detection model based on device fingerprints to discover stealthy insider attacks efficiently. We evaluate the proposed method in a real-world testbed. Experiment results show that the detecting performance of classifiers approaches 100% when the the number of component types is small.