Machine Learning-Driven Intrusion Detection and Identification in Industrial Control Systems
Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. Research Institutes of Sweden, Sweden. ORCID iD: 0000-0001-5332-1033
Linköping University, Sweden.
Stockholm University, Sweden.
Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. Research Institutes of Sweden, Sweden.
2025 (English). In: Proceedings - 33rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, PDP 2025, Institute of Electrical and Electronics Engineers (IEEE), 2025, p. 552-559. Conference paper, Published paper (Refereed)
Abstract [en]

Using machine learning to detect and identify cyberattacks in Industrial Control Systems (ICS) offers a promising solution for uncovering zero-day attacks that traditional rule-based models cannot detect. However, applying ML-based intrusion detection in ICS environments presents challenges, including limited availability of attack data and difficulty in accurately identifying attack types. This paper addresses these challenges by proposing two key strategies. First, we demonstrate that the predictable traffic patterns of ICS networks enable the use of semi-supervised learning models for attack detection. We validate this approach using a benchmark dataset, showing that semi-supervised models achieve comparable performance to fully supervised models while relying solely on training with normal network data. Second, we propose a sequence-based approach for attack identification, using temporal data to improve the accuracy of identifying specific attack types. Our experiments reveal that incorporating historical network parameters improves attack identification. Our research underscores the potential of semi-supervised learning for effective attack detection and highlights the importance of incorporating network temporal properties to improve attack identification.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2025. p. 552-559
Series
Parallel, Distributed and Network-Based Processing (PDP), ISSN 2377-5750
Keywords [en]
Industrial Control Systems, Intrusion Detection Systems, Machine Learning, Semi-supervised and Unsupervised Learning, Sequence-based Anomaly Detection
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:mdh:diva-71457
DOI: 10.1109/PDP66500.2025.00084
Scopus ID: 2-s2.0-105005025392
ISBN: 9798331524937 (print)
OAI: oai:DiVA.org:mdh-71457
DiVA, id: diva2:1960754
Conference
33rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, PDP 2025, Turin, 12 March 2025 through 14 March 2025
Available from: 2025-05-23. Created: 2025-05-23. Last updated: 2026-02-16. Bibliographically approved
In thesis
1. Machine Learning-Based Network Intrusion Detection for Industrial Control
2025 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The growing connectivity of Industrial Control Systems (ICS) has increased their exposure to cyber threats, posing serious risks to both critical infrastructure (e.g., power plants, water systems) and industrial operations. Although Machine Learning (ML)-based Intrusion Detection Systems (IDS) show potential to detect complex and novel attacks, their practical application in ICS environments remains challenging. This thesis investigates the feasibility, design considerations, and barriers to applying ML-based IDS in ICSs. Key challenges include limited labeled data, high sensitivity to false alarms, distributed architectures, and constrained hardware. Through empirical evaluations and prototype implementations, we show how tailored ML and system design strategies can address these issues.

Our first goal is to enable experimentation with cybersecurity and intrusion detection in industrial systems. The thesis introduces ICSSIM, a novel framework for creating flexible, scalable, and cost-effective ICS testbeds. It also presents ICSFlowGenerator, a tool for analyzing network traffic and computing customized network flow parameters. Using this tool, the thesis presents ICS-Flow, a new dataset developed to train and evaluate anomaly detection models, which serves as a realistic benchmark for assessing ML-based intrusion detection in ICS networks.

In addition, the thesis tackles several technical deployment barriers. To support distributed ICS architectures and minimize the reliance on central servers, federated learning is explored as a decentralized training strategy. It also investigates semi-supervised learning techniques for detecting anomalies using only normal traffic. To reduce the burden of false alarms, we integrate a decision support system with the IDS to filter alerts and suggest mitigation actions. Furthermore, the thesis emphasizes the importance of temporal traffic patterns in identifying attack types and evaluates the efficiency and resource demands of various ML models on ICS-representative hardware. Collectively, these contributions advance the practical application of ML-based intrusion detection in ICSs.

Abstract [sv]

Digitalization and the increasing connectivity of Industrial Control Systems (ICS) have led to greater exposure to cyber threats and pose serious risks to both critical infrastructure (e.g., power plants, water systems) and industrial operations. Although intrusion detection systems (IDS) based on machine learning (ML) have the potential to detect complex and novel attacks, their practical application in ICS environments remains challenging. This thesis analyses the feasibility, design considerations and obstacles to applying ML-based IDS in ICS. Central challenges include a limited amount of annotated data, high sensitivity to false alarms, distributed architectures and hardware constraints. Through empirical evaluations and prototype implementations, we show how tailored ML and system design strategies can address these problems.

The first goal is to enable cybersecurity experiments and intrusion detection in industrial systems. The thesis introduces ICSSIM, a new framework for creating flexible, scalable and cost-effective ICS testbeds. We have also developed ICSFlowGenerator, a tool for analysing network traffic and computing customised network flow parameters. Using this tool, we have created ICS-Flow, a new dataset for training and evaluating anomaly detection models. ICS-Flow serves as a realistic benchmark for assessing ML-based intrusion detection in ICS networks.

Supported by ICS-Flow, the thesis addresses several technical obstacles to deployment. To support distributed ICS architectures and minimise dependence on central servers, a decentralised training strategy is explored. We also investigate semi-supervised learning techniques for detecting anomalies using only normal traffic. To reduce the risk of false alarms, we integrate a decision support system with the IDS to filter alarms and suggest countermeasures. Furthermore, the thesis emphasises the importance of time-dependent traffic patterns for identifying attack types and evaluates the efficiency and resource requirements of various ML models on ICS-representative hardware. Taken together, these contributions advance the practical application of ML-based intrusion detection for ICS.

Place, publisher, year, edition, pages
Västerås: Mälardalens universitet, 2025. p. 286
Series
Mälardalen University Press Dissertations, ISSN 1651-4238 ; 440
National Category
Computer Systems; Control Engineering; Embedded Systems; Communication Systems
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:mdh:diva-73132
ISBN: 978-91-7485-718-4
Public defence
2025-10-23, Delta och digitalt, Mälardalens universitet, Västerås, 13:30 (English)
Available from: 2025-08-28. Created: 2025-08-28. Last updated: 2025-10-10. Bibliographically approved

Open Access in DiVA

No full text in DiVA

Authority records

Dehlaghi Ghadim, Alireza; Ericsson, Niclas; Balador, Ali; Hansson, Hans