Security analysis and performance evaluation of a combined CNN-LSTM with self-similarity and hurst parameter for ICS traffic

Abstract

As the integration of IoT devices with SCADA systems increases, concerns about cyber security have become significant. This thesis addresses the challenge of data imbalance in developing an effective intrusion detection system (IDS) for SCADA systems. To tackle this issue, we employ the DeepInsight package in Python to convert traffic data into grayscale images. Four publicly available SCADA datasets are analyzed using exploratory data analysis (EDA) and principal component analysis (PCA). Our research evaluates two detectors: the first utilizes the Hurst parameter to differentiate between normal and attack image data, while the second employs a state-of-the-art CNN-LSTM algorithm—the Hurst Detector leverages self-similarity to identify abnormal network traffic data in conjunction with the CNN-LSTM model. For feature extraction, we propose a CNN and PCA approach applied to the converted grayscale images of the Morris Power dataset. The model includes input, hidden, and output layers with activation functions, while the RNN LSTM modifies the LSTM, dense, and output layers by incorporating appropriate activation functions. Additional layers for Batch Normalization (BN) and dropout enhance the model's performance. The performance of the detectors is evaluated using standard metrics, including accuracy, precision, recall, and F1-score. Results indicate that the combination of self-similarity Hurst index and Deep Learning (DL) achieves a detection accuracy of 98.2% for attacks, while the combined detectors utilizing CNN-LSTM achieve an accuracy of 99.92%. These findings provide valuable insights for security researchers and practitioners seeking to enhance cyber security in SCADA systems. Through an enhanced approach, this DL model has the potential to strengthen SCADA system security and effectively mitigate cyber attacks.