Title :
A Framework for Improving the Accuracy of Unsupervised Intrusion Detection for SCADA Systems
Author :
Almalawi, Abdulmohsen ; Tari, Zahir ; Fahad, Adil ; Khalil, Issa
Author_Institution :
Sch. of Comput. Sci. & IT, RMIT Univ., Melbourne, VIC, Australia
Abstract :
Supervisory Control and Data Acquisition (SCADA) systems are a salient part of the control and monitoring of critical infrastructures such as electricity generation, distribution, water treatment and distribution, and gas and oil production. Recently, such systems have increased their connectivity by using public networks and standard protocols (e.g. TCP/IP). However, while enhancing productivity, this exposes these systems to cyber threats. This is because many widely used protocols in these systems, such as MODBUS, DNP3 and EtherNet/IP, lack authentication, and therefore command injection and data injection are potential threats. An unsupervised intrusion detection technique (with unlabelled data) is an appropriate method to address this issue because labelling the huge amount of data produced by such systems is a costly and time-consuming process. However, unsupervised learning algorithms suffer from low detection accuracy. This paper proposes a framework that can be used as an add-on component for any unsupervised approach to improve its performance. Experimental results confirm that the framework demonstrated a significant improvement in three unsupervised intrusion detection algorithms.
Keywords :
SCADA systems; critical infrastructures; security of data; unsupervised learning; DNP3; Ethernet/IP; MODBUS; SCADA systems; critical infrastructures; data injection; electricity generation; gas production; oil production; public networks; standard protocols; supervisory control and data acquisition systems; unsupervised intrusion detection technique; unsupervised learning algorithms; water treatment; Accuracy; Data models; Intrusion detection; Protocols; SCADA systems; Testing; Classifier combination; False positive rate; Intrusion Detection; SCADA; Security;
Conference_Title :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on
Conference_Location :
Melbourne, VIC
DOI :
10.1109/TrustCom.2013.40