This file was created by the TYPO3 extension bib --- Timezone: CEST Creation date: 2024-05-08 Creation time: 18-22-05 --- Number of references 2 inproceedings 2022_kus_ensemble 2022 12 8 RWTH-2022-10809 Industrial intrusion detection promises to protect networked industrial control systems by monitoring them and raising an alarm in case of suspicious behavior. Many monolithic intrusion detection systems are proposed in literature. These detectors are often specialized and, thus, work particularly well on certain types of attacks or monitor different parts of the system, e.g., the network or the physical process. Combining multiple such systems promises to leverage their joint strengths, allowing the detection of a wider range of attacks due to their diverse specializations and reducing false positives. We study this concept's feasibility with initial results of various methods to combine detectors. rfc https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-ensemble-poster.pdf RWTH Aachen University 38th Annual Computer Security Applications Conference (ACSAC '22), December 5-9, 2022, Austin, TX, USA RWTH Aachen University Austin, TX, USA 38th Annual Computer Security Applications Conference (ACSAC '22) December 5-9, 2022 10.18154/RWTH-2022-10809 1 DominikKus KonradWolsing JanPennekamp EricWagner MartinHenze KlausWehrle inproceedings 2022_kus_iids_generalizability 2022 5 30 73-84 Anomaly-based intrusion detection promises to detect novel or unknown attacks on industrial control systems by modeling expected system behavior and raising corresponding alarms for any deviations. As manually creating these behavioral models is tedious and error-prone, research focuses on machine learning to train them automatically, achieving detection rates upwards of 99 %. However, these approaches are typically trained not only on benign traffic but also on attacks and then evaluated against the same type of attack used for training. Hence, their actual, real-world performance on unknown (not trained on) attacks remains unclear. In turn, the reported near-perfect detection rates of machine learning-based intrusion detection might create a false sense of security. To assess this situation and clarify the real potential of machine learning-based industrial intrusion detection, we develop an evaluation methodology and examine multiple approaches from literature for their performance on unknown attacks (excluded from training). Our results highlight an ineffectiveness in detecting unknown attacks, with detection rates dropping to between 3.2 % and 14.7 % for some types of attacks. Moving forward, we derive recommendations for further research on machine learning-based approaches to ensure clarity on their ability to detect unknown attacks. anomaly detection; machine learning; industrial control system internet-of-production, rfc https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-kus-iids-generalizability.pdf ACM Proceedings of the 8th ACM Cyber-Physical System Security Workshop (CPSS '22), co-located with the 17th ACM ASIA Conference on Computer and Communications Security (ASIACCS '22), May 30-June 3, 2022, Nagasaki, Japan 978-1-4503-9176-4/22/05 10.1145/3494107.3522773 1 DominikKus EricWagner JanPennekamp KonradWolsing Ina BereniceFink MarkusDahlmanns KlausWehrle MartinHenze