Hidden Markov Model-Based Attack Detection for Networked Control Systems Subject to Random Packet Dropouts
Published in | IEEE transactions on industrial electronics (1982) Vol. 68; no. 1; pp. 642 - 653 |
---|---|
Main Authors | Lu, Genghong; Feng, Dongqin; Huang, Biao |
Format | Journal Article |
Language | English |
Published | New York, IEEE, 01.01.2021; The Institute of Electrical and Electronics Engineers, Inc. (IEEE) |
ISSN | 0278-0046 1557-9948 |
DOI | 10.1109/TIE.2020.2965467 |
Abstract | The problem of attack detection for Stuxnet in the industrial control system is discussed in this article. Different operating modes (normal and hazard modes) may occur in the nominal process. In this article, we consider that the transition between different modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, the attack signals with random multitude and frequency will be injected to trigger more hazard modes, and finally, hasten fatigue of control devices. Under this unpredictable attack, the transition between operating modes will not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is utilized to describe the Stuxnet attack. The transition probabilities are estimated based on the measurements. By recognizing operating modes and predicting the number of the occurrence of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters considering random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method. |
---|---|
Author | Huang, Biao; Feng, Dongqin; Lu, Genghong |
Author_xml | 1. Lu, Genghong (ORCID 0000-0001-5149-7430; olivialu@zju.edu.cn), State Key Laboratory of Industrial Control Technology, Institute of Cyber-Systems and Control, Zhejiang University, Hangzhou, China; 2. Feng, Dongqin (dongqinfeng@zju.edu.cn), State Key Laboratory of Industrial Control Technology, Institute of Cyber-Systems and Control, Zhejiang University, Hangzhou, China; 3. Huang, Biao (ORCID 0000-0001-9082-2216; bhuang@ualberta.ca), Faculty of Chemical and Materials Engineering, University of Alberta, Edmonton, AB, Canada |
CODEN | ITIED6 |
ContentType | Journal Article |
Copyright | Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2021 |
Discipline | Engineering |
EISSN | 1557-9948 |
EndPage | 653 |
Genre | orig-research |
GrantInformation_xml | National Natural Science Foundation of China, grant 61433006 (funder ID 10.13039/501100001809) |
IsPeerReviewed | true |
IsScholarly | true |
Issue | 1 |
License | https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html https://doi.org/10.15223/policy-029 https://doi.org/10.15223/policy-037 |
ORCID | 0000-0001-9082-2216 0000-0001-5149-7430 |
PublicationDateYYYYMMDD | 2021-01-01 |
PublicationTitle | IEEE transactions on industrial electronics (1982) |
PublicationTitleAbbrev | TIE |
PublicationYear | 2021 |
Publisher | IEEE; The Institute of Electrical and Electronics Engineers, Inc. (IEEE) |
StartPage | 642 |
SubjectTerms | Algorithms; Computer worms; Control systems; Cybersecurity; Dropouts; expectation maximization (EM) algorithm; Hazards; hidden Markov model (HMM); Hidden Markov models; Industrial electronics; Markov chains; Networked control systems; Parameter estimation; Process control; Stuxnet attack; time-varying transition probabilities; Transition probabilities |
Title | Hidden Markov Model-Based Attack Detection for Networked Control Systems Subject to Random Packet Dropouts |
URI | https://ieeexplore.ieee.org/document/8962333 https://www.proquest.com/docview/2454469906 |
Volume | 68 |