LAUSR

With the integration of the modern industrial control systems (ICS) with the Internet technology, ICS can make full use of the rich resources on the Internet to facilitate remote process control. However, every coin has two sides. More exposure to the outside IT world has made ICS an attractive target for hackers, so it becomes urgent to protect the security of ICS. Skilled attackers can penetrate control networks and then manipulate sensor readings or control signals persistently until the system crashes, while still keeping themselves undetected by following the expected behavior of the system closely. This kind of attacks are referred to as stealthy attacks. As far as we know, many existing intrusion detection techniques only investigate the magnitudes of behavior residuals, so they cannot detect this kind of stealthy attacks. In this paper, we discover that residuals generated during stealthy attacks exhibit significant skewness compared to attack-free residuals. Based on the new observation, we propose an effective and fast technique to detect stealthy attacks against ICS based on residual skewness analysis. Skewness coefficients can distinguish the counterfeited residuals from the attack-free residuals effectively. A larger absolute value of the skewness coefficient generally indicates the occurrence of a more intense stealthy attack. Finally, we conduct comprehensive experiments to verify the effectiveness and efficiency of the proposed stealthy attack detection approach.