A Process-Informed Approach to Network Intrusion Detection for Industrial Control System

Pordelkhaki, Moojan (2025) A Process-Informed Approach to Network Intrusion Detection for Industrial Control System. Doctoral thesis, Birmingham City University.


Abstract

The highly connected nature of Industrial Control Systems (ICS) has significantly increased their exposure to cybersecurity threats. Waterfall's 2023 report recorded 218 ICS security incidents, 25% of which resulted in tangible consequences, including operational disruptions and equipment damage. This data underscores the need for robust ICS security measures. Because ICS manage essential services, a compromise can cause severe disruption to public health and safety and to economic stability. Network Intrusion Detection Systems (NIDS) are crucial for securing ICS, providing early threat detection, enhanced network visibility, and valuable support during incident response. Machine Learning (ML) significantly enhances NIDS capabilities by analysing large volumes of data to model normal network behaviour and identify attack patterns. This enables ML-powered NIDS to adapt to evolving threats and identify anomalies with greater accuracy than traditional rule-based systems, while reducing the rate of false positives.

This thesis investigates the potential of integrating both network traffic data and physical process data in the training of ML-based network intrusion detection models. It is hypothesised that this combined approach will yield better detection performance than models trained solely on network traffic data. To enable the network intrusion detection model to operate on network traffic alone at runtime, the Learning Using Privileged Information (LUPI) paradigm is adapted as a key element of the proposed Process Informed Network Intrusion Detection for Industrial Control Systems (PINIDS) framework. The initial phase is supervised training of a network intrusion detection model using both network traffic and process data, where the process data acts as privileged information available only during training. The trained model can then be deployed to detect potential intrusions by analysing network data alone at runtime.

The effectiveness of the PINIDS framework for intrusion detection is evaluated using the SWaT dataset, focusing on brute force and unauthorised command message attacks. Various machine learning techniques adapted to the LUPI paradigm are investigated, including Knowledge Transfer (SVM+), Margin Transfer, Transfer Learning, and Distillation. The findings demonstrate a better balance between precision and recall, leading to improved detection accuracy and fewer false positives and false negatives. Notably, SVM+ achieved a 21.47% improvement in F1-score and a 49.19% improvement in precision compared to classical ML models, with consistent performance across experimental runs. Margin Transfer yielded a modest average improvement in F1-score and precision of 3.3%, but lacked robustness. Distillation proved highly effective, particularly for the DNN model, with a 12.23% F1-score improvement and a substantial gain in precision. Both distilled Deep Neural Network (DNN) and Convolutional Neural Network (CNN) models demonstrated robust performance. Although the pre-trained and baseline CNN models performed comparably, the pre-trained model exhibited a 7.058% F1-score improvement, reduced detection time, and greater stability. These results highlight the potential of transfer learning techniques for enhancing intrusion detection systems.
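The two-phase LUPI training described above (a teacher that sees both network and process data, and a student that runs on network features alone), shown here in the distillation variant named in the evaluation. This is an added illustration written for this page, not the thesis's PINIDS implementation: the feature names, the constructed synthetic data, the temperature and the imitation weight are all assumptions, and the models are minimal pure-Python logistic regressions so the block runs without any dependencies.

```python
"""
Toy LUPI-by-distillation for an ICS NIDS (added example, not the thesis code).

Teacher: logistic regression on network features + privileged process feature.
Student: logistic regression on network features only, fitted to a blend of the
         ground-truth label and the teacher's softened posterior.
Runtime: only the student is used, so only network traffic is needed.
"""
import math
import random

random.seed(7)  # fixed seed so the constructed data is reproducible


def make_dataset(n=200):
    """Constructed data (assumption, not SWaT). Network features: write-command
    rate and inter-arrival jitter. Privileged process feature: tank-level
    deviation from the setpoint, which separates attacks far more cleanly
    than the network view does."""
    net, proc, labels = [], [], []
    for i in range(n):
        y = i % 2  # balanced classes
        cmd_rate = random.gauss(0.8 if y else 0.3, 0.3)
        jitter = random.gauss(0.7 if y else 0.2, 0.3)
        level_dev = random.gauss(1.0 if y else 0.0, 0.1)
        net.append([cmd_rate, jitter])
        proc.append([level_dev])
        labels.append(y)
    return net, proc, labels


def sigmoid(z):
    z = max(-60.0, min(60.0, z))  # clamp to keep exp() finite
    return 1.0 / (1.0 + math.exp(-z))


class LogReg:
    """Logistic regression trained by full-batch gradient descent. Targets may
    be hard labels (0/1) or soft probabilities produced by a teacher."""

    def __init__(self, n_features):
        self.w = [0.0] * n_features
        self.b = 0.0

    def logit(self, x):
        return sum(wi * xi for wi, xi in zip(self.w, x)) + self.b

    def prob(self, x, temperature=1.0):
        # temperature > 1 flattens the posterior (used for soft labels)
        return sigmoid(self.logit(x) / temperature)

    def fit(self, X, targets, lr=0.5, steps=600, temperature=1.0):
        n = len(X)
        for _ in range(steps):
            gw = [0.0] * len(self.w)
            gb = 0.0
            for x, t in zip(X, targets):
                # d(cross-entropy)/d(logit) = p - t; the 1/temperature factor
                # is a constant absorbed into the learning rate
                err = self.prob(x, temperature) - t
                for j, xj in enumerate(x):
                    gw[j] += err * xj
                gb += err
            self.w = [wj - lr * gj / n for wj, gj in zip(self.w, gw)]
            self.b -= lr * gb / n
        return self


def accuracy(model, X, y):
    return sum((model.prob(x) >= 0.5) == bool(t) for x, t in zip(X, y)) / len(y)


def train_pinids(net, proc, y, temperature=2.0, imitation=0.7):
    """Training phase: teacher on [net + proc], student on net only.
    Returns (teacher, distilled student, hard-label baseline student)."""
    full = [a + b for a, b in zip(net, proc)]
    teacher = LogReg(3).fit(full, y)
    # soft labels: teacher posterior flattened by the temperature
    soft = [teacher.prob(x, temperature) for x in full]
    # generalized-distillation target: blend of truth and teacher belief
    target = [(1 - imitation) * t + imitation * s for t, s in zip(y, soft)]
    student = LogReg(2).fit(net, target, temperature=temperature)
    baseline = LogReg(2).fit(net, y)
    return teacher, student, baseline


def detect(student, net_window):
    """Runtime phase: only network features of the traffic window are used."""
    return student.prob(net_window) >= 0.5


if __name__ == "__main__":
    net, proc, y = make_dataset()
    teacher, student, baseline = train_pinids(net, proc, y)
    full = [a + b for a, b in zip(net, proc)]
    print("teacher (net+proc) train acc:", accuracy(teacher, full, y))
    print("distilled student (net)  acc:", accuracy(student, net, y))
    print("hard-label baseline (net) acc:", accuracy(baseline, net, y))
    print("alert on [1.5, 1.5]:", detect(student, [1.5, 1.5]))
```

The point of the structure is the asymmetry: `train_pinids` consumes the process feature, `detect` never does, so the deployed detector needs only a network tap. On this easy constructed data the distilled and hard-label students perform similarly; the gains the thesis reports come from real SWaT traffic, where the network view is much noisier than the process view.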

While Deep Learning algorithms such as CNNs generally outperform classical ML algorithms such as Support Vector Machines, our findings show that ML-based LUPI methods surpass Deep Neural Network-based LUPI approaches in ICS applications with limited training data. The feature-based teaching method employed by SVM+ contributes to its superior performance over the Deep Neural Network models in this study, effectively leveraging the influence of individual input variables on the decision.

Item Type: Thesis (Doctoral)
Additional Information: Cyber Physical Systems, Industrial Control Systems, Cybersecurity, Artificial Intelligence, Machine Learning, Neural Network, Learning Using Privileged Information (LUPI)
Dates: 22 October 2025 (Accepted)
Subjects: CAH11 - computing > CAH11-01 - computing > CAH11-01-01 - computer science
CAH11 - computing > CAH11-01 - computing > CAH11-01-05 - artificial intelligence
Divisions: Architecture, Built Environment, Computing and Engineering > Computer Science
Doctoral Research College > Doctoral Theses Collection
Depositing User: Louise Muldowney
Date Deposited: 27 Oct 2025 15:24
Last Modified: 27 Oct 2025 15:24
URI: https://www.open-access.bcu.ac.uk/id/eprint/16696
