In this paper, we present a study that proposes a three-stage classifier
model which employs a machine learning algorithm to develop an intrusion
detection and identification system for tens of different types of attacks
against industrial SCADA networks. The machine learning classifier is trained
and tested on the data generated using the laboratory prototype of a gas
pipeline SCADA network. The dataset consists of three attack groups and seven
different attack classes or categories. The same dataset further provides
signatures of 35 different types of sub-attacks which are related to those
seven attack classes. The study entailed the design of a three-stage machine
learning classifier as a misuse intrusion detection system that detects and
specifically identifies each of the 35 attack subclasses. The first stage of the
classifier decides if a record is associated with normal operation or an attack
signature. If the record is found to belong to an attack signature, then in the
second stage, it is classified into one of seven attack classes. Based on the
identified attack class as determined by the output from the second stage
classifier, the attack record is provided for a third stage sub-attack
classification, where seven different classifiers are employed. The output from
the third stage classifier identifies the sub-attack type to which the record
belongs. Simulation results indicate that, for problems with tens of classes,
designs that specialize classifiers to sub-domains or split the classification
into multiple stages are more promising than single-stage designs. Comparison
with studies in the literature also indicated that the multi-stage classifier
performed markedly better.
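As an added illustration that is not part of the paper, the three-stage routing described above implemented in Python on a constructed toy dataset: the nearest-centroid classifier, the 2-D feature vectors and the class/sub-attack labels are placeholders, since the abstract specifies neither the learning algorithm nor the feature set of the gas-pipeline data.

```python
from collections import defaultdict
from math import dist

# Constructed toy records (hypothetical 2-D feature vectors, not the gas-pipeline
# dataset): label = ("normal", None, None) or ("attack", attack_class, sub_attack).
# Three attack classes with two sub-attacks each stand in for the paper's 7 / 35.
RECORDS = [
    ((0.0, 0.0), ("normal", None, None)), ((0.2, -0.1), ("normal", None, None)),
    ((6.0, 0.0), ("attack", "class_1", "sub_1a")), ((6.0, 1.0), ("attack", "class_1", "sub_1b")),
    ((6.0, 6.0), ("attack", "class_2", "sub_2a")), ((7.0, 6.0), ("attack", "class_2", "sub_2b")),
    ((6.0, -6.0), ("attack", "class_3", "sub_3a")), ((6.0, -7.0), ("attack", "class_3", "sub_3b")),
]

class NearestCentroid:
    """Minimal stand-in classifier: predict the label whose class centroid is closest."""
    def fit(self, xs, ys):
        sums, counts = defaultdict(lambda: [0.0] * len(xs[0])), defaultdict(int)
        for x, y in zip(xs, ys):
            counts[y] += 1
            for i, v in enumerate(x):
                sums[y][i] += v
        self.centroids = {y: tuple(s / counts[y] for s in sums[y]) for y in sums}
        return self
    def predict(self, x):
        return min(self.centroids, key=lambda y: dist(x, self.centroids[y]))

class ThreeStageIDS:
    """Stage 1: normal vs attack. Stage 2: attack class. Stage 3: one sub-attack
    classifier per attack class, selected by the stage-2 output."""
    def fit(self, records):
        self.stage1 = NearestCentroid().fit([x for x, _ in records], [lab[0] for _, lab in records])
        attacks = [(x, lab) for x, lab in records if lab[0] == "attack"]
        self.stage2 = NearestCentroid().fit([x for x, _ in attacks], [lab[1] for _, lab in attacks])
        self.stage3 = {}  # trained only on the records of its own attack class
        for cls in {lab[1] for _, lab in attacks}:
            sub = [(x, lab) for x, lab in attacks if lab[1] == cls]
            self.stage3[cls] = NearestCentroid().fit([x for x, _ in sub], [lab[2] for _, lab in sub])
        return self
    def predict(self, x):
        if self.stage1.predict(x) == "normal":
            return ("normal", None, None)
        cls = self.stage2.predict(x)  # route the record to the class-specific stage-3 model
        return ("attack", cls, self.stage3[cls].predict(x))

def exact_match_accuracy(model, records):
    """Fraction of records whose full (stage, class, sub-attack) label is recovered."""
    return sum(model.predict(x) == lab for x, lab in records) / len(records)

if __name__ == "__main__":
    ids = ThreeStageIDS().fit(RECORDS)
    print(exact_match_accuracy(ids, RECORDS), ids.predict((6.2, 0.9)), ids.predict((0.3, 0.3)))
```

A stage-2 misclassification sends the record to the wrong stage-3 model, so the sub-attack label can never be right in that case; this dependency is why the per-stage accuracies, not only the final one, matter when evaluating such a cascade.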