Evasion attack against Multivariate Singular Spectrum Analysis based IDS

Abstract

Machine learning-based intrusion detection systems (IDS) are being developed to detect industrial control systems (ICS) attacks. Such IDSs monitor sensor measurements to detect abnormal structural changes in the behavior of physical dynamics of the ICS. State-of-the-art IDS are based on the multivariate singular spectrum analysis (MSSA) technique that detects structural changes in the timeseries of sensor measurements. However, adversaries can exploit MSSA. We focus on the attackers that aim to compromise the most critical component of ICS and remain undetected by IDS. As critical components of ICS are the most secure, it is difficult for the attacker to manipulate the critical sensor measurements by executing a replay attack and hiding his attack from IDS. In this paper, we propose an evasion attack technique against MSSA-based IDS. In an evasion attack, an attacker manipulates a few sensor measurements that are easily manipulable instead of manipulating sensors in the critical components as a replay attacker does. To perform such a task, we develop a crafting method that crafts successive measurements which reduce the departure score of the MSSA. Further, we consider both accessibility and manipulation constraints for a realistic evaluation. We use the TE-process simulator to generate two attack scenarios for validating the evasion attack technique: stealthy attack (SA) and direct damage attack (DDA). Our experimental results show that manipulating measurements of only 13 and 20 sensors are enough to conceal SA and DDA, respectively.