Intrusion Detection of Industrial Control System Based on Double-layer One-class Support Vector Machine

Abstract In this paper, the stealthy attack detection in industrial control system (ICS) is studied, and a new detection method is proposed from the perspective of signal analysis. The method consists of a double-layer one-class support vector machine model (DL-OCSVM), where the first-layer model is the standard OCSVM, and the second-layer model is obtained by incremental learning based on the former. The wavelet decomposition is used to extract the physical characteristics of the ICS. The KKT condition and the adjacent classification interval are adopted to reduce the training samples, improving the learning rate and system scalability. In addition, the designed boundary samples are employed for incremental learning, avoiding overfitting and reducing false positives rate (FPR). The experimental results show that the proposed method has high detection rate and low FPR for stealthy attacks, and is more suitable for precision machining process.