Ad Utility Paper
Abstract—Attacks on critical infrastructures' Supervisory Control and Data Acquisition (SCADA) systems are beginning to increase. They are often initiated by highly skilled attackers, who are capable of deploying sophisticated attacks to exfiltrate data or even to cause physical damage. In this paper, we rehearse the rationale for protecting against cyber attacks and evaluate a set of Anomaly Detection (AD) techniques in detecting attacks by analysing traffic captured in a SCADA network. For this purpose, we have implemented a tool chain with a reference implementation of various state-of-the-art AD techniques to detect attacks, which manifest themselves as anomalies. Specifically, in order to evaluate the AD techniques, we apply our tool chain on a dataset created from a gas pipeline SCADA system in Mississippi State University's lab, which includes artefacts of both normal operations and cyber attack scenarios. Our evaluation elaborates on several performance metrics of the examined AD techniques, such as precision, recall, accuracy, F-score and G-score. The results indicate that the detection rate may change significantly when considering various attack types and different detection modes (i.e., supervised and unsupervised), and also provide indications that there is a need for a robust, and preferably real-time, AD technique to introduce resilience in critical infrastructures.

Index Terms—Communication networks, critical infrastructure protection, resilience, anomaly detection, SCADA systems

This work is sponsored by the UK-EPSRC funded TI3 project, grant agreement no. EP/L026015/1: A Situation-aware Information Infrastructure; and the European Union under Grant SEC-2013.2.5-4: Protection systems for utility networks – Capability Project, Project Number: 608090, Hybrid Risk Management for Utility Providers (HyRiM).

I. INTRODUCTION

Attacks on critical infrastructures have increased over the years. In particular, attacks targeting Supervisory Control and Data Acquisition (SCADA) industrial control systems rose 100% in 2014 compared to the previous year, as highlighted in a report by Dell [1]. Similarly, a recent report published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) showed that while industrial control system (ICS) vendors have been targeted by various types of malicious actors, over half of the attacks reported in 2014 involved advanced persistent threats (APTs) [2]. Moreover, major vulnerabilities in SCADA systems enabled attacks on various critical infrastructures in the past, which demonstrated that these systems are not as resilient as one would expect. Stuxnet [3] was first identified as a complex malware that targeted the SCADA systems of Iran's nuclear plant. In Maroochy, Australia, a disgruntled engineer penetrated a sewage control system and caused approximately 264,000 gallons of raw sewage to leak into nearby rivers [4]. Also, in late 2015, a major attack on Ukraine's power grid infrastructure resulted in a power outage caused by the BlackEnergy trojan [5].

SCADA systems monitor and control infrastructures including power plants, water utilities, energy and gas pipelines, which makes them highly critical. Providing protection in terms of security, safety and resilience in such networks is inherently considered to be of vital importance. Traditionally, most of these systems were air-gapped from other networks, but in several cases access to these devices may still be available over a public network (e.g., the Internet), as a requirement to improve usability by giving operators the ability to access devices remotely. While automation and interconnectivity contribute to increasing efficiency and reducing operational costs, they expose these systems to new threats. For instance, the potential existence of a vulnerability in a system on the top layers of the Purdue model [6] may allow attackers to exploit it and gradually take control of systems or devices that operate in the lower levels, such as SCADA systems; this could cause failure and hence serious disruptions.

Therefore, it is crucial that any challenge to SCADA systems and their supporting communications infrastructure is promptly detected and acted upon. To do this, it is necessary to detect a range of challenges, including those that manifest themselves as anomalies. For example, data injection attacks may be used to change the measurement values of some devices in order to hinder the operation of the system [7]. Further, a major concern is the intrinsic weakness of the communication protocols used in SCADA systems that monitor and control field devices in critical infrastructure installations. The remote terminal units (RTUs), which generally control and collect the information that determines the system state, and the master terminal units (MTUs), which handle the supervisory controls, can also be attacked to spoof information by exploiting the lack of authentication in current protocols (e.g., Modbus, DNP3 and Profibus), leading to unexpected behaviours [8]. Recent research has focused on anomaly detection (AD) techniques to improve the resilience and security of critical infrastructures [9], [10], [11]. In the context of SCADA systems, a few anomaly detection techniques have been adopted and redefined [12], [13], [14], and they are further classified with respect to their operational mode, i.e., supervised and unsupervised. However, choosing an appropriate technique for use with SCADA systems requires an examination of its effectiveness in detecting anomalous SCADA operations, e.g., in the traffic between RTU and MTU. From an operational perspective, supervised techniques require training data to build the model and then evaluate the fitness of new test data with respect to this model. On the other hand, unsupervised techniques try to partition the feature space into normal and anomalous regions without training data; AD techniques in this mode are much more flexible and easier to use, since they do not require upfront human intervention and training [15], [16].

The main goal of this paper is to pinpoint the importance of AD techniques as a step towards achieving resilience, to evaluate AD techniques in the context of SCADA systems, and to discuss their advantages and disadvantages. Specifically, we evaluate the K-means (KM)¹ and Naïve Bayesian (NB)² techniques, which are used in supervised mode, and the Principal Component Analysis using Singular Value Decomposition (PCA-SVD)³ and Gaussian Mixture Model (GMM)⁴ techniques, which are used in unsupervised mode, to analyse network transactions between RTU and MTU from Mississippi State University's in-house SCADA gas pipeline.

¹ https://en.wikipedia.org/wiki/K-means_clustering
² http://scikit-learn.org/stable/modules/naive_bayes.html
³ https://en.wikipedia.org/wiki/Principal_component_analysis
⁴ http://scikit-learn.org/stable/modules/mixture.html

The rest of the paper is organised as follows: Section II elaborates on our resilience strategy and its association with AD techniques. Section III discusses the experimental method and the properties of the dataset we have used. Section IV describes the outcomes of our analysis and discusses the obtained results, while Section V summarises and concludes the paper.

II. RESILIENCE AND ANOMALY DETECTION

In this section, we briefly elaborate on our resilience strategy and on how anomaly detection may serve as an important component in applying resilience to critical infrastructures. We define resilience as "the ability of a network or system to provide and maintain an acceptable level of service in the face of various faults and challenges to normal operation" [17]. The D²R²+DR strategy is capable of achieving this via the Defend, Detect, Remediate, Recover, and Diagnose and Refine processes (see Figure 1). Defend, Detect, Remediate and Recover form the processes of an inner loop, and Diagnose and Refine the processes of an outer loop. In more detail: Defend against challenges and threats to normal operation; Detect when an adverse event or condition has occurred; Remediate the effects of the adverse event or condition; Recover to original and normal operations; Diagnose the fault that was the root cause; and Refine behaviour for the future based on past D²R²+DR cycles.

[Fig. 1: D²R²+DR strategy [17]]

Anomaly detection is a technique that can be applied within a resilience framework in order to promptly provide indications and warnings about adverse events or conditions that may occur. Specifically, we demonstrate in [10] a resilience framework for critical infrastructures that may support the detection of anomalies at the different levels of infrastructure and services. Therefore, a first step towards achieving resilience consists of identifying abnormal behaviours in such environments. This can be accomplished within the detection process of our resilience strategy, where several resilience metrics are collected and forwarded to AD instances. The diverse nature of the data in critical infrastructures' networks compared with data stemming from IT systems, and the existence of major threats such as APTs, render the task of evaluating existing AD techniques one of vital importance. Their evaluation will provide indications of their applicability in environments such as the examined one, and initiate future research in that direction.

III. METHOD

The approach we have taken to evaluate the AD techniques is described below:
• Obtain the most significant features from the original dataset via pre-processing methods (discussed below). Our approach includes normalization and principal component analysis of the dataset. These features are then converted into a time series and fed into a detector implementing the AD techniques.
• We further split the dataset into 8 different traces. The first one is a combined trace, which includes the class of normal data and the seven anomalous classes. The remaining seven traces each include the normal class and one of the anomalous classes. The latter are used to evaluate the efficacy of the individual techniques in detecting specific types of anomalies.
• Each trace is then submitted to a detector along with ground truth information, to assess the applied AD technique based on its likelihood of identifying anomalies in the trace over time. Depending on their mode, AD techniques may require a training phase (e.g., supervised learning). In this case, a random selection of the feature vectors is used as training data, and the rest is used to generate the anomaly time series used for the evaluation.
• The output of the detector, which includes a time series of probabilities, is then compared with the ground truth and yields an evaluation of the AD techniques.

More details with regard to the dataset and each of the aforementioned steps are provided in the subsequent subsections.
A. Dataset

The dataset we used was collected using a simulation of real anomalies and normal activity on a gas pipeline. Specifically, it constitutes Modbus traffic⁵ stemming from a serial line and including read and write commands for a PLC⁶. It contains three categorical features including payload information, network information and ground truth. The payload information indicates the gas pipeline's state, settings and parameters. The network information provides the pattern of communications and ground truth details, i.e., whether the transaction is normal or anomalous. In total, 274627 instances and twenty raw features are provided. We refer the reader to [18], [19] for a detailed description of the individual features, the dataset and the test bed architecture that was used to capture the data.

We first employ a pre-processing stage, which includes normalization of the data using the Z-score⁷ and principal component analysis (PCA) to select a subset of relevant features for subsequent analysis. PCA allows us to extract new, orthogonal (independent) features that are a linear combination of the original ones. Basically, this new set of features are called principal components and are obtained in such a manner that the first principal component accounts for as much as possible of the variation in the original data, then the second component, and so on. We select 14 principal components as the new derived features for our analysis because they represent most of the variation in the original dataset and are therefore the most significant.

⁵ http://www.modbus.org/
⁶ https://en.wikipedia.org/wiki/Programmable_logic_controller
⁷ The result of Z-score normalization is that the features will be rescaled so that they have the properties of a standard normal distribution with µ = 0 and σ = 1, where µ is the mean (average) and σ is the standard deviation from the mean.

Furthermore, we employ a soft clustering approach using Fuzzy C-means (FCM) [20] to identify natural groupings of the data. As opposed to hard clustering, in FCM the data points can belong to more than one cluster, and the association of each point with a cluster is a membership grade that indicates the degree to which the data point belongs to that cluster. Figure 2 illustrates the inherent structure of the data. It can be seen that the data is not easily separable into 8 classes; instead it separates into 4 classes, where the blue colour indicates the normal class. This is an important step in understanding the dataset with respect to the number of classes.

[Fig. 2: Identification of anomalies using FCM with K=8]

B. Description of Anomalies

In total, the dataset contains seven different types of anomalies, which are divided into four main categories. These anomalies include "response injection", "reconnaissance", "denial-of-service" and "command injection". Response injection is further divided into naïve malicious response injection (NMRI) and complex malicious response injection (CMRI). The former leverages the ability to inject response packets into the network but lacks information about the process being monitored. The latter, on the other hand, is more sophisticated and attempts to mask the real state of the physical process being controlled. Similarly, command injection is further divided into malicious state command injection (MSCI), malicious parameter command injection (MPCI) and malicious function code command injection (MFCI). MSCI changes the state of the process control system to drive the system from a safe state to a critical state by means of a malicious command. MPCI changes PLC set points, and MFCI injects commands which misuse protocol network parameters. DoS attacks target the communication link. Each sample is labelled with its ground truth from 0 to 7, where 0 represents the normal class and 1-7 stand for each class of anomaly.

C. Evaluation Metrics

A single metric alone is not sufficient to make a firm conclusion about the performance of the underlying anomaly detection technique [21]. Therefore, we evaluated the effectiveness of each technique using several metrics. Each input entry submitted to the detector describes the features of the monitored trace during a given time period (bin), and subsequently the detector computes the deviation from normal traffic. Therefore, the performance can be assessed by determining the difference between the class it produces for a given input and the class it should have. Correctly identified negatives are true negatives (TN), incorrectly identified negatives are false positives (FP), correctly identified positives are true positives (TP) and incorrectly identified positives are false negatives (FN). From this output, one can compute the true-positive rate (TPR, sensitivity or recall; TP/(TP+FN)), the false-positive rate (FPR; FP/(FP+FN)), the precision (TP/(TP+FP)), the accuracy ((TP+TN)/(TP+TN+FP+FN)), the F-score
(2×(Precision×Recall)/(Precision+Recall)), and the G-mean (√(Precision×Recall)). Accuracy is the degree to which the detector classifies data samples correctly; precision [...] mean (G-mean), which provide a more rounded measure of the performance of a particular detector by accounting for all of the outcomes to some degree.

[Fig. 3: Performance comparison of AD techniques. (a) Precision comparison of ADTs for individual anomaly types; (b) accuracy comparison of AD techniques for individual anomaly types. Both panels compare K-Means, NB, PCA-SVD and EMGM across the anomaly types NMRI, CMRI, MSCI, MPCI, MFCI, DoS and Recon.]

TABLE I: Comparison of AD techniques (combined dataset)

| ADT | Recall | Precision | Accuracy | F-score | G-mean |
|-----|--------|-----------|----------|---------|--------|
| GMM | 0.4416 | 0.7309 | 0.4516 | 0.5583 | 0.5745 |
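The trace-splitting steps of Section III and the metrics of Section III-C, as an added example that is not the paper's tool chain: it builds the combined trace and the seven per-anomaly traces from a sequence of ground-truth labels (0 = normal, 1-7 = anomaly classes), thresholds a detector's per-bin anomaly probabilities, and computes the confusion counts and the Table II columns. The class-id-to-name mapping, the 0.5 threshold and the toy trace are assumptions.

```python
"""Trace splitting and Table II metrics for a labelled SCADA trace.

Added example, not the paper's tool chain. Assumptions: every sample of
the dataset carries a ground-truth label 0-7 (0 = normal, 1-7 = one of the
seven anomaly classes of Section III-B, mapped to names below in the order
the paper lists them); the detector emits one anomaly probability per
sample (one bin); a probability >= THRESHOLD flags the bin as anomalous.
"""
from math import sqrt
from typing import Dict, List, Sequence, Tuple

# Assumed class-id-to-name mapping; the dataset's own numbering is in [18], [19].
ANOMALY_NAMES = {1: "NMRI", 2: "CMRI", 3: "MSCI", 4: "MPCI",
                 5: "MFCI", 6: "DoS", 7: "Reconnaissance"}
THRESHOLD = 0.5  # assumed decision threshold on the detector's probability


def split_traces(labels: Sequence[int]) -> Dict[str, List[int]]:
    """Build the eight traces of Section III as index lists into the dataset:
    'combined' keeps every sample; each per-anomaly trace keeps the normal
    samples plus the samples of exactly one anomaly class."""
    traces = {"combined": list(range(len(labels)))}
    for cls, name in ANOMALY_NAMES.items():
        traces[name] = [i for i, y in enumerate(labels) if y in (0, cls)]
    return traces


def confusion(truth: Sequence[int], probs: Sequence[float],
              threshold: float = THRESHOLD) -> Tuple[int, int, int, int]:
    """Binary confusion counts (TP, TN, FP, FN). Any label other than 0 is
    the positive class, so the anomaly classes collapse into one."""
    tp = tn = fp = fn = 0
    for y, p in zip(truth, probs):
        anomalous, flagged = (y != 0), (p >= threshold)
        if anomalous and flagged:
            tp += 1
        elif anomalous:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    return tp, tn, fp, fn


def metrics(tp: int, tn: int, fp: int, fn: int) -> Dict[str, float]:
    """Metrics of Section III-C in the column layout of Table II. A zero
    denominator (e.g. a trace with no positives) yields 0.0 instead of
    raising, so an empty anomaly class shows up as recall 0."""
    def ratio(num: float, den: float) -> float:
        return num / den if den else 0.0

    recall = ratio(tp, tp + fn)                     # TP/(TP+FN)
    precision = ratio(tp, tp + fp)                  # TP/(TP+FP)
    accuracy = ratio(tp + tn, tp + tn + fp + fn)    # (TP+TN)/(TP+TN+FP+FN)
    f_score = ratio(2 * precision * recall, precision + recall)
    g_mean = sqrt(precision * recall)
    return {"correct_normal": tn, "correct_anomalous": tp,
            "predicted_anomalies": tp + fp, "recall": recall,
            "precision": precision, "accuracy": accuracy,
            "f_score": f_score, "g_mean": g_mean}


def evaluate(labels: Sequence[int], probs: Sequence[float],
             threshold: float = THRESHOLD) -> Dict[str, Dict[str, float]]:
    """Run the per-trace evaluation: one Table II style row per trace."""
    results = {}
    for name, idx in split_traces(labels).items():
        t = [labels[i] for i in idx]
        p = [probs[i] for i in idx]
        results[name] = metrics(*confusion(t, p, threshold))
    return results


# Constructed toy trace of 12 bins: ground-truth labels and the anomaly
# probabilities a detector might emit for them. Bin 3 is a missed NMRI
# sample (FN) and bin 1 a normal sample wrongly flagged (FP).
SAMPLE_LABELS = [0, 0, 1, 1, 0, 6, 6, 0, 3, 0, 1, 6]
SAMPLE_PROBS = [0.1, 0.7, 0.9, 0.2, 0.0, 0.8, 0.95, 0.3, 0.4, 0.1, 0.6, 0.55]

if __name__ == "__main__":
    for trace, row in evaluate(SAMPLE_LABELS, SAMPLE_PROBS).items():
        print(f"{trace:15s} " + " ".join(
            f"{k}={v:.4f}" if isinstance(v, float) else f"{k}={v}"
            for k, v in row.items()))
```

On the toy trace the combined evaluation gives 5 correct anomalous and 4 correct normal detections with 6 predicted anomalies, while the CMRI trace (no class-2 samples) shows how an empty anomaly class degrades to recall 0 rather than a division error.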
IV. ANALYSIS OF RESULTS

One of the main issues with the raw dataset was that it contained missing values, and thus required us to perform a set of pre-processing tasks in order to make the dataset suitable for use in our AD implementations. Otherwise, the results of the analysis would not be indicative of the actual performance of the examined AD techniques. Specifically, we pre-process the raw dataset by applying Z-score and principal component analysis techniques such that it remains representative of the original data, particularly the scope of attack scenarios, while being better suited to use with AD techniques. Henceforth, we call this new derived feature-set the combined dataset, since it contains artefacts of the normal data and all seven types of anomalies. Subsequently, we used the combined dataset as input to our AD implementations. However, some of the operations of the AD techniques required an excessive amount of time and memory to complete due to the size of the combined dataset (275,000 rows). Therefore, in order to overcome the time and memory constraints, we shuffled the data in the combined dataset and selected a subset of it (30%) to perform the training of the supervised AD techniques.

Table I depicts the results of the binary classification for the combined dataset. Basically, in this approach all anomalous classes are combined into a single anomaly class to be discriminated from the normal communications. Both the precision and accuracy results indicate that the supervised techniques (KM and NB) perform better in classifying anomalies when compared with the unsupervised techniques (PCA-SVD and GMM). Specifically, PCA-SVD becomes less accurate in detecting anomalies, since it manages to accomplish only 17% accuracy. On the contrary, the NB technique shows both a high precision and a high accuracy level, i.e., 81% and 90%, respectively.

In order to further investigate the performance of the AD techniques in identifying the individual attacks, we created a separate set of datasets. Each dataset included normal data and data from one of the anomalies. The benefit of this separation is that there are many more samples of a given attack in each subset compared with the combined dataset, as well as a higher degree of variability within the features. Each dataset is then used as input to the detector. All datasets were run with the selected four AD techniques. Figure 3a and Figure 3b illustrate the precision and accuracy, respectively, for each technique in detecting individual categories of anomalies. The results show that all techniques produced high precision for individual categories, with one exception: that of response injection attacks. However, when it comes to accuracy, NB and KM outperform the other techniques, having both a level of accuracy and precision over 80%. These results are similar to what we have seen for the combined dataset.

TABLE II: Performance metrics of AD techniques per type of anomaly

| Attack scenario | ADT | # of correct normal detections | # of correct anomalous detections | # of total predicted anomalies | Recall | Precision | Accuracy | F-score | G-mean |
|---|---|---|---|---|---|---|---|---|---|
| NMRI | K-means | 1465 | 5193 | 9728 | 0.1849 | 0.5338 | 0.1731 | 0.2614 | 0.3040 |
| NMRI | NB | 6000 | 23168 | 23168 | 0.8102 | 1 | 0.7723 | 0.8715 | 0.8788 |
| NMRI | PCA-SVD | 703 | 15534 | 20831 | 0.4510 | 0.7457 | 0.5178 | 0.6112 | 0.6214 |
| NMRI | GMM | 6000 | 5011 | 5011 | 0.3059 | 1 | 0.1670 | 0.2863 | 0.4087 |
| CMRI | K-means | 3902 | 4554 | 12652 | 0.2013 | 0.3599 | 0.1518 | 0.2135 | 0.2338 |
| CMRI | NB | 12000 | 23168 | 23168 | 0.8373 | 1 | 0.7723 | 0.8715 | 0.8788 |
| CMRI | PCA-SVD | 2901 | 5193 | 14292 | 0.1927 | 0.3634 | 0.1731 | 0.2345 | 0.2508 |
| CMRI | GMM | 181 | 13639 | 25458 | 0.3290 | 0.5357 | 0.4546 | 0.4919 | 0.4935 |
| MSCI | K-means | 3000 | 23193 | 26193 | 0.7276 | 0.8855 | 0.7731 | 0.8255 | 0.8274 |
| MSCI | NB | 3000 | 23193 | 26193 | 0.7276 | 0.8855 | 0.7731 | 0.8255 | 0.8274 |
| MSCI | PCA-SVD | 5837 | 16520 | 16683 | 0.6210 | 0.9902 | 0.5507 | 0.7078 | 0.7384 |
| MSCI | GMM | 3000 | 20618 | 23618 | 0.6561 | 0.8730 | 0.6873 | 0.7691 | 0.7746 |
| MPCI | K-means | 10000 | 23193 | 33193 | 0.6639 | 0.6987 | 0.7731 | 0.7340 | 0.7350 |
| MPCI | NB | 9970 | 23477 | 33507 | 0.6689 | 0.7007 | 0.7826 | 0.7394 | 0.7405 |
| MPCI | PCA-SVD | 9672 | 23552 | 33880 | 0.6645 | 0.6952 | 0.7851 | 0.7374 | 0.7387 |
| MPCI | GMM | 5204 | 26819 | 41615 | 0.6405 | 0.6445 | 0.894 | 0.749 | 0.7590 |
| MFCI | K-means | 2000 | 15516 | 17516 | 0.5152 | 0.8858 | 0.5172 | 0.6531 | 0.6769 |
| MFCI | NB | 4000 | 13639 | 13639 | 0.5188 | 1 | 0.4546 | 0.6251 | 0.6743 |
| MFCI | PCA-SVD | 2000 | 16474 | 18474 | 0.5434 | 0.8917 | 0.5491 | 0.6797 | 0.6998 |
| MFCI | GMM | 4000 | 6807 | 6807 | 0.3179 | 1 | 0.2269 | 0.3699 | 0.4763 |
| DoS | K-means | 2000 | 15874 | 15874 | 0.5586 | 1 | 0.5291 | 0.6921 | 0.7274 |
| DoS | NB | 984 | 24373 | 25389 | 0.7924 | 0.9600 | 0.8124 | 0.8801 | 0.8831 |
| DoS | PCA-SVD | 1984 | 16492 | 16508 | 0.5774 | 0.9990 | 0.5497 | 0.7092 | 0.7411 |
| DoS | GMM | 1501 | 3181 | 3680 | 0.1463 | 0.8644 | 0.1060 | 0.1889 | 0.3027 |
| Reconnaissance | K-means | 2164 | 22681 | 23517 | 0.7529 | 0.9645 | 0.7560 | 0.8476 | 0.8539 |
| Reconnaissance | NB | 2971 | 13639 | 13668 | 0.5033 | 0.9979 | 0.4546 | 0.6247 | 0.6735 |
| Reconnaissance | PCA-SVD | 1386 | 16474 | 18088 | 0.5412 | 0.9108 | 0.5491 | 0.6852 | 0.7072 |
| Reconnaissance | GMM | 509 | 23193 | 25684 | 0.7182 | 0.9030 | 0.7731 | 0.8330 | 0.8355 |

Table II lists the output metrics for each type of anomaly and shows that the supervised techniques have become less accurate in detecting individual types of anomalies. From these results, it is strongly implied that there is a skewing of results when running the detector with no prior training. The issue lies within the nature of the supervised technique, which considers each sample to be an individual entity to be labelled as anomalous, whereas there could be many samples corresponding to a single anomaly to be classified. Given the discrete nature of attacks, certain features can also be removed to improve the accuracy in supervised mode, given the fact that certain features are more revealing of an attack than others. However, feature selection and its analysis are beyond the scope of this work.

An examination of the precision and recall results reveals the exact anomaly types that are being classified incorrectly. The precision rate for denial-of-service, reconnaissance, MFCI and MSCI is over 80%. But for NMRI and CMRI, they are below the acceptable level. Furthermore, some attack types such as MFCI are detected with a low recall rate and high precision. This is related to the fact that the samples considered to be of these types of anomalies were indeed from these categories, but the detector failed to detect all samples that were from each type of attack. This could be due to a bad value in a network transaction, such as an incorrect CRC value in a write function command, which would cause the RTU to ignore the command and in turn may cause a denial-of-service. The results also show that the recall is lowest for MPCI and MSCI. The low recall lies in the fact that the system is forced to be placed in normal conditions at the time of anomaly injection, hence the very close similarity between normal and anomalous conditions for these types of attacks.

V. CONCLUSION

In this work, the performance of various AD techniques applied to SCADA communication is evaluated in terms of their ability to identify various attacks. We have analysed the communication between an RTU and an MTU in a gas pipeline system. The data in our evaluation were developed by Mississippi State University, and include artefacts of benign RTU transactions and various attack transactions generated specifically for conducting research in the area of critical infrastructure protection. We have analysed the accuracy of four AD techniques in correctly identifying anomalies using a set of statistical features. Results from our experiments indicate that the detection rate differs with respect to the type of anomaly and the running mode of the applied AD technique. Specifically, AD techniques that run in supervised mode appeared to perform better; however, a dataset to train a technique is not always available. Therefore, we argue that there is a need for developing a robust, and preferably real-time, AD technique that can work in unsupervised mode and has better detection accuracy. The configuration modes, normalization techniques, etc. are yet more variables to consider when it comes to applying them operationally.

In the future, we will investigate how to realise anomaly detection in an online manner for SCADA systems. Furthermore, we will investigate the performance benefits of data sampling, so that very large data volumes can be processed in near real-time.

ACKNOWLEDGMENTS

The authors would like to thank T. Morris and the Mississippi State University SCADA Laboratory for providing the dataset.

REFERENCES

[1] Dell, "Dell Annual Security Threat Report 2015," https://software.dell.com/docs/2015-dell-security-annual-threat-report-white-paper-15657.pdf, 2015.
[2] National Cybersecurity and Communications Integration Center, "ICS-CERT Monitor," https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf, 2015.
[3] N. Falliere, L. O. Murchu, and E. Chien, "W32.Stuxnet dossier," White paper, Symantec Corp., Security Response, vol. 5, 2011.
[4] J. Slay and M. Miller, Lessons learned from the Maroochy water breach. Springer, 2007.
[5] ESET, "The security review: BlackEnergy, Internet Explorer and Fitbit," http://www.welivesecurity.com/2016/01/18/security-review-blackenergy-internet-explorer-fitbit/#, 2016.
[6] L. Obregon, "Secure Architecture for Industrial Control Systems," https://www.sans.org/reading-room/whitepapers/ICS/secure-architecture-industrial-control-systems-36327, 2015.
[7] P.-Y. Chen, S.-M. Cheng, and K.-C. Chen, "Smart attacks in smart grid communication networks," IEEE Communications Magazine, vol. 50, no. 8, pp. 24–29, 2012.
[8] A. Carcano, I. N. Fovino, M. Masera, and A. Trombetta, "SCADA malware, a proof of concept," in Critical Information Infrastructure Security. Springer, 2008, pp. 211–222.
[9] S. Shirazi, S. Simpson, A. Marnerides, M. Watson, A. Mauthe, and D. Hutchison, "Assessing the impact of intra-cloud live migration on anomaly detection," in Cloud Networking (CloudNet), 2014 IEEE 3rd International Conference on, Oct 2014, pp. 52–57.
[10] A. Gouglidis, S. Shirazi, S. Simpson, P. Smith, and D. Hutchison, "A multi-level collaborative framework for critical infrastructures resilience," 2016.
[11] A. K. Marnerides, P. Smith, A. Schaeffer-Filho, and A. Mauthe, "Power consumption profiling using energy time-frequency distributions in smart grids," IEEE Communications Letters, vol. 19, no. 1, pp. 46–49, 2015.
[12] W. Gao, T. Morris, B. Reaves, and D. Richey, "On SCADA control system command and response injection and intrusion detection," in eCrime Researchers Summit (eCrime), 2010. IEEE, 2010, pp. 1–9.
[13] I. Marton, A. Sánchez, S. Carlos, and S. Martorell, "Application of data driven methods for condition monitoring maintenance," Chemical Engineering, vol. 33, pp. 301–306, 2013.
[14] E. Damiani, "Composite intrusion detection in process control networks," 2009.
[15] P. Laskov, P. Düssel, C. Schäfer, and K. Rieck, "Learning intrusion detection: supervised or unsupervised?" in Image Analysis and Processing – ICIAP 2005. Springer, 2005, pp. 50–57.
[16] V. Chandola, A. Banerjee, and V. Kumar, "Anomaly detection: A survey," ACM Computing Surveys (CSUR), vol. 41, no. 3, p. 15, 2009.
[17] J. P. Sterbenz, D. Hutchison, E. K. Çetinkaya, A. Jabbar, J. P. Rohrer, M. Schöller, and P. Smith, "Resilience and survivability in communication networks: Strategies, principles, and survey of disciplines," Computer Networks, vol. 54, no. 8, pp. 1245–1265, 2010.
[18] T. H. Morris, Z. Thornton, and I. Turnipseed, "Industrial control system simulation and data logging for intrusion detection system research."
[19] T. Morris and W. Gao, "Industrial control system traffic data sets for intrusion detection research," in Critical Infrastructure Protection VIII. Springer, 2014, pp. 65–78.
[20] J. C. Bezdek, R. Ehrlich, and W. Full, "FCM: The fuzzy c-means clustering algorithm," Computers & Geosciences, vol. 10, no. 2, pp. 191–203, 1984.
[21] A. Lazarevic, L. Ertöz, V. Kumar, A. Ozgur, and J. Srivastava, "A comparative study of anomaly detection schemes in network intrusion detection," in SDM. SIAM, 2003, pp. 25–36.