Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 

STADe: An unsupervised time-windows method of detecting anomalies in oil and gas Industrial Cyber-Physical Systems (ICPS) networks

Mohammed, Abubakar Sadiq ORCID: https://orcid.org/0000-0001-7505-7835, Anthi, Eirini, Rana, Omer ORCID: https://orcid.org/0000-0003-3597-2646, Burnap, Pete ORCID: https://orcid.org/0000-0003-0396-633X and Hood, Andrew 2025. STADe: An unsupervised time-windows method of detecting anomalies in oil and gas Industrial Cyber-Physical Systems (ICPS) networks. International Journal of Critical Infrastructure Protection, 100762. 10.1016/j.ijcip.2025.100762

PDF - Accepted Post-Print Version
Available under License Creative Commons Attribution.


Abstract

Critical infrastructure and Operational Technology (OT) are becoming more exposed to cyber attacks due to the integration of OT networks with enterprise networks, especially in the case of Industrial Cyber-Physical Systems (ICPS). These technologies, which are a huge part of our daily lives, usually operate by having sensors and actuators constantly communicating through an industrial network. To secure these industrial networks from cyber attacks, researchers have utilised misuse detection and Anomaly Detection (AD) techniques to detect potential attacks. Misuse detection methods are unable to detect zero-day attacks, while AD methods can, but with high false positive rates and high computational overheads. In this paper, we present STADe, a novel Sliding Time-window Anomaly Detection method that uses the sole feature of network packet inter-arrival times to detect anomalous network communications. This work aims to explore a mechanism for detecting breaks in periodicity to flag anomalies. The method was validated using data from a real oil and gas wellhead monitoring testbed containing field flooding, SYN flooding, and Man-in-the-Middle (MITM) attacks, which are commonly used to target the availability and integrity of oil and gas critical infrastructure. STADe proved effective in detecting these attacks, with zero false positives and F1 scores of 0.97, 0.923, and 0.8 respectively. Further experiments carried out to compare STADe with other unsupervised machine learning algorithms – KNN, isolation forest, and Local Outlier Factor (LOF) – resulted in F1 scores of 0.55, 0.673, and 0.408 respectively. STADe outperformed them with an F1 score of 0.933 using the same dataset.

Item Type: Article
Date Type: Published Online
Status: In Press
Schools: Schools > Computer Science & Informatics
Publisher: Elsevier
ISSN: 1874-5482
Date of First Compliant Deposit: 24 April 2025
Date of Acceptance: 8 April 2025
Last Modified: 24 Apr 2025 14:45
URI: https://orca.cardiff.ac.uk/id/eprint/177871
