TY - GEN
T1 - An Enhanced EWMA for Alert Reduction and Situation Awareness in Industrial Control Networks
AU - Jiang, Baoxiang
AU - Liu, Yang
AU - Liu, Huixiang
AU - Ren, Zehua
AU - Wang, Yun
AU - Bao, Yuanyi
AU - Wang, Wenqing
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
AB - Intrusion detection systems (IDSs) are widely deployed in industrial control systems to protect network security. IDSs typically generate a huge number of alerts, which are time-consuming for system operators to process. Most of the alerts are individually insignificant false alarms. However, discarding these alerts is not the best solution, as they can still provide useful information about the network situation. Based on a study of the characteristics of alerts in industrial control systems, we adopt an enhanced method of exponentially weighted moving average (EWMA) control charts to help operators process alerts. We classify all detection signatures as regular or irregular according to their frequencies, set multiple control limits to detect anomalies, and monitor regular signatures for network security situational awareness. Extensive experiments have been performed using real-world alert data. Simulation results demonstrate that the proposed enhanced EWMA method can greatly reduce the volume of alerts to be processed while retaining significant abnormal information.
UR - https://www.scopus.com/pages/publications/85141700409
U2 - 10.1109/CASE49997.2022.9926545
DO - 10.1109/CASE49997.2022.9926545
M3 - Conference contribution
AN - SCOPUS:85141700409
T3 - IEEE International Conference on Automation Science and Engineering
SP - 888
EP - 894
BT - 2022 IEEE 18th International Conference on Automation Science and Engineering, CASE 2022
PB - IEEE Computer Society
T2 - 18th IEEE International Conference on Automation Science and Engineering, CASE 2022
Y2 - 20 August 2022 through 24 August 2022
ER -