An Explainable AI Framework for Process-Aware Attack Detection in Industrial Control Systems

Abstract

The cybersecurity of industrial control systems (ICS) has become a priority area of research, particularly since the emblematic attacks of the 2010s, such as Stuxnet, BlackEnergy and Industroyer. These incidents highlighted a new category of cyberthreats, capable of targeting the physical processes controlled by ICS while evading traditional detection methods. These so-called “stealth” attacks do not necessarily violate communication protocols and do not generate suspicious traffic, making them difficult to identify by systems based on signatures or conventional behavioral models. ICS have distinct characteristics compared with traditional IT systems. Unlike IT systems, where priority is given to data confidentiality, ICS focus on the availability and integrity of the physical process. These systems are highly constrained by real-time requirements and are designed to operate continuously in often hostile industrial environments. In addition, they integrate specific components such as programmable logic controllers (PLCs), sensors or actuators, which interact directly with the physical environment. In this context, conventional cybersecurity approaches show their limitations, particularly in the face of so-called “process-aware” attacks, which manipulate the internal states of the system without visibly altering communications. To overcome these shortcomings, approaches based on artificial intelligence, and more specifically on explainable artificial intelligence (XAI), offer considerable prospects. The aim is twofold: to detect abnormal behavior while providing human operators with comprehensible explanations. We have applied two XAI methods, SHAP and LIME, to a simulated industrial process and to data obtained from the SWaT testbed.
The results show that these methods provide a better understanding of the detection model's decisions, identifying, for example, which variables influence an alert, and they also uncovered other violated security patterns that were invisible to specification-based approaches. Integrating these techniques into detection systems could therefore significantly improve the ability of ICS to deal with increasingly sophisticated cyber threats.
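As an added illustration (not part of the original abstract, and neither the authors' code nor SWaT data), the following Python computes exact Shapley attributions, the quantity the SHAP library approximates for real models, over a hand-built process-aware residual detector for a constructed tank-loop snapshot that passes a range-based specification check yet violates the learned physical relations. The feature names, ranges, coefficients and baseline are all assumptions chosen for the example.

```python
from itertools import combinations
from math import factorial

# Constructed sample, not SWaT data: one snapshot of a simulated tank loop.
# valve: inlet valve (0 closed/1 open), flow: inlet flow sensor (L/s),
# pump: drain pump (0 off/1 on), level_delta: tank level change (cm/s).
FEATURES = ("valve", "flow", "pump", "level_delta")
SPEC_RANGES = {"valve": (0, 1), "flow": (0.0, 2.5), "pump": (0, 1), "level_delta": (-1.5, 1.5)}
# Reference point used for an "absent" feature: the normal steady state.
BASELINE = {"valve": 1, "flow": 2.0, "pump": 1, "level_delta": 0.6 * 2.0 - 1.0}

def spec_check(x):
    """Specification-based check: names of variables outside their allowed range."""
    return [k for k, (lo, hi) in SPEC_RANGES.items() if not lo <= x[k] <= hi]

def residual_score(x):
    """Process-aware score: deviation from the learned relations
    flow ~ 2*valve and level_delta ~ 0.6*flow - 1.0*pump (0 = consistent)."""
    r_flow = x["flow"] - 2.0 * x["valve"]
    r_level = x["level_delta"] - (0.6 * x["flow"] - 1.0 * x["pump"])
    return abs(r_flow) + abs(r_level)

def shapley_values(x, baseline, score_fn, features=FEATURES):
    """Exact Shapley attribution of score_fn(x) - score_fn(baseline); a feature
    is 'present' when its value is taken from x and 'absent' when from baseline."""
    n = len(features)
    def coalition_score(present):
        return score_fn({k: (x[k] if k in present else baseline[k]) for k in features})
    phi = {}
    for i in features:
        others = [k for k in features if k != i]
        phi[i] = 0.0
        for size in range(n):
            weight = factorial(size) * factorial(n - size - 1) / factorial(n)
            for subset in combinations(others, size):
                s = set(subset)
                phi[i] += weight * (coalition_score(s | {i}) - coalition_score(s))
    return phi

def explain(record):
    """Return (spec violations, anomaly score, per-feature attribution)."""
    return spec_check(record), residual_score(record), shapley_values(record, BASELINE, residual_score)

# Stealth scenario: inlet valve closed while the flow sensor is held at its normal
# 2.0 L/s; real inflow is 0, so the level falls at the pump rate (-1.0 cm/s).
STEALTH = {"valve": 0, "flow": 2.0, "pump": 1, "level_delta": -1.0}

if __name__ == "__main__":
    violations, score, phi = explain(STEALTH)
    print("spec violations:", violations, "| anomaly score:", round(score, 3))  # [] | 3.2
    print("attribution:", {k: round(v, 3) for k, v in phi.items()})
```

Because the held flow reading equals its baseline value it receives zero attribution, and the inconsistency is charged to valve and level_delta, the variables that expose it: the reference point chosen for "absent" features shapes what the explanation highlights.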

Bio

Léa Astrid KENMOGNE, third- and final-year PhD student, LIG, Inria, Grenoble-INP, UGA. Graduated from the Ecole nationale Polytechnique de Yaounde (Cameroon) in 2022 and holds a Master's in Data Science from ISIMA (Clermont-Ferrand, France), obtained in 2023. Research area: AI for cybersecurity in industrial systems. Thesis topic: detection of process-oriented attacks in industrial systems using explainable AI. Teaching experience (IT networks, industrial networks and PLCs), plus scientific and pedagogical supervision of an intern for 5 months.