An intrusion detection system (IDS) is a device or software application that monitors network or system activity for malicious activity or policy violations and reports to a security incident and event management station. An IDS detects potential cyberattacks in different ways. There are host-based (HIDS) and network-based (NIDS) intrusion detection systems. Host intrusion detection systems run on individual hosts or devices on the network. Network intrusion detection systems detect potential cyberattacks based on network traffic patterns.
A HIDS typically monitors only the inbound and outbound data packets of the device on which it runs, and generates alerts that are sent to the user or administrator if suspicious activity is detected. It also monitors the behavior of the host device, such as CPU and memory usage, to detect potential cyberattacks. If memory usage deviates from normal, an alert is sent to the administrator for investigation. An example of HIDS usage can be seen in distributed control systems (DCS) in the chemical industry, in which the cycle time is not supposed to exceed 100 milliseconds.
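As an added illustration of the host-based monitoring described above (example code, not part of the original text), the following Python snippet learns a normal-operation baseline for a controller's scan cycle time and memory usage from constructed samples, then flags readings that exceed a fixed engineering limit (the 100 ms cycle-time bound) or deviate statistically from the baseline. The metric names, sample values and the 3-sigma threshold are assumptions.

```python
import statistics

# Constructed baseline samples of a controller's normal operation (not real plant data):
# scan cycle time in milliseconds and memory usage in megabytes.
BASELINE_SAMPLES = {
    "cycle_time_ms": [42.0, 43.5, 41.8, 42.6, 43.1, 42.2, 41.9, 42.8],
    "memory_mb": [512, 515, 510, 518, 514, 511, 516, 513],
}

# Fixed engineering limits; the 100 ms bound follows the DCS cycle-time example.
HARD_LIMITS = {"cycle_time_ms": 100.0}

Z_LIMIT = 3.0  # assumed: more than 3 standard deviations from the baseline mean is abnormal


def learn_baseline(samples):
    """Return (mean, population stdev) for one metric's normal-operation samples."""
    return statistics.mean(samples), statistics.pstdev(samples)


def check_reading(metric, value, baselines, hard_limits=HARD_LIMITS, z_limit=Z_LIMIT):
    """Return the list of reasons a reading is suspicious (empty if it looks normal)."""
    reasons = []
    if metric in hard_limits and value > hard_limits[metric]:
        reasons.append("above_hard_limit")
    mean, stdev = baselines[metric]
    # A constant baseline (stdev 0) would divide by zero; treat any change from it as abnormal.
    deviation = abs(value - mean) / stdev if stdev > 0 else (0.0 if value == mean else float("inf"))
    if deviation > z_limit:
        reasons.append("deviates_from_baseline")
    return reasons


def monitor(readings, baseline_samples=BASELINE_SAMPLES):
    """Run the HIDS checks over time-ordered (metric, value) readings; return alerts."""
    baselines = {m: learn_baseline(s) for m, s in baseline_samples.items()}
    alerts = []
    for metric, value in readings:
        reasons = check_reading(metric, value, baselines)
        if reasons:
            alerts.append({"metric": metric, "value": value, "reasons": reasons})
    return alerts


# Constructed live readings: two normal pairs, then a slow scan cycle and a memory jump.
LIVE_READINGS = [
    ("cycle_time_ms", 42.9), ("memory_mb", 514), ("cycle_time_ms", 43.0), ("memory_mb", 513),
    ("cycle_time_ms", 118.0), ("memory_mb", 590), ("cycle_time_ms", 42.5), ("memory_mb", 512),
]

if __name__ == "__main__":
    for alert in monitor(LIVE_READINGS):
        print(f"ALERT {alert['metric']}={alert['value']}: {', '.join(alert['reasons'])}")
```

Running the block prints two alerts: the 118 ms cycle exceeds the hard limit and the baseline, and the 590 MB reading deviates from the memory baseline while the normal readings stay silent.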
Network intrusion detection systems (NIDS) are connected to the network to monitor data traffic to and from all devices on the network. A NIDS analyzes the traffic passing over the entire subnet, operates in a passive mode, and matches the traffic passed on the subnets against a library of known attacks. Once an attack pattern is identified, or abnormal network traffic behavior is sensed, an alert can be sent to the administrator. An example of NIDS deployment is installing it on the subnet where the firewalls are located, in order to see whether someone is trying to break into the firewall.
While HIDS and NIDS have been widely used for threat detection on enterprise networks in the information technology (IT) world, intrusion detection systems are not currently available for industrial production plants, because HIDS and NIDS technology is not easily extended to such environments. For example, most plant floor networks use heterogeneous proprietary networks and communication protocols; therefore it is not trivial to collect data traffic patterns to run a NIDS. Controllers and other legacy devices were designed for control functionality; as a result, it is not easy to implement and deploy a HIDS on those devices due to their limited computational power and memory. At the same time, controllers and other production devices have access to production process information that provides a unique knowledge base not available on more generic enterprise systems. Accordingly, it is desirable to apply this production process information to address the intrusion detection deficiencies in industrial production plants.