A modified densenet approach with nearmiss for anomaly detection in industrial control systems


MULTIMEDIA TOOLS AND APPLICATIONS, vol.81, no.16, pp.22573-22586, 2022 (SCI-Expanded) identifier identifier

  • Publication Type: Article / Article
  • Volume: 81 Issue: 16
  • Publication Date: 2022
  • Doi Number: 10.1007/s11042-021-11618-0
  • Journal Indexes: Science Citation Index Expanded (SCI-EXPANDED), Scopus, FRANCIS, ABI/INFORM, Applied Science & Technology Source, Compendex, Computer & Applied Sciences, INSPEC, zbMATH
  • Page Numbers: pp.22573-22586
  • Keywords: Anomaly detection, Cyber physical systems, DenseNet, NearMiss, Industrial applications, SWaT
  • Karadeniz Technical University Affiliated: Yes


The safety of Industrial Control Systems (ICSs) is of vital importance especially for critical infrastructures (CIs) that cause economic losses as well as adversely affecting human life when damaged. The cyber-attacks on CIs in the past years have revealed these negative effects. Moreover, the conclusion that ICSs are vulnerable to cyber-attacks and that prevention should be taken against possible new attacks. This paper presents a modified DenseNet approach with NearMiss (NM) undersampling technique to detect anomalies in a small-scale ICS commonly used to test anomaly detection approaches. The utilized small-scale ICS is known as Secure Water Treatment (SWaT) testbed. To deal with class imbalance problem of the SWaT dataset, NM undersampling technique is employed and samples in majority class are deleted. Several modified DenseNet architectures are evaluated using k-fold cross validation technique and comprehensive experiments are conducted on SWaT dataset. The performance of the proposed anomaly detection approach is compared to state-of-the-art studies. The experimental results show that the proposed modified DenseNet architecture has identified anomalies occured because of the injected attacks with less false positive rate and high precision score compared to previous studies. Moreover, the superiority of the proposed approach compared to the other state-of-the-art studies is that it detects all injected attack types with an improved precision, recall and F1-score rates of 1, 0.9997 and 0.9999, respectively.