{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T10:00:59Z","timestamp":1776074459671,"version":"3.50.1"},"reference-count":30,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T00:00:00Z","timestamp":1773360000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T00:00:00Z","timestamp":1773360000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001381","name":"National Research Foundation Singapore","doi-asserted-by":"publisher","award":["NRF-NCR25-NSOE05-0001"],"award-info":[{"award-number":["NRF-NCR25-NSOE05-0001"]}],"id":[{"id":"10.13039\/501100001381","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>This work focuses on the validation of attack pattern mining in the context of Industrial Control System (ICS) security. A comprehensive security assessment of an ICS requires the generation of a variety of attack patterns. For this purpose, we have proposed a data-driven technique to generate attack patterns for an ICS. The proposed technique has been used to generate 117,960 attack patterns from data from a water treatment plant. These attack patterns were used to launch attacks on the operational testbed that typically lasted 2 to 4 minutes. Interestingly, some 2-minute attacks impacted the plant, while some attacks of 3 or 4 minutes duration had no observable effect. This suggests that even short-lived attacks can significantly impact operational plants. The proposed technique and the effectiveness of the patterns generated in moving the plant to an anomalous state are valuable when assessing the quality of Intrusion Detection Systems for physical plants. In this work, we present a detailed case study to validate the attack patterns.<\/jats:p>","DOI":"10.1007\/s10207-026-01236-y","type":"journal-article","created":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T16:22:27Z","timestamp":1773418947000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Attack pattern mining to discover hidden threats to industrial control systems"],"prefix":"10.1007","volume":"25","author":[{"given":"Muhammad Azmi","family":"Umer","sequence":"first","affiliation":[]},{"given":"Chuadhry Mujeeb","family":"Ahmed","sequence":"additional","affiliation":[]},{"given":"Aditya P.","family":"Mathur","sequence":"additional","affiliation":[]},{"given":"Muhammad Taha","family":"Jilani","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,3,13]]},"reference":[{"key":"1236_CR1","doi-asserted-by":"crossref","unstructured":"Ahmed, C. M., Ochoa, M., Zhou, J., Mathur, A.: Scanning the cycle: Timing-based authentication on plcs. ASIA CCS \u201921, page 886\u2013900, New York, NY, USA, 2021. ACM","DOI":"10.1145\/3433210.3453102"},{"key":"1236_CR2","doi-asserted-by":"publisher","first-page":"142","DOI":"10.1038\/474142a","volume":"174","author":"S Weinberger","year":"2011","unstructured":"Weinberger, S.: Computer security: Is this the start of cyberwarfare? Nature 174, 142\u2013145 (2011)","journal-title":"Nature"},{"key":"1236_CR3","unstructured":"Lipovsky. R.: New wave of cyber attacks against Ukrainian power industry, January 2016. http:\/\/www.welivesecurity.com\/2016\/01\/11"},{"key":"1236_CR4","unstructured":"Cobb, P.: German steel mill meltdown: Rising stakes in the internet of things. https:\/\/securityintelligence.com\/german-steel-mill-meltdown-rising-stakes-in-the-internet-of-things\/, (2015)"},{"key":"1236_CR5","doi-asserted-by":"publisher","first-page":"735","DOI":"10.1007\/s10955-014-1024-9","volume":"158","author":"D Helbing","year":"2015","unstructured":"Helbing, D., Brockmann, D., Chadefaux, T., Donnay, K., Blanke, U., Woolley-Meza, O., Moussaid, M., Johansson, A., Krause, J., Schutte, S., et al.: Saving human lives: What complexity science and information systems can contribute. J. Stat. Phys. 158, 735\u2013781 (2015)","journal-title":"J. Stat. Phys."},{"key":"1236_CR6","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.physrep.2021.10.005","volume":"948","author":"M Jusup","year":"2022","unstructured":"Jusup, M., Holme, P., Kanazawa, K., Takayasu, M., Romi\u0107, I., Wang, Z., Ge\u010dek, S., Lipi\u0107, T., Podobnik, B., Wang, L., et al.: Social physics. Phys. Rep. 948, 1\u2013148 (2022)","journal-title":"Phys. Rep."},{"key":"1236_CR7","doi-asserted-by":"crossref","unstructured":"Umer, M. A., Ahmed, C. M., Jilani, M. T., Mathur, A. P.: Attack rules: an adversarial approach to generate attacks for industrial control systems using machine learning. In Proceedings of the 2th Workshop on CPS&IoT Security and Privacy, pages 35\u201340, (2021)","DOI":"10.1145\/3462633.3483976"},{"key":"1236_CR8","doi-asserted-by":"crossref","unstructured":"Adepu, S., Mathur, A.: Generalized attacker and attack models for cyber physical systems. In 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), volume 1, pages 283\u2013292, 6 (2016)","DOI":"10.1109\/COMPSAC.2016.122"},{"key":"1236_CR9","doi-asserted-by":"crossref","unstructured":"Rocchetto, M., Tippenhauer, N. O.: On Attacker Models and Profiles for Cyber-Physical Systems, pages 427\u2013449. Springer International Publishing, Cham, (2016)","DOI":"10.1007\/978-3-319-45741-3_22"},{"issue":"1","key":"1236_CR10","doi-asserted-by":"publisher","first-page":"86","DOI":"10.1109\/TDSC.2018.2875008","volume":"18","author":"S Adepu","year":"2021","unstructured":"Adepu, S., Mathur, A.: Distributed attack detection in a water treatment plant: Method and case study. IEEE Trans. Dependable Secure Comput. 18(1), 86\u201399 (2021)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"1236_CR11","doi-asserted-by":"crossref","unstructured":"Mathur, A. P., Tippenhauer, N. O.: SWaT: A water treatment testbed for research and training on ICS security. In International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater), pages 31\u201336, USA, (2016). IEEE","DOI":"10.1109\/CySWater.2016.7469060"},{"key":"1236_CR12","volume-title":"and Zhi Xue","author":"Z Lin","year":"2019","unstructured":"Lin, Z., Shi, Y.: and Zhi Xue. Generative adversarial networks for attack generation against intrusion detection, Idsgan (2019)"},{"key":"1236_CR13","doi-asserted-by":"crossref","unstructured":"Zizzo, G., Hankin, C., Maffeis, S., Jones, K.: Adversarial attacks on time-series intrusion detection for industrial control systems. In (TrustCom). IEEE, (2020)","DOI":"10.1109\/TrustCom50675.2020.00121"},{"key":"1236_CR14","doi-asserted-by":"crossref","unstructured":"Goh, J., Adepu, S., Junejo, K. N., Mathur, A.: A dataset to support research in the design of secure water treatment systems. In CRITIS, pages 88\u201399, Cham, (2017). Springer","DOI":"10.1007\/978-3-319-71368-7_8"},{"key":"1236_CR15","doi-asserted-by":"crossref","unstructured":"Kravchik, M., Biggio, B., Shabtai, A.: Poisoning attacks on cyber attack detectors for industrial control systems. arXiv preprint arXiv:2012.15740, (2020)","DOI":"10.1145\/3412841.3441892"},{"key":"1236_CR16","unstructured":"Feng, C., Li, T., Zhu, Z., Chana, D.: A deep learning-based framework for conducting stealthy attacks in industrial control systems. arXiv preprint arXiv:1709.06397, (2017)"},{"key":"1236_CR17","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2021.100452","volume":"34","author":"Y Jia","year":"2021","unstructured":"Jia, Y., Wang, J., Poskitt, C.M., Chattopadhyay, S., Sun, J., Chen, Y.: Adversarial attacks and mitigation for anomaly detectors of cyber-physical systems. Int. J. Crit. Infrastruct. Prot. 34, 100452 (2021)","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"1236_CR18","doi-asserted-by":"crossref","unstructured":"Ahmed, C. M., Palleti, V, R., Mathur, A. P.: Wadi: A water distribution testbed for research in the design of secure cyber physical systems. In CysWater, pages 25\u201328, NY, USA, (2017) ACM","DOI":"10.1145\/3055366.3055375"},{"key":"1236_CR19","doi-asserted-by":"crossref","unstructured":"Mustafa, A., Khan, M. T., Umer, M. A., Masood, Z., Ahmed, C. M.: Adversarial sample generation for anomaly detection in industrial control systems. arXiv preprint arXiv:2505.03120, (2025)","DOI":"10.1145\/3735948.3736158"},{"issue":"3","key":"1236_CR20","doi-asserted-by":"publisher","first-page":"1810","DOI":"10.1109\/TDSC.2020.3037500","volume":"19","author":"J Chen","year":"2020","unstructured":"Chen, J., Gao, X., Deng, R., He, Y., Fang, C., Cheng, P.: Generating adversarial examples against machine learning-based intrusion detector in industrial control systems. IEEE Trans. Dependable Secure Comput. 19(3), 1810\u20131825 (2020)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"1236_CR21","doi-asserted-by":"crossref","unstructured":"Ahmed, C. M.: Attackllm: Llm-based attack pattern generation for an industrial control system. In Proceedings of the 2nd International Workshop on Foundation Models for Cyber-Physical Systems & Internet of Things, pages 31\u201336, (2025)","DOI":"10.1145\/3722565.3727196"},{"key":"1236_CR22","doi-asserted-by":"crossref","unstructured":"Erba, A., Taormina, R., Galelli, S., Pogliani, M., Carminati, M., Zanero, S., Tippenhauer N. O.: Real-time evasion attacks with physical constraints on deep learning-based anomaly detectors in industrial control systems. 07 (2019)","DOI":"10.1145\/3427228.3427660"},{"key":"1236_CR23","doi-asserted-by":"crossref","unstructured":"Pham, T. S., Nguyen, Q. U., Nguyen, X. H.: Generating artificial attack data for intrusion detection using machine learning. In Proceedings of the Fifth Symposium on Information and Communication Technology, pages 286\u2013291, (2014)","DOI":"10.1145\/2676585.2676618"},{"key":"1236_CR24","unstructured":"Steinbu\u00df, G.: Calibration and Evaluation of Outlier Detection with Generated Data. PhD thesis, Karlsruher Institut f\u00fcr Technologie (KIT), (2020)"},{"key":"1236_CR25","doi-asserted-by":"crossref","first-page":"321","DOI":"10.1613\/jair.953","volume":"16","author":"synthetic minority over-sampling technique","year":"2002","unstructured":"synthetic minority over-sampling technique: Nitesh V Chawla, Kevin W Bowyer, Lawrence O Hall, and W Philip Kegelmeyer. Smote. Journal of artificial intelligence research 16, 321\u2013357 (2002)","journal-title":"Journal of artificial intelligence research"},{"key":"1236_CR26","doi-asserted-by":"crossref","unstructured":"Turowski, M., Weber, M., Neumann, O., Heidrich, B., Phipps, K., K \u00c7akmak, H., Mikut, R., Hagenmeyer, V.: Modeling and generating synthetic anomalies for energy and power time series. In Proceedings of the Thirteenth ACM International Conference on Future Energy Systems, pages 471\u2013484, (2022)","DOI":"10.1145\/3538637.3539760"},{"key":"1236_CR27","unstructured":"iTrust. Dataset and models. https:\/\/itrust.sutd.edu.sg\/itrust-labs_datasets\/dataset_info\/, 2021"},{"key":"1236_CR28","doi-asserted-by":"crossref","unstructured":"Agrawal, R., Imieli\u0144ski, T., Swami, A.: Mining association rules between sets of items in large databases. In ICMD, volume 22, pages 207\u2013216, New York, NY, USA, (1993) ACM","DOI":"10.1145\/170036.170072"},{"key":"1236_CR29","doi-asserted-by":"crossref","unstructured":"Ahmed, C. M., Umer, M. A., Salimah, B. S., Liyakkathali, B., Jilani, M. T., Zhou, J.: Machine learning for cps security: Applications, challenges and recommendations. In Machine Intelligence for Cybersecurity Applications, pages 397\u2013421. Springer,(2021)","DOI":"10.1007\/978-3-030-57024-8_18"},{"key":"1236_CR30","doi-asserted-by":"crossref","unstructured":"Umer, M. A., Mathur, A., Junejo, K. N., Adepu, S.: Generating invariants using design and data-centric approaches for distributed attack detection. IJCIP, 28:100341, (2020)","DOI":"10.1016\/j.ijcip.2020.100341"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01236-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-026-01236-y","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01236-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:21:46Z","timestamp":1776072106000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-026-01236-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,13]]},"references-count":30,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,4]]}},"alternative-id":["1236"],"URL":"https:\/\/doi.org\/10.1007\/s10207-026-01236-y","relation":{},"ISSN":["1615-5270"],"issn-type":[{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,13]]},"assertion":[{"value":"6 January 2026","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"16 February 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 March 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"70"}}