{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,2]],"date-time":"2026-03-02T14:31:54Z","timestamp":1772461914738,"version":"3.50.1"},"reference-count":37,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2021,2,27]],"date-time":"2021-02-27T00:00:00Z","timestamp":1614384000000},"content-version":"vor","delay-in-days":57,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Airbus Endeavr"},{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"name":"New Industrial Systems: Chatty Factories"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,2,16]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>This article presents three-tiered intrusion detection systems, which uses a supervised approach to detect cyber-attacks in industrial control systems networks. The proposed approach does not only aim to identify malicious packets on the network but also attempts to identify the general and finer grain attack type occurring on the network. This is key in the industrial control systems environment as the ability to identify exact attack types will lead to an increased response rate to the incident and the defence of the infrastructure. More specifically, the proposed system consists of three stages that aim to classify: (i) whether packets are malicious; (ii) the general attack type of malicious packets (e.g. Denial of Service); and (iii) finer-grained cyber-attacks (e.g. bad cyclic redundancy check, attack). The effectiveness of the proposed intrusion detection systems is evaluated on network data collected from a real industrial gas pipeline system. In addition, an insight is provided as to which features are most relevant in detecting such malicious behaviour. The performance of the system results in an F-measure of: (i) 87.4%, (ii) 74.5% and (iii) 41.2%, for each of the layers, respectively. This demonstrates that the proposed architecture can successfully distinguish whether network activity is malicious and detect which general attack was deployed.<\/jats:p>","DOI":"10.1093\/cybsec\/tyab006","type":"journal-article","created":{"date-parts":[[2021,3,1]],"date-time":"2021-03-01T22:45:12Z","timestamp":1614638712000},"source":"Crossref","is-referenced-by-count":31,"title":["A three-tiered intrusion detection system for industrial control systems"],"prefix":"10.1093","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5274-0727","authenticated-orcid":false,"given":"Eirini","family":"Anthi","sequence":"first","affiliation":[{"name":"Department of Computer Science and Informatics, Queens Building, Cardiff University, 5 The Parade, Roath, Cardiff CF24 3AA, Cardiff, UK"}]},{"given":"Lowri","family":"Williams","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Informatics, Queens Building, Cardiff University, 5 The Parade, Roath, Cardiff CF24 3AA, Cardiff, UK"}]},{"given":"Pete","family":"Burnap","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Informatics, Queens Building, Cardiff University, 5 The Parade, Roath, Cardiff CF24 3AA, Cardiff, UK"}]},{"given":"Kevin","family":"Jones","sequence":"additional","affiliation":[{"name":"Digital Transformation Office, Airbus, Newport, UK"}]}],"member":"286","published-online":{"date-parts":[[2021,2,27]]},"reference":[{"key":"2021030123550008800_tyab006-B1","author":"Stouffer","year":"2006"},{"key":"2021030123550008800_tyab006-B2","first-page":"72","author":"Kravchik","year":"2018"},{"key":"2021030123550008800_tyab006-B3","author":"Cybersecurity","year":"2014"},{"key":"2021030123550008800_tyab006-B4","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1109\/MSP.2011.67","article-title":"Stuxnet: dissecting a cyberwarfare weapon","volume":"9","author":"Langner","year":"2011","journal-title":"IEEE Secur Privacy"},{"key":"2021030123550008800_tyab006-B5","article-title":"Slammer worm crashed Ohio nuke plant net","volume":"20","author":"Poulsen","year":"2003","journal-title":"Register"},{"key":"2021030123550008800_tyab006-B6","author":"Defense Use Case.","year":"2016"},{"key":"2021030123550008800_tyab006-B7","first-page":"261","author":"Feng","year":"2017"},{"key":"2021030123550008800_tyab006-B8","first-page":"5","author":"Yu","year":"2015"},{"key":"2021030123550008800_tyab006-B9","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.cose.2008.08.003","article-title":"Anomaly-based network intrusion detection: techniques, systems and challenges","volume":"28","author":"Garcia-Teodoro","year":"2009","journal-title":"Comput Secur"},{"key":"2021030123550008800_tyab006-B10","first-page":"3","author":"Morris","year":"2015"},{"key":"2021030123550008800_tyab006-B11","first-page":"54","author":"Beaver","year":"2013"},{"key":"2021030123550008800_tyab006-B12","author":"Turnipseed","year":"2015"},{"key":"2021030123550008800_tyab006-B13","author":"Turnipseed","year":"2020"},{"key":"2021030123550008800_tyab006-B14","author":"Csir-procurement-guide.pdf.","year":"2019"},{"key":"2021030123550008800_tyab006-B15","doi-asserted-by":"crossref","first-page":"11994","DOI":"10.1016\/j.eswa.2009.05.029","article-title":"Intrusion detection by machine learning: a review","volume":"36","author":"Tsai","year":"2009","journal-title":"Expert Syst Appl"},{"key":"2021030123550008800_tyab006-B16","first-page":"209","author":"Sabhnani","year":"2003"},{"key":"2021030123550008800_tyab006-B17","doi-asserted-by":"crossref","first-page":"2308","DOI":"10.1109\/TII.2014.2330796","article-title":"Norms in one-class classification for intrusion detection in scada systems","volume":"10","author":"Nader","year":"2014","journal-title":"IEEE Trans Industr Inform"},{"key":"2021030123550008800_tyab006-B18","first-page":"171","author":"Bigham","year":"2003"},{"key":"2021030123550008800_tyab006-B19","doi-asserted-by":"crossref","first-page":"3104","DOI":"10.1109\/TSG.2015.2409775","article-title":"Developing a hybrid intrusion detection system using data mining for power systems","volume":"6","author":"Pan","year":"2015","journal-title":"IEEE Trans Smart Grid"},{"key":"2021030123550008800_tyab006-B20","first-page":"1","author":"Parthasarathy","year":"2012"},{"key":"2021030123550008800_tyab006-B21","first-page":"140","author":"Goh","year":"2017"},{"key":"2021030123550008800_tyab006-B22","first-page":"626","author":"Maglaras","year":"2014"},{"key":"2021030123550008800_tyab006-B23","doi-asserted-by":"crossref","first-page":"160","DOI":"10.4018\/978-1-5225-1829-7.ch009","volume-title":"Security Solutions and Applied Cryptography in Smart Grid Communications","author":"Maglaras","year":"2017"},{"key":"2021030123550008800_tyab006-B24","first-page":"174","article-title":"A specification-based intrusion detection framework for cyber-physical environment in electric power system","volume":"17","author":"Pan","year":"2015","journal-title":"Int J Netw Secur"},{"key":"2021030123550008800_tyab006-B25","first-page":"1827","author":"Linda","year":"2009"},{"key":"2021030123550008800_tyab006-B26","first-page":"1","author":"Ghaeini","year":"2019"},{"key":"2021030123550008800_tyab006-B27","first-page":"1","author":"Gao","year":"2010"},{"key":"2021030123550008800_tyab006-B28","first-page":"1058","author":"Inoue","year":"2017"},{"key":"2021030123550008800_tyab006-B29","first-page":"848","author":"Jones","year":"2014"},{"key":"2021030123550008800_tyab006-B30","author":"Darktrace: World-Leading AI for Cyber Security","year":"2020"},{"key":"2021030123550008800_tyab006-B31","author":"Veracode: Application Security Software"},{"key":"2021030123550008800_tyab006-B32","first-page":"1","author":"Drias","year":"2015"},{"key":"2021030123550008800_tyab006-B33","first-page":"16","article-title":"Guide to industrial control systems (ICS) security","volume":"800","author":"Stouffer","year":"2011","journal-title":"NIST Special Publication"},{"key":"2021030123550008800_tyab006-B34","author":"Maynard"},{"key":"2021030123550008800_tyab006-B35","author":"Weka 3.","year":"2018"},{"key":"2021030123550008800_tyab006-B36","doi-asserted-by":"crossref","first-page":"9042","DOI":"10.1109\/JIOT.2019.2926365","article-title":"A supervised intrusion detection system for smart home iot devices","volume":"6","author":"Anthi","year":"2019","journal-title":"IEEE Internet Things J"},{"key":"2021030123550008800_tyab006-B37","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1007\/978-1-4471-0123-9_3","volume-title":"Soft Computing and Industry","author":"","year":"2002"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab006\/36411319\/tyab006.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab006\/36411319\/tyab006.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,3,1]],"date-time":"2021-03-01T23:55:20Z","timestamp":1614642920000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyab006\/6153960"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,1]]},"references-count":37,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,2,16]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyab006","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2021,1,1]]},"published":{"date-parts":[[2021,1,1]]},"article-number":"tyab006"}}