{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,2]],"date-time":"2026-06-02T09:05:57Z","timestamp":1780391157209,"version":"3.54.1"},"reference-count":45,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2023,2,1]],"date-time":"2023-02-01T00:00:00Z","timestamp":1675209600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Australian Cybersecurity CRC"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Industrial Control Systems (ICSs) were initially designed to be operated in an isolated network. However, recently, ICSs have been increasingly connected to the Internet to expand their capability, such as remote management. This interconnectivity of ICSs exposes them to cyber-attacks. At the same time, cyber-attacks in ICS networks are different compared to traditional Information Technology (IT) networks. Cyber attacks on ICSs usually involve a sequence of actions and a multitude of devices. However, current anomaly detection systems only focus on local analysis, which misses the correlation between devices and the progress of attacks over time. As a consequence, they lack an effective way to detect attacks at an entire network scale and predict possible future actions of an attack, which is of significant interest to security analysts to identify the weaknesses of their network and prevent similar attacks in the future. To address these two key issues, this paper presents a system-wide anomaly detection solution using recurrent neural networks combined with correlation analysis techniques. The proposed solution has a two-layer analysis. The first layer targets attack detection, and the second layer analyses the detected attack to predict the next possible attack actions. The main contribution of this paper is the proof of the concept implementation using two real-world ICS datasets, SWaT and Power System Attack. Moreover, we show that the proposed solution effectively detects anomalies and attacks on the scale of the entire ICS network.<\/jats:p>","DOI":"10.3390\/s23031561","type":"journal-article","created":{"date-parts":[[2023,2,1]],"date-time":"2023-02-01T01:36:59Z","timestamp":1675215419000},"page":"1561","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":26,"title":["Correlation-Based Anomaly Detection in Industrial Control Systems"],"prefix":"10.3390","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6694-7753","authenticated-orcid":false,"given":"Zahra","family":"Jadidi","sequence":"first","affiliation":[{"name":"School of Computer Science, Queensland University of Technology, Brisbane, QLD 4000, Australia"},{"name":"School of Information and Communication Technology, Griffith University, Gold Coast, QLD 4222, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8784-0154","authenticated-orcid":false,"given":"Shantanu","family":"Pal","sequence":"additional","affiliation":[{"name":"School of Information Technology, Deakin University, Melbourne, VIC 3125, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7987-7750","authenticated-orcid":false,"given":"Mukhtar","family":"Hussain","sequence":"additional","affiliation":[{"name":"School of Computer Science, Queensland University of Technology, Brisbane, QLD 4000, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3466-9218","authenticated-orcid":false,"given":"Kien","family":"Nguyen Thanh","sequence":"additional","affiliation":[{"name":"School of Electrical Engineering and Robotics, Queensland University of Technology, Brisbane, QLD 4000, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2023,2,1]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1016\/j.icte.2018.02.001","article-title":"Cyber security of critical infrastructures","volume":"4","author":"Maglaras","year":"2018","journal-title":"ICT Express"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"1550147718794615","DOI":"10.1177\/1550147718794615","article-title":"A survey of intrusion detection on industrial control systems","volume":"14","author":"Hu","year":"2018","journal-title":"Int. J. Distrib. Sens. Netw."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"101677","DOI":"10.1016\/j.cose.2019.101677","article-title":"Cybersecurity for industrial control systems: A survey","volume":"89","author":"Bhamare","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_4","first-page":"359","article-title":"Security in Industrial Control Systems Using Machine Learning Algorithms: An Overview","volume":"314","author":"Arora","year":"2022","journal-title":"ICT Anal. Appl."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"108","DOI":"10.1016\/j.comcom.2022.11.009","article-title":"An ensemble deep federated learning cyber-threat hunting model for Industrial Internet of Things","volume":"198","author":"Jahromi","year":"2022","journal-title":"Comput. Commun."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Pal, S., Hitchens, M., Varadharajan, V., and Rabehaja, T. (2018, January 12\u201315). Policy-based access control for constrained healthcare resources. Proceedings of the 2018 IEEE 19th International Symposium on \u201cA World of Wireless, Mobile and Multimedia Networks\u201d (WoWMoM), Chania, Greece.","DOI":"10.1109\/WoWMoM.2018.8449813"},{"key":"ref_7","first-page":"102717","article-title":"Adversarial attacks on machine learning cybersecurity defences in industrial control systems","volume":"58","author":"Anthi","year":"2021","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"964","DOI":"10.1016\/j.future.2016.11.031","article-title":"Secure integration of IoT and cloud computing","volume":"78","author":"Stergiou","year":"2018","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Pal, S. (2021). Internet of Things and Access Control: Sensing, Monitoring and Controlling Access in IoT-Enabled Healthcare Systems, Springer Nature.","DOI":"10.1007\/978-3-030-64998-2"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"35355","DOI":"10.1109\/ACCESS.2018.2846590","article-title":"A real-time correlation of host-level events in cyber range service for smart campus","volume":"6","author":"Tian","year":"2018","journal-title":"IEEE Access"},{"key":"ref_11","first-page":"1117","article-title":"DAICS: A deep learning solution for anomaly detection in industrial control systems","volume":"10","author":"Abdelaty","year":"2021","journal-title":"IEEE Trans. Emerg. Top. Comput."},{"key":"ref_12","unstructured":"Hahn, A. (2016). Cyber-Security of SCADA and Other Industrial Control Systems, Springer."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Stergiou, C.L., and Psannis, K.E. (2022). Digital Twin Intelligent System for Industrial Internet of Things-Based Big Data Management and Analysis in Cloud Environments, Elsevier.","DOI":"10.1016\/j.vrih.2022.05.003"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"2467","DOI":"10.1007\/s00170-021-08001-6","article-title":"Automated detection-in-depth in industrial control systems","volume":"118","author":"Jadidi","year":"2022","journal-title":"Int. J. Adv. Manuf. Technol."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"68","DOI":"10.1109\/MCOMSTD.0001.2100007","article-title":"UAV-Based Smart Surveillance System over a Wireless Sensor Network","volume":"5","author":"Memos","year":"2021","journal-title":"IEEE Commun. Stand. Mag."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Chalapathy, R., and Chawla, S. (2019). Deep learning for anomaly detection: A survey. arXiv.","DOI":"10.1145\/3394486.3406704"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Jadidi, Z., Dorri, A., Jurdak, R., and Fidge, C. (2020\u20131, January 29). Securing manufacturing using blockchain. Proceedings of the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China.","DOI":"10.1109\/TrustCom50675.2020.00262"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3439950","article-title":"Deep learning for anomaly detection: A review","volume":"54","author":"Pang","year":"2021","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_19","unstructured":"Ribu Hassini, S., Gireesh Kumar, T., and Kowshik Hurshan, S. (2022). ICT Analysis and Applications, Springer."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"234","DOI":"10.1016\/j.cose.2019.02.008","article-title":"CorrCorr: A feature selection method for multivariate correlation network anomaly detection techniques","volume":"83","author":"Gottwalt","year":"2019","journal-title":"Comput. Secur."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"105742","DOI":"10.1016\/j.ijepes.2019.105742","article-title":"Correlation-based feature selection for resilience analysis of MVDC shipboard power system","volume":"117","author":"Kushal","year":"2020","journal-title":"Int. J. Electr. Power Energy Syst."},{"key":"ref_22","first-page":"1174","article-title":"Design Tactile Interfaces with Enhanced Depth Images with Patterns and Textures for Visually Impaired People","volume":"3","author":"Kokkonis","year":"2018","journal-title":"Int. J. Trend Sci. Res. Dev."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Su, S., Sun, Y., Gao, X., Qiu, J., and Tian, Z. (2019). A correlation-change based feature selection method for IoT equipment anomaly detection. Appl. Sci., 9.","DOI":"10.3390\/app9030437"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"101752","DOI":"10.1016\/j.cose.2020.101752","article-title":"A deep learning method with wrapper based feature extraction for wireless intrusion detection system","volume":"92","author":"Kasongo","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Petladwala, M., Ishii, Y., Sendoda, M., and Kondo, R. (2019, January 12\u201317). Canonical correlation based feature extraction with application to anomaly detection in electric appliances. Proceedings of the ICASSP 2019\u20142019 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Brighton, UK.","DOI":"10.1109\/ICASSP.2019.8683671"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Hussain, M., Foo, E., and Suriadi, S. (2019, January 16\u201318). An improved industrial control system device logs processing method for process-based anomaly detection. Proceedings of the 2019 International Conference on Frontiers of Information Technology (FIT), Islamabad, Pakistan.","DOI":"10.1109\/FIT47737.2019.00037"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"100341","DOI":"10.1016\/j.ijcip.2020.100341","article-title":"Generating invariants using design and data-centric approaches for distributed attack detection","volume":"28","author":"Umer","year":"2020","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"ref_28","unstructured":"Benesty, J., Chen, J., Huang, Y., and Cohen, I. (2009). Noise Reduction in Speech Processing, Springer."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"1986","DOI":"10.1093\/bioinformatics\/btr300","article-title":"Classification with correlated features: Unreliability of feature ranking and solutions","volume":"27","author":"Lengauer","year":"2011","journal-title":"Bioinformatics"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Haylett, G., Jadidi, Z., and Thanh, K.N. (2021, January 25\u201327). System-Wide Anomaly Detection of Industrial Control Systems via Deep Learning and Correlation Analysis. Proceedings of the IFIP International Conference on Artificial Intelligence Applications and Innovations, Hersonissos, Crete, Greece.","DOI":"10.1007\/978-3-030-79150-6_29"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Pal, S., Jadidi, Z., and Foo, E. (2022). Secure and Trusted Cyber Physical Systems: Recent Approaches and Future Directions, Springer International Publishing.","DOI":"10.1007\/978-3-031-08270-2"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"1235","DOI":"10.1162\/neco_a_01199","article-title":"A Review of Recurrent Neural Networks: LSTM Cells and Network Architectures","volume":"31","author":"Yu","year":"2019","journal-title":"Neural Comput."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Ayinde, B.O., Inanc, T., and Zurada, J.M. (2019, January 14\u201319). On correlation of features extracted by deep neural networks. Proceedings of the 2019 International Joint Conference on Neural Networks (IJCNN), Budapest, Hungary.","DOI":"10.1109\/IJCNN.2019.8852296"},{"key":"ref_34","first-page":"410","article-title":"Big data analytics in cyber security: Network traffic and attacks","volume":"61","author":"Wang","year":"2021","journal-title":"J. Comput. Inf. Syst."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Nasir, I.M., Khan, M.A., Yasmin, M., Shah, J.H., Gabryel, M., Scherer, R., and Dama\u0161evi\u010dius, R. (2020). Pearson correlation-based feature selection for document classification using balanced training. Sensors, 20.","DOI":"10.3390\/s20236793"},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"100650","DOI":"10.1016\/j.rtbm.2021.100650","article-title":"Analysis of dependency and importance of key indicators for railway sustainability monitoring: A new integrated approach with DEA and Pearson correlation","volume":"41","author":"Mane","year":"2021","journal-title":"Res. Transp. Bus. Manag."},{"key":"ref_37","unstructured":"Morris, T. (2022, October 15). Industrial Control System (ICS) Cyber Attack Datasets. Available online: https:\/\/sites.google.com\/a\/uah.edu\/tommy-morris-uah\/ics-data-sets."},{"key":"ref_38","unstructured":"(2022, October 15). Secure Water Treatment\u2014iTrust. Available online: https:\/\/itrust.sutd.edu.sg\/testbeds\/secure-water-treatment-swat\/."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Cheng, Z., Zou, C., and Dong, J. (2019, January 24\u201327). Outlier detection using isolation forest and local outlier factor. Proceedings of the Conference on Research in Adaptive and Convergent Systems, Chongqing, China.","DOI":"10.1145\/3338840.3355641"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"1851","DOI":"10.1109\/COMST.2019.2891891","article-title":"A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities","volume":"21","author":"Alshamrani","year":"2019","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Pal, S., and Jadidi, Z. (2022). Analysis of security issues and countermeasures for the industrial internet of things. Appl. Sci., 20.","DOI":"10.3390\/app11209393"},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"214","DOI":"10.1016\/j.cose.2018.03.001","article-title":"A systematic survey on multi-step attack detection","volume":"76","author":"Navarro","year":"2018","journal-title":"Comput. Secur."},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"103741","DOI":"10.1016\/j.compind.2022.103741","article-title":"Multi-step attack detection in industrial control systems using causal analysis","volume":"142","author":"Jadidi","year":"2022","journal-title":"Comput. Ind."},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Elmrabit, N., Zhou, F., Li, F., and Zhou, H. (2020, January 15\u201319). Evaluation of machine learning algorithms for anomaly detection. Proceedings of the 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), Dublin, Ireland.","DOI":"10.1109\/CyberSecurity49315.2020.9138871"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Kravchik, M., and Shabtai, A. (2018, January 15\u201319). Detecting cyber attacks in industrial control systems using convolutional neural networks. Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and Privacy, Toronto, ON, Canada.","DOI":"10.1145\/3264888.3264896"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/3\/1561\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T18:20:25Z","timestamp":1760120425000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/3\/1561"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,2,1]]},"references-count":45,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2023,2]]}},"alternative-id":["s23031561"],"URL":"https:\/\/doi.org\/10.3390\/s23031561","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,2,1]]}}}