Intrusion Detection and Identification Using Tree-Based Machine Learning Algorithms on DCS Network in the Oil Refinery

Recently, Critical Infrastructures (CI) such as energy, power, transportation, and communication have come to be increasingly dependent on advanced information and communication technology (ICT). This change has increased the connection between the Industrial Control System (ICS) supporting the CI and the Internet, resulting in an increase in security threats and allowing a malicious attacker to manipulate and control the ICS arbitrarily. On the other hand, ICS operators are reluctant to install security systems for fear of adverse effects on normal operations due to system changes. Therefore, new research is needed to detect anomalies quickly and identify attack types while ensuring the high availability of ICS. This study proposes a host-based method to detect and identify abnormalities in an Oil Refinery's Distributed Control System (DCS) network using DCS vendor-proprietary protocols using a proposed method based on the tree-based machine learning algorithm. The results demonstrate that the proposed method can effectively detect an abnormality with the eXtreme Gradient Boosting (XGB) classifier, with up to 99% accuracy. Taken together, the results of this study contribute to the accurate detection of abnormal events and identification of attack types on the network without disrupting the normal operation of the DCS in the Oil Refinery.