Scientific journal «Вестник науки»

Dikhanbayev S.A., Serek A.

ANALYSIS OF ATTACK DETECTION METHODS ON CRITICAL INFRASTRUCTURE BASED ON BEHAVIORAL ANOMALIES

Abstract:
The increasing digitization of critical infrastructure systems—such as energy, water, transportation, and finance—has significantly expanded the surface for cyberattacks. Traditional signature-based intrusion detection methods are no longer sufficient to address advanced persistent threats and novel attack vectors that exploit behavioral weaknesses. This article presents a comprehensive analysis of behavioral anomaly detection methods as a proactive approach to securing critical infrastructure. By evaluating statistical, machine learning, and hybrid models using benchmark datasets like CICIDS2017, SWaT, and NSL-KDD, the study identifies key strengths and limitations of current techniques. It highlights the importance of context-aware modeling, real-time monitoring, and human behavior integration to reduce false positives and improve detection accuracy. The paper further explores emerging technologies, including federated learning and explainable AI, that enhance the adaptability and transparency of detection systems. Findings suggest that a holistic, behavior-focused strategy is essential for enhancing cyber resilience and mitigating risks across critical infrastructure sectors.

Keywords:
anomaly detection, critical infrastructure, cybersecurity, machine learning, ICS security, cyber resilience, real-time monitoring


DOI 10.24412/2712-8849-2025-586-1278-1287

Introduction.

Critical infrastructure systems—including power grids, water treatment facilities, transportation networks, and financial systems—form the backbone of national security and public safety. The increasing integration of digital technologies into these infrastructures has improved efficiency and control but has simultaneously introduced unprecedented vulnerabilities [1, p. 18]. These systems are now prime targets for cyberattacks, which can result in severe societal and economic consequences, from power outages to disruptions in healthcare or banking services. Traditional attack detection methods, which rely heavily on signature-based intrusion detection or perimeter defenses, are insufficient in identifying sophisticated or novel attack patterns [2, p. 2]. Given that many attacks now blend into normal network traffic and evolve dynamically, there is an urgent need to explore behavior-based detection methods capable of identifying subtle indicators of compromise before significant damage occurs.

Behavioral anomaly detection has emerged as a promising paradigm in cybersecurity. It focuses on identifying deviations from established baselines of system or user behavior, which may signal a cyberattack or insider threat [3, p. 4]. This is particularly relevant in critical infrastructure, where operational continuity and safety are paramount and where attackers often seek to remain stealthy by mimicking legitimate behavior.

Recent high-profile cyber incidents, such as the Colonial Pipeline ransomware attack and the compromise of Ukraine’s power grid, underscore the urgent need for adaptive, intelligent detection techniques. These attacks not only exploited system vulnerabilities but also involved lateral movement, privilege escalation, and behavioral deception—tactics that signature-based systems often miss [4, p. 6].
Therefore, analyzing and enhancing behavioral anomaly detection methods is essential for protecting critical infrastructure from increasingly complex and persistent cyber threats.

The application of behavioral anomaly detection extends across all sectors of critical infrastructure. In energy systems, it enables early detection of disruptions caused by malicious commands or data manipulation. In healthcare, it helps prevent data breaches and tampering with patient records. In finance, it identifies abnormal transaction patterns that may indicate fraud or advanced persistent threats (APTs).

From a socio-economic standpoint, improved detection capabilities reduce the likelihood of catastrophic failures, financial losses, and threats to public safety. For example, a 2022 report by IBM estimated that the average cost of a data breach in critical infrastructure was over $4.82 million, with significantly higher stakes in sectors like healthcare and energy. Investing in behavioral detection not only enhances operational resilience but also reduces long-term costs associated with incident response and recovery.

2. State of the art.

2.1 Common Detection Methods.

Traditional cyberattack detection approaches primarily fall into three categories: signature-based, rule-based, and anomaly-based methods. Signature-based systems like Snort or Suricata detect known attack patterns by comparing incoming traffic to a database of signatures. While effective against previously identified threats, these systems fail to recognize novel or zero-day attacks.

In contrast, behavioral anomaly detection methods build a profile of "normal" behavior using statistical models, machine learning algorithms, or time-series analyses. Any significant deviation from the learned baseline is flagged as potentially malicious [7, p. 110].
This approach is particularly relevant to critical infrastructure systems, where even minor anomalies can signal serious threats (Cárdenas et al., 2008). Recent research shows that unsupervised learning models—such as k-means clustering, isolation forests, and autoencoders—are commonly applied in Industrial Control System (ICS) networks to detect anomalies without relying on labeled attack data [8, p. 2]. Supervised models like Random Forests and Support Vector Machines (SVM) are also used when attack-labeled datasets are available (Ring et al., 2019).

Furthermore, hybrid models that combine both statistical and machine learning techniques are emerging as a powerful approach to balance false positive rates and detection accuracy, especially in dynamic environments like ICS and SCADA systems (Ahmed et al., 2016).

2.2 Recent Studies and Solutions.

Numerous studies have addressed behavioral detection in the context of critical infrastructure. For instance:

SWaT dataset analysis: Goh et al. applied deep learning models such as LSTM-based sequence prediction to detect anomalies in a water treatment plant. Their results showed high detection rates and low false positives, highlighting the promise of deep learning in ICS environments [6, p. 90].

CICIDS2017: This dataset, which simulates real-world enterprise traffic, has been widely used to train anomaly detection models. Studies using ensemble methods and deep neural networks have demonstrated over 95% detection accuracy [7, p. 115].

NSL-KDD: Despite being older and criticized for lack of modern attack representation, it remains a benchmark for validating new algorithms. Improved preprocessing and feature selection have enabled better detection outcomes even with basic classifiers [9, p. 4].

Researchers have also explored context-aware anomaly detection, where system state (e.g., sensor values or actuator status) is used to increase the precision of alerts. For instance, Lin et al. (2020) proposed a method integrating operational context with behavior modeling in ICS, significantly reducing false alarms caused by legitimate fluctuations in sensor readings.

2.3 Gaps and Limitations.

Despite substantial progress, several gaps persist:

Lack of real-time, scalable solutions: Many detection models are tested in offline environments. Real-time deployment faces challenges in processing large volumes of streaming data with low latency [10, p. 25].

Data imbalance and scarcity: Many datasets, especially in ICS, are heavily imbalanced, with far fewer attack instances than normal data. This skews model training and reduces detection effectiveness.

Contextual ambiguity: Behavioral baselines often fail to account for operational mode changes (e.g., maintenance vs. production), leading to false positives.

Limited generalizability: Detection models trained on one dataset often fail when applied to different environments due to differences in protocols, traffic patterns, and system configurations.

Thus, while existing behavioral detection methods show promise, they require enhancements in contextual awareness, adaptability, and integration with operational processes in critical infrastructure.

2.4 Conclusion.

As critical infrastructure systems become increasingly digitized and interconnected, their vulnerability to cyber threats grows correspondingly. Behavioral anomaly detection offers a vital solution by shifting focus from identifying known attack signatures to recognizing deviations in normal operations — a paradigm better suited to detect sophisticated and novel threats in real time.

This article has reviewed the landscape of behavioral anomaly detection methods, particularly in the context of industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA), and other critical environments.
It highlights that while statistical models and machine learning techniques such as LSTM, autoencoders, and clustering algorithms have demonstrated strong potential, they often face practical limitations including lack of contextual sensitivity, scalability challenges, and limited real-world deployment.

Moreover, significant research gaps persist — especially in creating models that adapt to operational changes, detect low-frequency but high-impact events, and integrate human behavioral baselines. False positives remain a persistent issue, particularly when operational context is not considered. To address these challenges, future approaches must integrate real-time monitoring, edge-computing deployments, explainable AI, and feedback-based learning systems.

From a socio-economic perspective, strengthening anomaly detection capabilities in critical sectors — like power, water, healthcare, and finance — reduces downtime, prevents catastrophic damage, and protects national security. Thus, investment in behavioral anomaly detection is not just a technical imperative but a strategic one for any government or organization tasked with securing essential services.

3. Discussion.

The review of current behavioral anomaly detection methods underscores both their strengths and limitations in safeguarding critical infrastructure. While signature-based systems remain foundational in many enterprise security architectures, their ineffectiveness against zero-day attacks and polymorphic malware renders them inadequate for ICS and SCADA environments. Behavioral detection, in contrast, introduces a much-needed layer of intelligence and adaptability.

Human Behavior and Context Sensitivity:

One of the recurring themes in the literature is the critical role of human behavior in both causing and detecting anomalies. Many attacks exploit legitimate user privileges — such as phishing leading to credential compromise — making behavioral modeling of users and operators essential.
However, most current detection frameworks inadequately distinguish between anomalous behavior caused by adversaries and that arising from non-malicious events such as maintenance, configuration changes, or operator errors.

This challenge calls for the integration of context-aware anomaly detection, which enhances models by incorporating domain-specific factors like operation states, thresholds, and historical trends. Contextual modeling, when combined with feedback loops from human analysts, offers promise in reducing false positives and increasing trust in autonomous detection systems.

Toward Real-Time and Adaptive Detection:

Another key requirement for critical infrastructure is real-time monitoring. Systems such as power grids and water treatment plants operate continuously, and delayed threat detection can result in irreversible damage. However, many academic studies still rely on batch-processed models that analyze pre-collected data.

To address this, future research should explore stream-based learning algorithms, online clustering, and edge-based deployment of detection agents. Deploying lightweight models at the sensor level or integrating detection into programmable logic controllers (PLCs) could help shift detection capabilities closer to the attack surface.

Current behavioral detection models often stop at flagging anomalies without offering actionable insights. For practical utility, integration with automated response mechanisms — such as network segmentation, dynamic policy enforcement, or alert prioritization — is essential.

Moreover, integrating anomaly detection systems with SIEMs (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) platforms enables faster triage and cross-correlation with other event sources.
This is particularly valuable in SOC (Security Operations Center) environments tasked with protecting critical assets.

Emerging Research Trends:

Several promising directions are emerging:

Deep Learning and Attention Models: While LSTMs are common in sequential behavior modeling, recent approaches use Transformers with attention mechanisms to better capture long-term dependencies [13, p. 1334].

Federated Learning: Particularly suited for distributed critical infrastructure, federated learning allows models to be trained across multiple devices or organizations without sharing raw data, preserving privacy while benefiting from collaborative knowledge [14, p. 55].

Digital Twins: Virtual replicas of physical systems (e.g., substations or pipelines) can simulate various attack scenarios and system behaviors, supporting anomaly detection in a controlled but realistic environment.

Explainable AI (XAI): Transparency in why a model flagged a behavior as anomalous is essential in high-stakes environments. Explainable models can help operators trust and act upon alerts, reducing incident response time and increasing adoption.
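The baseline-deviation approach of section 2.1, the contextual-ambiguity gap of section 2.3 and the stream-based detection called for in section 3 can be seen together in one small program. What follows is an added example written for this page, not code from the paper or from any of the studies it cites: it keeps a Welford running mean and variance per operational mode for a single tank-level sensor and compares three baselining choices on a constructed stream containing a maintenance window and a short attack window. The sensor model, the mode names "production" and "maintenance", the +8 offset used to represent a manipulated reading, the 3-sigma threshold and all function names are assumptions made for the example.

```python
"""Context-aware streaming anomaly detection for one ICS sensor.

Added example (not the paper's code). Compares a single baseline with a
per-mode baseline on a constructed tank-level stream. All values assumed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RunningStats:
    """Welford's online mean/variance: one pass, constant memory, stream-friendly."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class BaselineDetector:
    """Flags a reading whose z-score against the learned baseline exceeds the threshold.

    context_aware=True keeps one baseline per operational mode (the context-aware
    modeling the paper discusses); False keeps a single baseline for every reading.
    """

    def __init__(self, threshold: float = 3.0, context_aware: bool = True):
        self.threshold = threshold
        self.context_aware = context_aware
        self.baselines: Dict[str, RunningStats] = {}

    def _key(self, mode: str) -> str:
        return mode if self.context_aware else "any"

    def fit(self, readings: List[Tuple[float, str]]) -> None:
        """Offline training on known-clean, mode-labelled readings."""
        for value, mode in readings:
            self.baselines.setdefault(self._key(mode), RunningStats()).update(value)

    def observe(self, value: float, mode: str) -> Tuple[float, bool]:
        """Score one streaming reading; returns (z_score, is_anomalous)."""
        stats = self.baselines.get(self._key(mode))
        if stats is None or stats.n < 2:
            return math.inf, True  # no baseline for this mode: surface it rather than guess
        z = abs(value - stats.mean) / max(stats.std(), 1e-6)
        anomalous = z > self.threshold
        if not anomalous:
            stats.update(value)  # learn only from readings judged normal, so a sustained attack cannot drag the baseline toward itself
        return z, anomalous


def tank_level(t: int, mode: str, attack: bool = False) -> float:
    """Constructed sensor model: production sits near 50, maintenance (drained tank)
    near 20, both with a periodic 1-unit swing; an attack adds a +8 offset."""
    base = 50.0 if mode == "production" else 20.0
    return base + math.sin(2 * math.pi * t / 20) + (8.0 if attack else 0.0)


def training_data(modes: List[str]) -> List[Tuple[float, str]]:
    """40 clean samples (two full swing periods) for each requested mode."""
    return [(tank_level(t, m), m) for m in modes for t in range(40)]


def evaluation_stream() -> List[Tuple[float, str, bool]]:
    """Constructed stream: production, a maintenance window, production, then 10 attacked readings."""
    stream, t = [], 0
    for mode, attack, length in [("production", False, 20), ("maintenance", False, 20),
                                 ("production", False, 20), ("production", True, 10)]:
        for _ in range(length):
            stream.append((tank_level(t, mode, attack), mode, attack))
            t += 1
    return stream


def evaluate(detector: BaselineDetector, stream) -> Dict[str, int]:
    counts = {"false_positives": 0, "true_positives": 0, "missed": 0}
    for value, mode, is_attack in stream:
        _, flagged = detector.observe(value, mode)
        if flagged and not is_attack:
            counts["false_positives"] += 1
        elif flagged and is_attack:
            counts["true_positives"] += 1
        elif is_attack:
            counts["missed"] += 1
    return counts


def compare() -> Dict[str, Dict[str, int]]:
    results = {}
    # (a) one baseline learned from production only: maintenance looks like an attack
    d = BaselineDetector(context_aware=False)
    d.fit(training_data(["production"]))
    results["single_baseline_production_only"] = evaluate(d, evaluation_stream())
    # (b) one baseline learned from both modes: inflated variance hides the attack
    d = BaselineDetector(context_aware=False)
    d.fit(training_data(["production", "maintenance"]))
    results["single_baseline_mixed"] = evaluate(d, evaluation_stream())
    # (c) one baseline per mode: no false positives, attack still detected
    d = BaselineDetector(context_aware=True)
    d.fit(training_data(["production", "maintenance"]))
    results["per_mode_baseline"] = evaluate(d, evaluation_stream())
    return results


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:35s} {counts}")
```

Running it prints one row per configuration. The production-only baseline flags all 20 maintenance readings as anomalies, the mixed baseline absorbs the maintenance readings into its variance and then misses all 10 attacked readings, and only the per-mode baseline detects the attack with no false positives. Because the detector refuses to learn from readings it has flagged, a mode it was never trained on is reported as "no baseline" rather than silently adapted to; in a deployment that is where the analyst feedback loop the paper describes would confirm a legitimate new mode and add a baseline for it.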

Journal issue: Вестник науки No. 5 (86), vol. 4

Citation:

Dikhanbayev S.A., Serek A. ANALYSIS OF ATTACK DETECTION METHODS ON CRITICAL INFRASTRUCTURE BASED ON BEHAVIORAL ANOMALIES // Вестник науки No. 5 (86), vol. 4, pp. 1278-1287, 2025. ISSN 2712-8849 // Electronic resource: https://www.вестник-науки.рф/article/23428 (accessed: 08.07.2025)


Alternative link in Latin characters: vestnik-nauki.com/article/23428
