Application of Local Outlier Factor algorithm in detecting Industrial Control System network attacks


Publisher

Strathmore University

Abstract

Industrial Control Systems (ICS) play a crucial role in managing and automating industrial processes across critical sectors, including energy, manufacturing, transportation, and utilities. ICS are integrated systems that combine hardware and software components to monitor, control, and optimize the functionality of industrial equipment and processes in real time. Cyber attacks increasingly target ICS and critical infrastructure such as grid systems, so it is vital to develop more secure solutions. According to a report by the Communications Authority of Kenya, there were 75,459 identified ICS attacks from January to March 2025. Machine learning-based anomaly detection techniques are necessary because intrusion detection systems (IDS) frequently miss zero-day attacks. Local Outlier Factor (LOF) could help identify anomalies in real-time ICS network traffic. A real-time ICS attack detection tool was developed using Python-based anomaly detection routines for training and testing analysis. The HAI (HIL-based Augmented ICS) dataset was used to train and test the tool. HAI is an open-source dataset collected from a realistic ICS testbed augmented with Hardware-In-the-Loop (HIL). The two stages, the training phase and the testing phase, improved analysis and detection through LOF modeling for real-time detection. The tests were conducted on a SCADA testbed configured to run on Kali Linux. Statistical deviations identified anomalies within the ICS network traffic. While offline, the tool did not identify any TCP SYN scans or IP spoofing. Challenges with computational analysis revealed the need for hybrid models, which would be possible with a more mature system.
Machine learning-based anomaly detection for ICS network traffic is an area that should be highly researched, since traditional IDSs are less effective for securing ICS: they rely primarily on signature-based detection and lack sufficient known attack signatures specific to ICS. Although LOF works well for detecting cyberthreats, large-scale deployment requires advancements in automation, computational efficiency, and false positive reduction. The improving real-time cybersecurity solutions for safeguarding vital infrastructure. Future improvements on this research could focus on optimizing LOF parameters, automated threat mitigation systems, and investigating hybrid anomaly detection techniques while improving system efficiency. Another area for future research is the adoption of LOF in large ICS infrastructures.
Keywords: Local Outlier Factor (LOF), Industrial Control Systems (ICS), Intrusion Detection Systems (IDS), HIL-based Augmented ICS (HAI), Hardware-In-the-Loop (HIL)

Description

Full-text thesis

Citation

Kibaara, E. M. (2025). Application of Local Outlier Factor algorithm in detecting Industrial Control System network attacks [Strathmore University]. https://hdl.handle.net/11071/16403
