Next Article in Journal
Reliability Estimation of Stress–Strength Model for Multi-Component System Based on Lomax Distribution Using the Survival Signature
Previous Article in Journal
Finite Element Analysis-Based Assessment of Damage Parameters for Ultra-Low-Cycle Fatigue Behavior of Structural Steels
Previous Article in Special Issue
A Novel Approach for Cyber Threat Analysis Systems Using BERT Model from Cyber Threat Intelligence Data
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Hybrid Cybersecurity for Asymmetric Threats: Intrusion Detection and SCADA System Protection Innovations

by
Abdulmohsen Almalawi
1,
Shabbir Hassan
2,
Adil Fahad
3,
Arshad Iqbal
4 and
Asif Irshad Khan
2,*
1
Department of Computer Science, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia
2
Department of Computer Science, Aligarh Muslim University, Aligarh 202002, Uttar Pradesh, India
3
Department of Computer Science, College of Computer Science & Information Technology, Al Baha University, Al Baha 65527, Saudi Arabia
4
K. A. Nizami Centre for Quranic Studies, Aligarh Muslim University, Aligarh 202002, Uttar Pradesh, India
*
Author to whom correspondence should be addressed.
Symmetry 2025, 17(4), 616; https://doi.org/10.3390/sym17040616
Submission received: 19 February 2025 / Revised: 9 April 2025 / Accepted: 15 April 2025 / Published: 18 April 2025
(This article belongs to the Special Issue Advanced Studies of Symmetry/Asymmetry in Cybersecurity)

Abstract

:
Supervisory control and data acquisition (SCADA) systems are vulnerable to cyberattacks; hence, cybersecurity is a major concern. Hybrid methodologies using advanced machine learning (ML) may increase intrusion detection and system security. The intrusion detection algorithms have little adaptability, high false-positive rates for novel threats, and restricted feature extraction. SCADA systems are subject to sophisticated attacks. This study’s hybrid autoencoder-hybrid ResNet–long short-term memory (LSTM) (HAE–HRL) architecture includes deep feature extraction, anomaly detection, and sequential analysis. This framework uses these three methods to improve threat detection. AI can scan massive amounts of data and find patterns humans and traditional systems miss. The hybrid approach gives defenders an unequal edge. Autoencoders identify anomalies, convolutional neural networks (CNNs) extract features, and hybrid ResNet–LSTM learns temporal patterns. Cyber risks are correctly classified using this method. With SCADA security and intrusion detection, the model may considerably enhance network abnormality and hostile activity detection. According to experimental tests, HAE–HRL reduces false positives and improves detection accuracy, making it a robust cybersecurity solution.

1. Introduction

Cybersecurity concerns have developed for SCADA systems, which underpin industrial automation, electricity grids, water treatment facilities, and other important infrastructure [1]. Advanced persistent threats (APT) ransomware, distributed denial-of-service (DDoS) attacks, and zero-day weaknesses are highly dangerous to SCADA networks [2]. SCADA networks have antiquated, vulnerable designs. The confluence of operational technology (OT) and information technology (IT) has expanded the attack surface and the possibility of hostile infiltration [3]. Rule-based access limitations and signature-based intrusion detection systems (IDSs) are inadequate against rising cyber threats since they employ pre-defined attack signatures and static heuristics [4]. Due to constant changes in cyber threats, these measures cannot adapt. Modern cybersecurity frameworks must leverage adaptive, real-time threat detection methods like artificial intelligence (AI), deep learning (DL), and behavioral anomaly detection to withstand dynamic cyber assaults, and this will reduce these hazards’ risks [5].
Intrusion detection is the foundation of SCADA cybersecurity. Traditional intrusion detection systems (IDSs) cannot protect against new threats and zero-day attacks because they use pre-defined signatures and rule-based techniques [6]. These systems also have large false-positive rates, which require unnecessary system interventions and lower detection mechanism confidence [7]. Machine learning algorithms generally lack the feature extraction abilities and flexibility to address SCADA security issues [8]. Although artificial intelligence, machine learning, and anomaly-based detection are potential alternatives [9], this limitation highlights the need for more sophisticated SCADA-specific intrusion detection frameworks that are cognizant of their surroundings.
A recent study provided a novel cybersecurity paradigm. Multi-modal machine learning improves SCADA intrusion detection in this model. This approach resolves key restrictions of prior methods [10]. The system improves threat identification and reduces false positives using CNNs for deep feature extraction, hybrid LSTM networks for temporal pattern analysis, and autoencoders for unsupervised anomaly detection [11]. This ensemble strategy beats earlier solutions, providing a more adaptive and resilient security solution for SCADA-deployed critical infrastructure, and this strategy seems to be better than others [12].
DDoS, ransomware, and sophisticated, persistent threats may disrupt operations and cause significant financial harm [13]. Mission-critical SCADA systems are vulnerable to these assaults because they operate in real time. By using adaptive, behavior-based threat analysis, DL approaches were altered [14]. Traditional security systems are reactive and use signature-based detection, making it hard to detect sophisticated threats. CNNs generate discriminative spatial features from raw network data, and stacked autoencoders learn regular working patterns to detect tiny irregularities [15] accurately. The suggested architecture protects against network attacks using multi-layered defenses. By examining temporal correlations in network data, LSTM networks may discover complex, multi-stage assault sequences [16]. Due to this integrated DL design, SCADA systems have a robust, real-time security mechanism to identify and prevent known and emerging cyber threats.
This research empirically evaluates the HAE–HRL framework’s SCADA system protection. The report shows significant intrusion detection improvements via comprehensive experimental investigation. The study uses benchmark datasets and real-time SCADA network traffic to test the framework [17]. The research found that the framework had greater detection accuracy and lower false-positive rates than previous methods. The findings suggest hybrid deep learning architectures may reduce cybersecurity vulnerabilities in industrial control systems by integrating hierarchical feature extraction with reinforcement learning. The framework’s ability to understand complex temporal patterns and adapt to changing threats suggests a paradigm shift toward more intelligent and autonomous critical infrastructure security solutions. This skill is significant. These results justify using advanced machine learning in industrial cybersecurity. These methods guard against known attack vectors and react to emerging threats quickly.
Motivation: Despite being vital to the nation’s infrastructure, SCADA systems are susceptible to intrusions due to their legacy architecture and interconnectedness. Cyber risks are rising, requiring powerful security systems to identify and stop complex assaults. This study builds a hybrid intrusion detection system (IDS) using deep learning to improve detection accuracy and decrease false positives. Anomaly asymmetry gives defenders a strategic edge by utilizing artificial intelligence to examine massive datasets and find complex patterns that may escape human discovery or regular security processes.
Problem statement: SCADA systems’ intrusion detection systems (IDSs) must overcome high false-positive rates, poor threat response, and poor feature extraction. Due to these shortcomings, SCADA systems are susceptible to hackers who may interrupt critical operations. This study addresses issues by increasing threat detection and SCADA system security. CNNs, autoencoders, and ResNet–LSTM networks are used in the hybrid deep learning HAE–HRL model.
Contribution of this paper
Developing the HAE–HRL framework by integrating CNNs, autoencoders, and ResNet–LSTM networks to enhance SCADA intrusion detection.
Leveraging AI to process large-scale datasets and identify complex patterns that might escape human detection or circumvent conventional security measures.
One may evaluate the performance of the suggested framework by analyzing its accuracy, false-positive rate, and adaptability to real-time SCADA network traffic and benchmark datasets.
To demonstrate how hybrid DL models may enhance SCADA system security and reduce the likelihood of cybersecurity hazards.
The article’s structure is prearranged as follows: Section 2 provides related work in the field of SCADA systems, examining existing research and developments. Section 3 details the proposed methodology of HAE–HRL, outlining its framework and implementation. Section 4 evaluates the efficiency of HAE–HRL, presenting a thorough analysis of its performance and effectiveness. Finally, Section 5 concludes the study, summarizing key results and recommending potential directions for future study.

2. Related Works

The techniques combine hybrid machine learning models, optimization methodologies, and feature selection tactics to enhance SCADA intrusion detection systems (IDSs). These models reduce false positives, improve detection accuracy, and address critical infrastructure security issues, including insider threats and cyber-physical hazards. They use ensemble learning, deep learning, and optimization [18]. The hybrid ensemble learning model (HELM) uses network sensors to identify SCADA system breaches. It uses UNSW-NB15 and MSU water system data to find breaches using an IDS. Both are water systems. Data preparation involves extracting features using a normalized PCA. The grey wolf optimiser (GWO) uses majority voting to improve classifiers, including bagging, stacking, AdaBoost, naive Bayes, and SVM. Others choose an extreme learning machine (ELM) using the bijective soft-set technique. Traditional intrusion detection systems (IDSs) struggle to meet SCADA concerns. These include outdated protocols, real-time operational restrictions, and high interpretability. Thus, researchers are using protocol-based intrusion detection. These methods examine SCADA communication protocols. These protocols include Modbus [19], DNP3 [20], and IEC 60870-5-104 [21]. These methods have proven that they can locate anomalies by detecting departures from protocol predictions.
The use of cooperative game theory-based Shapley analysis to increase the interpretability of machine learning-based intrusion detection systems is a major advance in this area. Shapley values provide a mathematical framework for quantifying each feature’s impact on model predictions. This paradigm explains why certain network actions are hazardous. SCADA operators must understand and trust intrusion detection system conclusions. Serpil Ustebay and colleagues pioneered protocol-based intrusion detection systems using Shapley analysis [22]. This method efficiently found crucial intrusion detection factors while maintaining high accuracy. Their work shows that Shapley’s analysis may bridge the gap between complex machine-learning models and operator-friendly security solutions. Despite these advances, many challenges remain. Shapley value calculation may be too difficult for real-time applications. Large SCADA networks with significant traffic volumes are particularly affected. Researchers are investigating approximation methodologies as a solution, but further optimization is needed to ensure scalability. Compatibility and performance trade-offs must be considered when combining Shapley-enhanced intrusion detection systems with earlier SCADA systems. In particular, enhanced analytics must not disrupt SCADA systems’ real-time operations.

2.1. Hybrid ML-Based IDS

To identify insider risks in SCADA systems, the study advises using ML techniques, especially ensemble and hybrid approaches [23]. By spotting intricate insider assaults and tackling issues such as data privacy and security, as well as locating pertinent threat data for training, these approaches improve intrusion detection. One practical approach for enhancing detection resilience is observed to be hybrid models. A dual-hybrid IDS capable of identifying false data injection attacks (FDIAs) in smart grids [24] is suggested here. It uses a hybrid DL classifier to combine LSTM networks with CNN. It combines GWO and particle swarm optimization (PSO) for hybrid feature selection. This approach increases computing efficiency, lowers false positives and negatives, and raises the detection accuracy.

2.2. Optimization-Based IDS with DS-LSTM

To provide a unique IDS framework for SCADA systems, the suggested method integrates clustering, optimization, and classification techniques [25]. Deep sequential LSTM (DS-LSTM) for intrusion detection, the multifaceted data clustering models (MDCMs) for pre-processing, and the hybrid gradient descent spider monkey optimizations (GDSMOs) for parameter selection form the framework. Simultaneously, it will reduce the processing time and operations of computations without compromising the higher accuracy in the classification process. The proposed mechanism identifies cyber-attack occurrence in wireless sensor networks through the intelligent hybrid model, which involves a DL hybrid model and the combination of various ML techniques. In such a mechanism, principal component analysis (PCA) and singular value decompositions (SVDs) are incorporated in a feature reduction model, which enables an accelerated detection model and decreases complexity in the developed model [26]. According to the study, the high precision rate of the message queuing telemetry transports (MQTTs) and wireless sensor network (WSN) datasets is 91.98%, and efficiency while taking a detection time of about 23 s.

2.3. Cyber–Physical Risk Assessment Model for SCADA

The proposed approach includes a cyber–physical model for SCADA systems, indicating network breaches and their risk degrees concerning industrial operations. It defines the SCADA network and devices in terms of identifying communication patterns and device state connectivity [27]. Any deviation from this paradigm is considered anomalous, prompting a risk analysis to assess potential threats and their impact. This method thus enhances the effectiveness of understanding cyberattacks by improving detection and analyses. The Genetically Seeded Flora with transformer neural network (GSFTNN) finds vulnerabilities in the SCADA system. It thus detects an operational change that would prove to be evidence of a penetration attempt using its TNN model and GSF feature optimization strategy [28]. The method is more efficient and economical than traditional signature-based systems, among approaches like ResNet, recurrent neural network (RNN), and LSTM. The following results were evaluated regarding the WUSTL-IIOT-2018 ICS SCADA cyber security data.

2.4. PCA–RBN with Emperor Penguin Optimization

The proposed technique improves intrusion detection in SCADA systems by lowering dimensionality using PCA and a radial basis network (RBN) for classification [29]. The Emperor Penguin optimization technique is meant to improve training and stop problems with fading gradients. This method preserves important information while reducing the feature count from 35 to 17, producing good performance measures: 91.22% accuracy, 92.31% precision, 94.09% recall, and 89.20% F1 score. Table 1 shows the comparison of existing methods.
Many hybrid IDS methods, including ELM, DL models, and optimization techniques like GWO, PSO, and PCA, might improve intrusiveness detection in SCADA systems. These methods progress computing efficiency, false positive/negative rates, and detection accuracy. Regarding finding vulnerabilities and cyber-attacks, dual-hybrid IDS, PCA–RBN with Emperor Penguin optimization, and GSFTNN are first picks.

3. Proposed Method

Changing cybersecurity threats requires more a sophisticated IDS. This paper investigates a hybrid DL model, CNN–LSTM, to enhance the IDS’s real-time threat detection accuracy. Multi-threaded packet processing, deep packet inspection, and anomaly detection using NSL-KDD and WSN-DS datasets improve cybersecurity. The paper also presents HAE–HRL for SCADA network security, enhancing defensive systems. To improve the identification of known and undiscovered cyber threats, the proposed HAE–HRL model employs a multi-stage hybrid DL architecture. It is especially useful for critical infrastructures like SCADA systems. To make use of each component’s capabilities in extracting features, reducing dimensionality, and analyzing temporal behavior, the model incorporates three essential components: hybrid autoencoder, ResNet, and LSTM.

3.1. Novel Hybrid Framework for Intrusion Detection

This paper presents an HAE–HRL framework combining autoencoders, CNN-based feature extraction, and a hybrid ResNet–LSTM model to increase the accuracy of cyber threat detection in SCADA systems. From the SCADA dataset, 35 important features were chosen for further analysis because they bore on attack signature patterns and network traffic behavior. Information such as IP addresses used for sending and receiving data, the size of packets, protocols used, connection timestamps, flow rates, error rates, TCP window sizes, and payload entropy are all part of this. The features were selected using correlation and mutual information analysis to improve learning efficiency and decrease redundancy. Standard ML classifiers (SVM, random forest, and KNN), CNN–LSTM, and standalone autoencoder were used as baseline models to assess the performance of the proposed HAE–HRL model. Accuracy, precision, recall, F1 score, AUC–ROC, detection rate, and false alarm rate were measured for assessment. This paper presents HAE–HRL, a novel hybrid cybersecurity framework integrating different machine-learning approaches to improve intrusion detection in SCADA systems. Our framework uses CNNs for deep feature extraction, hybrid LSTM networks for sequential pattern recognition, and autoencoders for anomaly detection, going against the grain of standard intrusion detection systems that depend on single-model techniques. This method is one of a kind since it can learn from its mistakes and identify new types of attacks with few false positives. Improved detection accuracy and enhanced resilience for SCADA security are two additional benefits of the suggested architecture over traditional approaches, which cannot adapt to changing cyber threats.
Figure 1 illustrates a general conceptual overview of how a traditional IDS operates within a network environment. In a network, a collection of computers is connected, and the IDS is crucial in identifying negative behavior. The IDS informs security personnel and logs the incident into a database for further investigation when it discovers a threat. Managing data traffic between the internal network and the World Wide Web, the firewall acts as the next barrier of defense, filtering unauthorized access before it arrives at the router. Captivatingly, the design features a surprise gift that results in a mobile device, maybe hinting at unexpected online assaults like phishing or malware.
V s w o s a n : B s o a p w + N s w
Equation (1) shows the relationship between the hybrid anomaly detection method N s w and signal fluctuations ( V s w ) in SCADA network traffic. While adding newly discovered deviations ( o s a n ) for adaptive threat detection, it maps baseline safety criteria ( B s o a p w ).
F q s p a b n : B a w u q K s o w
Using a correction factor ( F q s ) and mapping atypical patterns ( p a b n ) to weighted standard attributes ( B a w u q ), the equation shows the quantification of feature variations ( K s o w ) in SCADA detection of anomalies. By lowering the number of false positives and increasing the accuracy of cybersecurity, the equation guarantees adaptive feature scaling.
l p w s a q n : B s w u i + V a p b x
Associating aberration quantification ( l p w s ), weighted baseline parameters for security a q n , and predictive adjustment B s w u i , the equation simulates the learned forecast weight ( V a p b x ) for SCADA security. A robust anomaly classification system with few false positives is made possible by Equation (3) optimization of prediction accuracy.
The suggested HAE–HRL model’s autoencoder has a symmetrical design with a network of encoders and decoders. The three layers that make up the encoder are as follows: a dense input layer with 128 neurons, a convolutional layer with 64 filters of size 3 × 3, a ReLU activation, and finally, a max-pooling layer to reduce dimensionality. After that, a bottleneck layer of 32 neurons represents the compressed latent space. Following the same structure as the encoder, the decoder begins with an up-sampling layer and then moves on to a deconvolutional (transposed convolution) layer with 64 filters. Finally, it involves a dense output layer that uses a linear activation function to restore the initial input features.
Figure 2 illustrates a sequential hybrid architecture that integrates CNN and LSTM networks for an IDS. In this design, the CNN first extracts spatial features from the input data, which are then processed by LSTM networks to capture temporal dependencies within those features. This paper introduces a hybrid DL architecture combining CNN and LSTM, applied to the NSL-KDD and WSN-DS datasets. The process begins with data pre-processing, encompassing data cleaning, feature extraction, normalization, and CNN-based feature selection to emphasize significant attributes. A pre-defined threshold is established, enabling the selection of a refined feature subset for further analysis. Subsequently, LSTM networks take precedence, effectively handling the sequential nature of the data. The model is trained, verified, and tested to obtain optimal performance. Two approaches are finally used in classification: Binary categorization lets one distinguish between normal and abnormal activities. Type 1, Type 2, and Type N attacks constitute multiclassification. This architecture increases intrusion detection accuracy, enabling real-time cybersecurity threat identification and reducing unnecessary action.
f 2 W : L s s u e + V a l p s n V a w l s i
The function f 2 W that controls SCADA anomaly detection is represented by the equation. It connects learned risk states ( L s s u e ), predictive variations ( V a l p s n ), and adaptive adjustments to weights ( V a w l s i ). By improving the precision of detection and the efficiency of real-time intrusion categorization, Equation (4) strengthens cybersecurity.
P s w j i s n : B s w a n + J a w u e
Equation (5) represents the SCADA system’s predictive security state P s w , finding the correlation between signal deviations ( j i s n ), adaptive baseline safeguards ( B s w a n ), and just-in-time abnormal adjustments ( J a w u e . To improve detection accuracy while decreasing false positives, the equation guarantees dynamic threat adaptation.
P f r u s n w : V a w u q M s o s b e
An equation that links real-time system fluctuations P f r u s n w , adaptive variances adjustments ( V a w u q ), and multi-scale privacy enhancement ( M s o s b e ) is the prognostic function for SCADA security. By optimizing predictive adaptability, Equation (6) guarantees strong cybersecurity with few false positives.

3.2. Enhanced Anomaly Detection with Reduced False Positives

While maintaining excellent detection accuracy, using ResNet–LSTM for sequential pattern learning and autoencoders for anomaly detection helps significantly reduce false positives. Figure 3 presents a multi-threaded packet processing technique for controlling network traffic. Thread 1, starting the operation, gathers incoming packets from lines of packet acquisition. Pulling relevant data, Thread 2 packet decoding prepares data for future usage. Refining the data flow and stream processing Thread 3 ensures ordered packet treatment. Thread 4 through Thread n distributes packet processing among many packet detection threads under the load-balancing (LB) scheme. These threads enable efficient identification and analysis of network packets employing data transmission. This method ensures scalability and parallelism for real-time network monitoring, optimizing performance. Shared data applied across detection threads enhance fast threat identification and accuracy.
Deep packet inspection (DPI) and intrusion detection systems(IDSs), which provide great cybersecurity and perfect data flow, fit this paradigm as high-speed network security solutions.
g r e x a n : L s e w u s + V a s w n
The generalized response V a s w n to extracted anomalies is represented by Equation (7) g r e , which maps learned secured states ( x a n ) with reactive variances adjustments L s e w u s .
P d e r x a b n : J s e w u w J s w u q
Equation (8) shows the correlation between just-in-time security updates ( P d e r ) and adaptive quantification adjustments ( x a b n ), as well as the predictive detection ( J s e w u w ) of retrieved anomalies ( J s w u q ).
v F s y w : J a w u e + V a s u q
Equation (9) shows the variation function ( v F s ) that is applied to all identified anomalies ( y w ), connecting adaptive variety adjustments ( J a w u e ) with just-in-time updates for safety ( V a s u q ). By lowering detection errors and boosting intrusion prevention, assuring continual adaptation to emerging cyber threats, and improving SCADA security, the equation is a powerful tool. The suggested HAE–HRL model’s autoencoder has a symmetrical design with a network of encoders and decoders. The three layers that make up the encoder are as follows: a dense input layer with 128 neurons, a convolutional layer with 64 filters of size 3 × 3, a ReLU activation, and finally, a max-pooling layer to reduce dimensionality. After that, a bottleneck layer of 32 neurons represents the compressed latent space.
Traditional SCADA cryptography techniques are in grave danger with the advent of quantum computing. SCADA authentication and communication protocols, such as RSA, ECC, and Diffie–Hellman (DH), depend on computationally complex algorithms, such as integer factorization and discrete logarithms. Since quantum algorithms can solve these issues in polynomial time, many cryptographic methods are susceptible to fast decryption and key recovery, especially by Shor’s algorithm. This makes SCADA data and control commands less secure and more susceptible to interception and manipulation by malicious actors. Given the importance of SCADA systems to vital infrastructure, there is a need to move towards post-quantum cryptographic algorithms that can endure these new challenges and maintain secure communication in future operating settings, especially in light of the advent of quantum computing.
Incorporating quantum-resistant algorithms is becoming essential for safeguarding key infrastructures, including power grids, water systems, transportation networks, and industrial control systems. With the advancement in quantum computing, traditional encryption techniques such as RSA, ECC, and DH face potential threats from quantum algorithms like Shor’s algorithm. To alleviate these risks, quantum-resistant (or post-quantum) cryptographic algorithms such as lattice-based cryptography, hash-based signatures, code-based encryption, multivariate polynomial cryptography, and isogeny-based cryptography are being formulated to ensure robust security in a post-quantum era. These algorithms are designed to withstand conventional and quantum assaults, making them exceptionally appropriate for protecting data transfer, authentication methods, and control signals in critical infrastructure.
The increasing importance of quantum computing in cybersecurity makes this omission significant. Quantum algorithms, such as quantum support vector machines (QSVM) and quantum k-nearest neighbors (QKNN), can improve anomaly detection by using quantum parallelism to analyze high-dimensional data more effectively than conventional methods. Furthermore, quantum optimization methods may decrease training duration, enhance detection precision, and minimize false positives. Using the NSL-KDD dataset, Figure 4 presents a systematic strategy for cyberattack identification and classification. It assigns 20% for testing and 80% for training, starting with dataset separation. The cyber-attack training phase consists of pre-processing (numeralization and feature scaling using UV-Scaler), data organization (null feature removal and protocol-based grouping), and feature extraction. The testing phase follows a like-minded path employing pre-processing, feature extraction, and null feature elimination [30]. Non-attacked data are handled for cyber security and data security (PXORP-ECC); attacked data are recorded for further investigation.
This all-encompassing procedure aggregates security measures with ML techniques to enhance cybersecurity defensive mechanisms.
P w s a u w : L s u s q B a w u e
The weighting of anomaly signals ( P w s ) in the predictive model B a w u e is given by Equation (10), which also correlates the learned level states ( a u w ) with baseline adapting updates ( L s u s q ). The equation improves SCADA security by enhancing anomaly detection accuracy and decreasing the number of false alarms caused by adaptive security upgrades.
F e s p a n : B a s o s n + V a w a n q
Equation (11) symbolizes the function for extracting features ( p a n ) that is applied to predictive anomalies F e s , connecting the optimization of baseline security ( B a s o s n ) with adaptive variance adjustments ( V a w a n q ). Accurate feature selection, reduced false positives, and improved intrusion detection performance are ways the equation improves SCADA security. A systematic strategy for cyberattack identification and classification in SCADA networks is illustrated in Figure 4.
M w a b s n : N a w u o + V a o a p
Linking networking adaptation ( M w a ) with variance-based optimizer ( b s n ), the equation represents a model loading function N a w u o utilized on anomaly-based signals ( V a o a p ). The equation improves SCADA security by making models more flexible, decreasing detection errors, and making SCADA systems more resistant to cyber threats. The LSTM component of the HAE–HRL model may capture sequential and temporal relationships within SCADA system traffic data. To facilitate hierarchical temporal feature extraction, it comprises two stacked LSTM layers, with 128 memory units in the top layer and 64 units in the bottom layer. A dropout layer is added after each LSTM layer with a dropout rate of 0.3 to prevent overfitting. An activation function called ReLU and a fully linked dense layer consisting of 32 neurons are used to process the final temporal information. Whether multi- or binary-class classification is being performed determines the activation function the output layer uses. Using categorical cross-entropy loss training and the Adam optimizer, the LSTM module can learn time-dependent patterns that signify intrusion signs or unusual system behaviors.

3.3. Improved SCADA System Security

The framework provides exceptional cybersecurity for critical infrastructure, particularly SCADA systems, by quickly detecting network anomalies and malicious activity and addressing unique vulnerabilities. Originally designed to guard SCADA systems against cyberattacks, the innovative IDS known as the HAE–HRL framework (Figure 5), DL mixed with anomaly detection, improves security monitoring. The process begins with data preparation assured of consistent and clean input. After the prominent network characteristics are extracted, a CNN detects deviations via autoencoder reconstruction of normal patterns. Then, a hybrid ResNet–LSTM model enables the system to be flexible enough to meet changing threats by capturing temporal attack patterns. “Adaptive learning for new attack patterns” refers to the continuous model enhancement process, where the system incrementally retrains or fine-tunes the CNN–LSTM model using recently captured anomalies or zero-day attack features. This ensures that the detection model evolves and maintains its efficacy against emerging threats.
This mechanism helps the IDS move beyond static learning into a dynamic detection paradigm, where the system can proactively adapt to sophisticated, evolving threats. The HAE–HRL approach incorporates adaptive learning for novel attack patterns to improve the system’s awareness of changing or new cyber threats in SCADA settings. To keep up with evolving assault tactics, adaptive learning constantly updates model parameters and decision limits thanks to fresh data flowing in. It accomplishes its goals by including incremental updates into training cycles, which allow for fine-tuning the autoencoder and LSTM weights using fresh labeled or unlabeled input samples instead of retraining the complete model. Implemented feature drift detection techniques to track changes in input data distributions and initiate localized model updates when deviations surpass specified thresholds. Due to this feature, the system can identify new abnormalities and adjust its categorization limits appropriately, ensuring it can maintain high detection accuracy even when faced with advanced or unpredictable attacks.
P s D w u w : K s w u a J s w u q
Equation (13) shows the predictability of security decisions P s D w u w using identified anomalies ( K s w u a ), connecting knowledge-based security improvements ( J s w u q ) with immediate delivery adjustments.
P s e s w n : K s w u q + B a s u w
Equation (14) shows the predictive security improvement ( P s e ) that is applied to observed anomalies ( s w n ) by combining baseline adaptive measures ( K s w u q ) with knowledge-based security updates ( B a s u w ).
P d e a s n : L s 3 p s v a q + V a s y w
Equation (15) ( P d e ) shows the improved predictive detection for anomaly signals ( a s n ) by integrating learned security patterns ( L s 3 p s v a q ) and adaptive variance adjustments ( V a s y w ). Equation (15) guarantees dynamic adaptability to new cyber dangers, enhances anomaly categorization, and lowers false positives, all of which increase the security of SCADA systems. Anomaly detection and intrusion detection and classification are two important outcomes of the suggested HAE–HRL model. The first is based on the autoencoder stage’s reconstruction error, and the second is the result of the ResNet–LSTM layers’ assignment of each input to a specific class, such as normal, DoS, MITM, probe, or zero-day attack. The autoencoder stage performs an early anomaly filter, and a refined classification is carried out by the ResNet–LSTM block using deep spatial and temporal information. Figure 5 shows the entire technique, which combines all the main parts of the approach, such as the SCADA input data, learning modules for feature extraction, an adaptive learning mechanism, and dual-output generation. Step 4 (autoencoder) is employed for unsupervised anomaly detection. It learns the normal traffic distribution during training and flags deviations (high reconstruction error) as potential anomalies. This step does not classify threats into specific categories. It simply distinguishes “normal” from “abnormal” behavior. Step 5 (SoftMax classifier) then takes either the flagged anomalies or the latent features (from earlier layers) and performs supervised classification and labeling detected anomalies into defined cyber threat categories (e.g., DoS, MITM, spoofing).
Providing details about the CNN and LSTM designs used for comparison is crucial to ensure that all remain accessible and reproducible. Detailing the models’ structure and training concerning the number of layers, activation functions, and optimization strategies could be evaluated objectively compared to the suggested HAE–HRL framework. The convolutional and pooling layers of CNNs make them effective in feature extraction, while the sequential data architecture of LSTMs makes them great at capturing the temporal connections observed in cyberattack patterns. The resulting performance gains in context help explain whether these designs were selected as baseline models or intrusion detection optimizations. Algorithm 1 shows the HAE–HRL intrusion detection in the SCADA system. In the HAE–HRL framework, these integrations of anomaly detection and classification of two components operate in a sequential pipeline rather than in parallel. Specifically, the autoencoder-based anomaly detection functions as a preliminary filtering stage that identifies deviations from normal traffic by evaluating reconstruction error. Only those data instances flagged as anomalous are then forwarded to the classification stage, where the SoftMax classifier assigns them to specific cyber threat categories. This approach ensures that the system first isolates suspicious traffic through unsupervised learning before applying supervised classification, thereby improving detection accuracy and computational efficiency.
Algorithm 1: HAE–HRL Intrusion Detection in SCADA.
Input: SCADA network traffic data (X)
Output: Detected anomalies and classified cyber threats
1:  # Step 1: Data Pre-processing
2:  Normalize features in X using standard scaling
3:  Select relevant features based on correlation or feature importance
4:  Split X into a training set ( X t r a i n ) and testing set ( X t e s t )

5:  # Step 2: Feature Extraction via Hybrid ResNet
6:  for each input sample x in X t r a i n do
7:      Apply a 1D Convolutional Layer to extract spatial patterns
8:      Apply Batch Normalization and ReLU activation
9:      Pass output through residual connections (ResNet Block)
10:     Extract spatial feature vector f r e s n e t
11:  end for

12: # Step 3: Temporal Feature Learning via LSTM
13: for each f r e s n e t do
14:     Input f r e s n e t into LSTM to learn temporal dependencies
15:     Extract sequential feature vector f l s t m
16: end for

17: # Step 4: Anomaly Detection using Autoencoder
18: Train an autoencoder model AE on f l s t m (assumed normal samples)
19: for each f l s t m in X t e s t do
20:     Compute reconstruction error: RE = || f l s t m t e s t − AE( f l s t m t e s t )||2
21:     if RE > anomaly_threshold, then
22:         Flag sample as anomalous
23:     end if
24: end for

25: # Step 5: Threat Classification via Softmax
26: for each anomalous f l s t m do
27:     Input f l s t m into the fully connected classifier
28:     Apply Softmax to output threat class probabilities
29:     Assign a predicted class label y p r e d = a r g m a x ( p r o b a b i l i t i e s )
30: end for

31: # Step 6: Model Evaluation
32: Compute metrics: Accuracy, Precision, Recall, F1-score on test data

33: # Step 7: Real-time Deployment
34: Continuously collect real-time SCADA traffic
35: Apply preprocessing → ResNet → LSTM → Autoencoder
36: Flag anomalies and classify threats in real time
37: Generate alerts for high-risk anomalies
This paper presents a CNN–LSTM hybrid model for IDSs, improving intrusion detection by employing classification techniques and feature selection. Using NSL-KDD datasets guarantees real-time cybersecurity monitoring. Multi-threaded packet processing enhances network traffic management, while HAE–HRL enriches SCADA systems via anomaly detection and DL. The proposed systems minimize false positives, improve detection accuracy, and strengthen cybersecurity resilience. The autoencoder identifies unknown or previously unseen threats by detecting anomalies based on reconstruction error. It operates unsupervised, flagging traffic that deviates significantly from the learned normal patterns. Once an anomaly is detected, the latent representation or features extracted from that data point are passed to the classifier, which attempts to label the threat if it matches a known category. In this way, the autoencoder and the classifier are linked sequentially; the autoencoder detects novel or abnormal behavior, while the classifier interprets and labels threats that resemble known attack signatures.
In industrial settings with limited processing resources, deploying CNNs and LSTMs might provide substantial scaling issues. These DL models are inherently resource-intensive, necessitating a significant amount of memory, processing power, and energy usage. This is particularly true when they are employed for real-time intrusion detection in SCADA or other industrial control systems. Regarding DL inference tasks, industrial settings sometimes depend on outdated hardware or embedded systems that do not possess the computing capability necessary to carry them out effectively. As a consequence of this, the implementation of such models may result in latency problems, decreased throughput, or bottlenecks in the system, which would undermine the responsiveness and dependability of essential processes. In addition, the use of computer resources is further strained by the need for periodic retraining and adaptive learning, both of which are required to preserve detection accuracy in the face of ever-changing threat patterns.
A combination of hash-based cryptography and lattice-based encryption has been used to reduce the likelihood of quantum assaults, especially those that use Shor’s technique. The new cryptographic architecture incorporates a hybrid strategy to improve security in the long run by combining conventional and quantum-resistant encryption. Anomaly detection efficiency can be improved with the help of quantum-enhanced ML techniques, which have also been investigated for intrusion detection with Grover’s search algorithm. The CNN component extracts rich spatial features from SCADA traffic, capturing local dependencies. The LSTM then models the temporal sequences in the traffic data, which is especially important for time-series patterns common in cyber-attacks. The autoencoder serves as an anomaly detector, enabling the identification of previously unseen or subtle threat patterns in an unsupervised manner. Finally, the SoftMax classifier provides a supervised categorization of identified threats. Though the structure appears linear, each module performs a distinct role, and their integration is designed to create a layered defense mechanism, first detecting deviations and then classifying them.

4. Result and Discussion

Although essential for industrial activities, SCADA systems run major cybersecurity risks. Conventional intrusion detection techniques suffer in flexibility and false positives. This paper presents an HAE–HRL framework combining CNNs, autoencoders, and ResNet–LSTM to improve detection accuracy, anomaly detection, and adaptability. The method gives SCADA systems better cybersecurity, offering strong resistance against changing cyberattacks. Virtual environments with benchmark datasets and SCADA traffic scenario emulation were the only ones to evaluate the suggested methodology. This study conducted real-world industrial implementation and assessment. Therefore, the findings reflect the controlled test settings, exempt from the real-world unpredictability, hardware limits, and unexpected traffic behavior often encountered in operational SCADA setups. Performance parameters of the model, like detection latency and false-positive rate, are affected by this constraint, which makes them less generalizable.
Figure 6 highlights the false-positive rates of models. HAE–HRL has the lowest (5%), ensuring fewer incorrect alerts. The hybrid model was trained on the NSL-KDD dataset using an NVIDIA RTX 3090 GPU (Santa Clara, CA, USA), was sourced locally in Saudi Arabia, with 20 GB VRAM, 64 GB RAM, and an Intel i9-12900K processor. The total training time for 50 epochs was 3 h and 45 min, with an average epoch duration of 4.5 min. To optimize this, we utilized multi-threaded packet processing, which reduced pre-processing time by 35% compared to single-threaded baselines. Our primary experiments were conducted on the aforementioned high-performance setup. However, recognizing the resource constraints in industrial SCADA environments, we tested the model on an NVIDIA Jetson TX2. Future work will focus on reducing computational overhead and benchmarking real-time performance in industrial environments.

4.1. Dataset Description

SCADA systems must be linked to heterogeneous networks to save money, making security their biggest problem. A small-scale cyber-attack on a computer network will greatly affect SCADA systems since remote terminal units (RTUs) have limited resources. SCADA systems implementing the IEC 60870-5-104 protocol are frequently utilized in power plants [31]. A physical testbed simulates electrical distribution, providing a controlled environment for analysis and testing. Distributed SCADA systems are particularly vulnerable due to their direct integration within community infrastructure, exposing them to a wider range of potential attack vectors. This research seeks SCADA datasets. This work simulates human–machine interface (HMI)–RTU communication and then attacks to interrupt it. Attacks include port scans, brute force, and DoS. DoS attacks include internet control message protocol (ICMP), synchronize (Syn), and International Electrotechnical Commission (IEC) 104 floods. The IEC 104 flood attack overwhelms the remote terminal unit (RTU) with an unknown application service data unit (ASDU) type, disrupting normal operations. Kali Linux serves as the attack platform, while all network traffic is captured in pcap format, and IDSs such as Snort [32] and Suricata [33] analyze the dataset to detect malicious traffic patterns. The simulation environment utilized in this study is shown in Table 2.
The fundamental cryptographic procedures used to safeguard communication, authentication, and data integrity are jeopardized by quantum computing, which poses a significant challenge to the security architecture of SCADA systems. Securing control messages and establishing secure channels between field devices, RTUs, and control centers is accomplished by the majority of SCADA settings using public-key cryptography techniques like RSA and ECC. These cryptosystems, however, may be broken efficiently by quantum algorithms such as Shor’s algorithm. These algorithms solve fundamental mathematical problems, which include integer factorization and elliptic curve discrete logarithms, in a polynomial time. This would allow attackers to decrypt sensitive data, fake command authentication, and breach secure sessions, which might lead to unauthorized access to critical infrastructure. By increasing brute-force key searches, Grover’s approach may degrade symmetric encryption, reducing the effective security strength of the encryption. This is because SCADA systems are often built to have lengthy operating lifespans; thus, introducing adversaries capable of quantum computing might result in serious vulnerabilities if quantum-resistant cryptographic protocols are not proactively implemented.
Consistent trends in SCADA networks rely on anomaly detection (Figure 7). The HAE–HRL framework can separate dangerous activities from normal processes with 93.38% anomaly detection accuracy. Using autoencoders to detect deep abnormalities, the model gains unambiguous identification of deviations from expected behavior. With early identification of cyberattacks guaranteed by this high detection rate, potential ones are prevented. CNN-based feature extraction combined with ResNet–LSTM enhances anomaly detection, enhancing the system’s resilience to changing risks.
P s w a q n w : L s i o s n e + V a 3 d s n
By combining adaptive variance adjustments ( P s w ) with learned security insights ( a q n w ), Equation (16) depicts the predictive secure weighting ( L s i o s n e ) that will be used for anomaly-based queries ( V a 3 d s n ). By boosting intrusion detection accuracy, decreasing false positives, and enhancing adaptive threat categorization, the equation improves SCADA system security for anomaly detection analysis.
Figure 8 shows the accuracy of different models in detecting anomalies. HAE–HRL achieves the highest accuracy (95%), outperforming CNN, LSTM, and a traditional IDS.

4.2. Analysis of Detection Accuracy

Detection accuracy (Figure 9) is a significant metric displaying the general effectiveness of the HAE–HRL system in identifying cyber threats. With an accuracy of 95.22%, the model properly classifies most situations, assuring a consistent cybersecurity solution for SCADA systems. This remarkable accuracy reveals the extent to which deep feature extraction and sequential pattern learning aid in reducing misclassification. As it greatly exceeds traditional methods, the proposed hybrid approach is a great choice for enhancing SCADA intrusion and network anomaly detection.
P s w i s b : L a w y q + V a s o s n e
Equation (17) shows the predictive weighting of security P s w for detected security breaches ( i s b ), which combines adaptive variance scaling ( L a w y q ) with latent abnormal learning ( V a s o s n e ). The equation improves SCADA system security by minimizing false positives, strengthening cyber resilience, and modifying threat detection thresholds to analyze detection accuracy.

4.3. Analysis of False Positive

The false-positive rate (FPR) counts the percentage of allowed network activity misclassified as risks. With an FPR of 15.25%, the HAE–HRL model suggests that further optimization is needed to reduce the unwanted warnings shown in Figure 10. Reduced FPR is the foundation of SCADA security, as frequent false positives could overwhelm security personnel and induce response weariness. Although the autoencoder has remarkable accuracy, boosting its anomaly detection characteristics might increase performance and aid in lowering false alarms, thus improving intrusion detection dependability.
D s q w : N a s t + B a w o s n
Integrating networks anomaly adjustments ( D s q w : ) with baseline integrity reinforcement ( N a s t , Equation (18) reflects the decision support for querying weighting ( B a w o s n ). The equation enhances SCADA on false-positive analysis by providing an adaptive anomaly response.
Figure 11 illustrates the trade-off between true- and false-positive rates. HAE–HRL shows the best curve, indicating superior detection capability with minimal errors compared to CNN and LSTM.

4.4. Analysis of Adaptability

Finding new and changing cyber hazards in SCADA systems requires adaptability. With 92.96% adaptability, the HAE–HRL framework can fit new assault patterns (Figure 12). The model improves detection using sequential pattern recognition and DL-based feature extraction. Unlike conventional approaches that face new challenges, this hybrid technique guarantees real-time learning and adaptability. The great versatility makes the framework a future-proof cybersecurity solution for protecting vital infrastructure.
T s e o a n : L s w u w + V a s u e
The equation incorporates learned security patterns ( T s e ) with adaptive variance adjustments ( L s w u w ) to represent threat indicate evaluation ( o a n : ) for observed anomalies ( V a s u e ). Equation (19) improves the security of SCADA systems by making anomaly detection more precise and making dynamic adjustments to account for new cyber threats for adaptability analysis.

4.5. Analysis of Intrusion Detection

A key component of cybersecurity, intrusion detection guarantees quick identification of illegal access and harmful actions. With a 92.96% intrusion detection accuracy, the HAE–HRL system becomes useful in spotting cyberattacks (Figure 13). Integration of CNN-based feature extraction, autoencoders, and ResNet–LSTM guarantees strong threat detection with great accuracy and recall. This result emphasizes how capable the framework is of improving SCADA system security, therefore providing strong protection against advanced cyberattacks.
P s w u a n : B s w u a q + V a s u w e
Equation (20) incorporates baseline safety measures P s w and adaptive variable adjustments ( B s w u a q ) to provide predictive health weighting ( u a n ) for unsolved anomalies ( V a s u w e ). The equation guarantees dynamic adaptation to new cyber dangers and improves the security of SCADA systems in analyzing intrusion detection. Table 3 shows the comparison of the existing method and the proposed method.
Combining DL models under the HAE–HRL architecture enhances the security of SCADA systems. Although it increases adaptability (92.96%), its 93.38% anomaly detection accuracy and 95.22% detection accuracy considerably decrease false positives (15.25%). The proposed system ensures real-time protection against new attacks, provides a powerful, reliable cybersecurity solution for industrial systems, and detects and classifies cyber threats better than present alternatives. Further, the proposed hybrid security combines asymmetric (e.g., anomaly detection, AI) methods to create a multi-layered defense. This reduces the asymmetry in attacker–defender dynamics by addressing known and unknown threats. The proposed method identifies deviations from normal behavior, which is inherently asymmetric because attackers often exploit unknown vulnerabilities or use novel techniques. Anomaly-based detection helps defenders detect zero-day attacks and other asymmetric threats. The proposed hybrid IDS combines signature-based and anomaly-based detection to create a more balanced defense. This ensures that known and unknown threats are addressed, reducing the asymmetry in attacker–defender dynamics.
The HAE–HRL model’s adaptability was tested by adding additional attack patterns that were not in the training dataset. This method simulates SCADA system hazards. The model uses adaptive learning by retraining the autoencoder, ResNet, and LSTM hybrid layers on updated datasets with known and newly uncovered intrusion signs. This is performed inside the model. The model uses temporal relationships detected by the LSTM layer and residual reconstruction errors for feedback-driven threshold setting and anomaly score recalibration. During the adaptability study, time-series data splitting was used to include modified DoS patterns and IEC 104 flood exploitation kinds. Before and after the adaptation cycles, detection accuracy and false-positive rate were measured to assess the model’s adaptability. The hybrid cybersecurity strategy for SCADA systems shows the potential to prevent asymmetric assaults but has limitations. These restrictions show the challenges of implementing sophisticated cybersecurity solutions for susceptible infrastructure and opportunities for improvement. Pre-trained machine learning algorithms may struggle to discover new attack vectors, which is one of the model’s biggest drawbacks. Asymmetric threats are dynamic, and attacker techniques are continually evolving. The model uses adaptive learning but still takes time to recognize and respond to new danger patterns. This delay necessitates continuous upgrades and retraining. Despite being designed to scale with SCADA network complexity, the model performs poorly in large-scale installations. As the network grows, real-time threat detection and response processing resources expand fast. This may delay operations and reduce efficiency. When resources are limited, this limitation is most obvious. The effectiveness of the ML components in the model heavily depends on the availability of high-quality, labeled training data. In practice, obtaining such data for SCADA systems can be challenging due to the sensitive nature of operational data and the lack of standardized datasets. Additionally, any biases or inaccuracies in the training data can compromise the model’s performance. Despite its advanced features, the model is not immune to adversarial attacks targeting ML algorithms. Attackers could exploit vulnerabilities in the model’s decision-making processes, leading to false positives or negatives. Addressing this limitation requires ongoing research into robust and resilient machine learning techniques.

5. Conclusions

Cybersecurity still poses a big challenge, as SCADA systems are prone to network anomalies and cyber-attacks. Often, classic IDSs fail without the flexibility to react to new dangers and high false positive rates. This paper introduced CNNs for feature extraction, autoencoders to detect anomalies by utilizing the HAE–HRL framework, and a hybrid ResNet–LSTM model for sequential analysis to solve these problems. The experimental results of reducing false positives reveal that the proposed approach significantly improves detection accuracy with a 95.22% detection benchmark, 93.38% anomaly detection, and 92.96% intrusion detection. On the other hand, real-time threat detection and improved security are guaranteed by competently identifying cyber hazards in SCADA systems with the HAE–HRL design. The proposed approach enhances our ability to differentiate between legitimate and malicious behaviors while more effectively identifying complex attack patterns than traditional methods. Although the structure is robust, further refinements could reduce the false positive rate (15.25%) and address key challenges associated with intrusion detection systems (IDSs). The proposed hybrid DL method offers a promising approach to safeguard the SCADA systems from evolving risks. This framework increases cybersecurity resilience and more dependable SCADA system protection by increasing anomaly detection and classification accuracy. In the future, the enhancement of HAE–HRL architecture will be explored for real-time deployment in big-scale SCADA systems and reducing the false-positive rate, which will be the main objectives of upcoming research. Furthermore, explainable AI (XAI) techniques facilitate a deeper understanding of threat detection mechanisms, enhancing transparency and trust in cybersecurity systems. Advancing research in transfer learning and adaptive learning methodologies will improve model generalization, ensuring resilience against zero-day attacks and evolving cyber threats. This study fully intends to explore the risks of quantum technology more deeply in future research, including potential mitigation strategies such as quantum-resistant encryption and post-quantum cryptography integration within hybrid intrusion detection frameworks.

Author Contributions

Conceptualization, A.A., S.H. and A.I.K.; methodology, A.A., A.F. and A.I.; software, S.H. and A.I.; validation, A.I., S.H. and A.F.; formal analysis, S.H. and A.F.; investigation, A.A., A.F. and A.I.; resources, A.A.; data curation, S.H.; writing—original draft preparation, A.I., S.H. and A.A.; writing—review and editing, A.F. and A.I.K.; visualization, S.H. and A.F.; supervision, A.I.K.; project administration, A.I.K.; funding acquisition, A.A. All authors have read and agreed to the published version of the manuscript.

Funding

Funding for this study was received from the Deanship of Scientific Research (DSR) at King Abdulaziz University, Jeddah, under grant no. (KEP-MSc: 78-611-1443).

Data Availability Statement

Data are contained within the article.

Acknowledgments

The Deanship of Scientific Research (DSR) at King Abdulaziz University (KAU), Jeddah, Saudi Arabia, has funded this project, under grant no. (KEP-MSc: 78-611-1443).

Conflicts of Interest

The authors declare no conflicts of interest.

List of Abbreviations

SCADASupervisory control and data acquisition
MLMachine learning
LSTMLong short-term memory
HAE-HRLHybrid autoencoder–hybrid ResNet–LSTM
AIArtificial intelligence
CNNConvolutional neural network
IDSIntrusion detection system
DDoSDistributed denial-of-service
DLDeep learning
HELMHybrid ensemble learning model
GWOGrey wolf optimiser
SVMSupport vector machine
ELMExtreme learning machine
ISNIndustrial sensor networks
FDIAFalse fata injection attacks
PSOParticle swarm optimization
DS-LSTMDeep sequential long short-term memory
MDCMMultifacet data clustering model
GDSMOHybrid gradient descent spider monkey optimization
PCAPrincipal component analysis
SVDSingular value decomposition
MQTTMessage queuing telemetry transport
WSNWireless sensor network
GSFTNNGenetically Seeded Flora with transformer neural network
RNNRecurrent neural network
RBNRadial basis network
DPIDeep packet inspection
LBLoad balancing
RTURemote terminal unit
ICMPInternet control message protocol
HMIHuman–machine interface
DoSDenial-of-service
SynSynchronize (Syn)
IECInternational Electrotechnical Commission
ASDUApplication service data unit
GSFGenetically Seeded Flora
TNNTransformer neural network
IPInternet protocol
RSARivest–Shamir–Adleman
ECCElliptic curve cryptography
QSVMQuantum support vector machines
QKNNQuantum k-nearest neighbors
ReLURectified linear unit
MITMMan in the middle
FPRFalse-positive rate

References

  1. Arumugam, S.R.; Paul, P.M.; Issac, B.J.J.; Ananth, J.P. Hybrid deep architecture for intrusion detection in cyber-physical system: An optimization-based approach. Int. J. Adapt. Control. Signal Process. 2024, 38, 3016–3039. [Google Scholar] [CrossRef]
  2. Alsharbaty, F.S.; Ali, Q.I. Smart Electrical Substation Cybersecurity Model Based on WPA3 and Cooperative Hybrid Intrusion Detection System (CHIDS). Smart Grids Sustain. Energy 2024, 9, 11. [Google Scholar] [CrossRef]
  3. Yadav, G.; Paul, K. Architecture and security of SCADA systems: A review. Int. J. Crit. Infrastruct. Prot. 2021, 34, 100433. [Google Scholar] [CrossRef]
  4. Singh, V.K.; Govindarasu, M. Cyber kill chain-based hybrid intrusion detection system for smart grid. In Wide Area Power Systems Stability, Protection, and Security; Springer: Berlin/Heidelberg, Germany, 2021; pp. 571–599. [Google Scholar]
  5. Shamsuzzaman, H.M.; Mosleuzzaman, M.D.; Mia, A.; Nandi, A. Cybersecurity Risk Mitigation in Industrial Control Systems Analyzing Physical Hybrid and Virtual Test Bed Applications. Acad. J. Artif. Intell. Mach. Learn. Data Sci. Manag. Inf. Syst. 2024, 1, 19–39. [Google Scholar] [CrossRef]
  6. Wai, E.; Lee, C.K.M. Seamless Industry 4.0 Integration: A Multi-layered Cyber-Security Framework for Resilient SCADA Deployments in CPPS. Appl. Sci. 2023, 13, 12008. [Google Scholar] [CrossRef]
  7. Balla, A.; Habaebi, M.H.; Elsheikh, E.A.; Islam, M.R.; Suliman, F.E.M.; Mubarak, S. Enhanced CNN-LSTM deep learning for SCADA IDS featuring Hurst parameter self-similarity. IEEE Access 2024, 12, 6100–6116. [Google Scholar] [CrossRef]
  8. Efiong, J.E.; Akinyemi, B.O.; Olajubu, E.A.; Aderounmu, G.A.; Degila, J. CyberSCADA Network Security Analysis Model for Intrusion Detection Systems in the Smart Grid. In Advances in Intelligent Systems, Computer Science and Digital Economics IV, Proceedings of the International Symposium on Computer Science, Digital Economy and Intelligent Systems, Wuhan, China, 11–13 November 2022; Hu, Z., Wang, Y., He, M., Eds.; Springer Nature: Cham, Switzerland, 2023; pp. 481–499. [Google Scholar]
  9. Balakrishna, R.; Jeyan, J.M.L. A Hybrid Model of SCADA Development with the need for Data Analytics & Time Series Analysis for Effective Load Forecasting, Data Security (DDoS) Attack Analysis & its Application in the Science & Engineering Applications. J. Basic Sci. Eng. 2024, 21, 850–870. [Google Scholar]
  10. Wai, E.; Lee, C.K.M. Depth in Defense: A Multi-layered Approach to Cybersecurity for SCADA Systems in Industry 4.0. Sci. Technol. Recent Updates Future Prospect. 2024, 2, 124–144. [Google Scholar]
  11. Alzahrani, A.; Aldhyani, T.H. Design of efficient based artificial intelligence approaches for sustainable of cyber security in smart industrial control system. Sustainability 2023, 15, 8076. [Google Scholar] [CrossRef]
  12. Lakhani, P.; Alankar, B.; Ashraf, S.S.; Parveen, S. Machine Learning-Based Network Intrusion Detection System for Enhanced Cyber-security. In Advancement of Intelligent Computational Methods and Technologies; CRC Press: Boca Raton, FL, USA, 2024; pp. 55–60. [Google Scholar]
  13. Alimi, O.A.; Ouahada, K.; Abu-Mahfouz, A.M.; Rimer, S.; Alimi, K.O.A. A review of research works on supervised learning algorithms for SCADA intrusion detection and classification. Sustainability 2021, 13, 9597. [Google Scholar] [CrossRef]
  14. Aneja, A.; Sharma, S.; Thapar, P.; Tiwari, S. Optimizing Network Intrusion Detection with Hybrid DTRJ Model: A Data Mining Approach. In Proceedings of the 2024 International Conference on Electrical Electronics and Computing Technologies (ICEECT), Greater Noida, India, 29–31 August 2024; Volume 1, pp. 1–5. [Google Scholar]
  15. Alem, S.; Espes, D.; Nana, L.; Martin, E.; De Lamotte, F. A novel bi-anomaly-based intrusion detection system approach for industry 4.0. Future Gener. Comput. Syst. 2023, 145, 267–283. [Google Scholar] [CrossRef]
  16. Robles-Durazno, A.; Moradpoor, N.; McWhinnie, J.; Russell, G.; Porcel-Bustamante, J. Implementation and evaluation of physical, hybrid, and virtual testbeds for cybersecurity analysis of industrial control systems. Symmetry 2021, 13, 519. [Google Scholar] [CrossRef]
  17. Inayat, U.; Zia, M.F.; Mahmood, S.; Berghout, T.; Benbouzid, M. Cybersecurity enhancement of smart grid: Attacks, methods, and prospects. Electronics 2022, 11, 3854. [Google Scholar] [CrossRef]
  18. Saheed, Y.K.; Abdulganiyu, O.H.; Tchakoucht, T.A. A novel hybrid ensemble learning for anomaly detection in industrial sensor networks and SCADA systems for smart city infrastructures. J. King Saud Univ.-Comput. Inf. Sci. 2023, 35, 101532. [Google Scholar] [CrossRef]
  19. Modbus Organization. Modbus Application Protocol Specification V1.1b3. 2012. Available online: https://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf (accessed on 20 March 2025).
  20. DNP Users Group. DNP3 Specification Volume 1: DNP3 Introduction, Overview, And Protocol Overview. 2020. Available online: https://www.dnp.org/About/Overview-of-DNP3-Protocol (accessed on 20 March 2025).
  21. International Electrotechnical Commission (IEC). IEC 60870-5-104: Telecontrol Equipment and Systems—Part 5-104: Transmission Protocols—Network Access for IEC 60870-5-101 Using Standard Transport Profiles. 2006. Available online: https://webstore.iec.ch/publication/6024 (accessed on 20 March 2025).
  22. Ustebay, S.; Akgün, B.B.; Gaj, P. Securing SCADA Systems: A Protocol-Based Intrusion Detection Approach with Shapley Analysis. In Proceedings of the 2024 Innovations in Intelligent Systems and Applications Conference (ASYU), Ankara, Turkiye, 16–18 October 2024; pp. 1–7. [Google Scholar] [CrossRef]
  23. Al-Muntaser, B.; Mohamed, M.A.; Tuama, A.Y.; Rana, I.A. Cybersecurity Advances in SCADA Systems. Int. J. Adv. Comput. Sci. Appl. 2023, 14, 318–328. [Google Scholar] [CrossRef]
  24. Mohammed, S.H.; Singh, M.S.J.; Al-Jumaily, A.; Islam, M.T.; Islam, M.S.; Alenezi, A.M.; Soliman, M.S. Dual-hybrid intrusion detection system to detect False Data Injection in smart grids. PLoS ONE 2025, 20, e0316536. [Google Scholar] [CrossRef]
  25. Khadidos, A.O.; Manoharan, H.; Selvarajan, S.; Khadidos, A.O.; Alyoubi, K.H.; Yafoz, A. A classy multifacet clustering and fused optimization based classification methodologies for SCADA security. Energies 2022, 15, 3624. [Google Scholar] [CrossRef]
  26. Mahmood Naser, S.; Hussain Ali, Y.; Al-Jumeily OBE, D. Hybrid cyber-security model for attacks detection based on deep and machine learning. Int. J. Online Biomed. Eng. (Ijoe) 2022, 18, 17–30. [Google Scholar] [CrossRef]
  27. Sheng, C.; Yao, Y.; Fu, Q.; Yang, W. A cyber-physical model for SCADA system and its intrusion detection. Comput. Netw. 2021, 185, 107677. [Google Scholar] [CrossRef]
  28. Diaba, S.Y.; Anafo, T.; Tetteh, L.A.; Oyibo, M.A.; Alola, A.A.; Shafie-Khah, M.; Elmusrati, M. SCADA securing system using deep learning to prevent cyber infiltration. Neural Netw. 2023, 165, 321–332. [Google Scholar] [CrossRef]
  29. Mashtah, A.D.S. Strengthening SCADA System Security through a Novel Intrusion Detection Method Using artificial intelligence Algorithm. J. Univ. Babylon Pure Appl. Sci. 2024, 32, 221–240. [Google Scholar] [CrossRef]
  30. Abushark, Y.B.; Hassan, S.; Khan, A.I. Optimized Adaboost Support Vector Machine-Based Encryption for Securing IoT-Cloud Healthcare Data. Sensors 2025, 25, 731. [Google Scholar] [CrossRef] [PubMed]
  31. Google Dataset Search. Dataset for Network Intrusion Detection System on SCADA IEC 60870-5-104. Available online: https://datasetsearch.research.google.com (accessed on 10 March 2025).
  32. Roesch, M. Snort—Lightweight Intrusion Detection for Networks. In Proceedings of the 13th USENIX Conference on System Administration, Washington, DC, USA, 7–12 November 1999; pp. 229–238. [Google Scholar]
  33. Open Information Security Foundation. Suricata: Open Source Network Threat Detection Engine. 2010. Available online: https://suricata.io (accessed on 10 March 2025).
Figure 1. Conceptual overview of traditional intrusion detection system (IDS) operation in a network environment.
Figure 1. Conceptual overview of traditional intrusion detection system (IDS) operation in a network environment.
Symmetry 17 00616 g001
Figure 2. A sequential hybrid architecture combining a CNN for spatial feature extraction with LSTM networks to model temporal dependencies in the extracted features.
Figure 2. A sequential hybrid architecture combining a CNN for spatial feature extraction with LSTM networks to model temporal dependencies in the extracted features.
Symmetry 17 00616 g002
Figure 3. Illustration of multi-threaded packet processing for efficient network traffic control.
Figure 3. Illustration of multi-threaded packet processing for efficient network traffic control.
Symmetry 17 00616 g003
Figure 4. Illustrated systematic strategy for cyberattack identification and classification in SCADA networks.
Figure 4. Illustrated systematic strategy for cyberattack identification and classification in SCADA networks.
Symmetry 17 00616 g004
Figure 5. HAE–HRL: AI-driven cybersecurity framework or SCADA systems with DL-enhanced anomaly detection.
Figure 5. HAE–HRL: AI-driven cybersecurity framework or SCADA systems with DL-enhanced anomaly detection.
Symmetry 17 00616 g005
Figure 6. Comparative analysis of false-positive rates (FPR) across different models.
Figure 6. Comparative analysis of false-positive rates (FPR) across different models.
Symmetry 17 00616 g006
Figure 7. Anomaly detection analysis: assessing model effectiveness and precision.
Figure 7. Anomaly detection analysis: assessing model effectiveness and precision.
Symmetry 17 00616 g007
Figure 8. Illustration of comparative analysis of model accuracy in anomaly detection.
Figure 8. Illustration of comparative analysis of model accuracy in anomaly detection.
Symmetry 17 00616 g008
Figure 9. Detection accuracy–evaluating the effectiveness of the HAE–HRL system in identifying cyber threats.
Figure 9. Detection accuracy–evaluating the effectiveness of the HAE–HRL system in identifying cyber threats.
Symmetry 17 00616 g009
Figure 10. Analysis of false positives: assessing the impact on detection reliability.
Figure 10. Analysis of false positives: assessing the impact on detection reliability.
Symmetry 17 00616 g010
Figure 11. ROC curve comparison: visualizing the trade-off between true- and false-positive rates.
Figure 11. ROC curve comparison: visualizing the trade-off between true- and false-positive rates.
Symmetry 17 00616 g011
Figure 12. Analysis of adaptability: evaluating system flexibility and responsiveness.
Figure 12. Analysis of adaptability: evaluating system flexibility and responsiveness.
Symmetry 17 00616 g012
Figure 13. Analysis of intrusion detection: evaluating the effectiveness and efficiency of detection systems.
Figure 13. Analysis of intrusion detection: evaluating the effectiveness and efficiency of detection systems.
Symmetry 17 00616 g013
Table 1. The comparison of existing methods.
Table 1. The comparison of existing methods.
S. NoMethodsAdvantagesLimitations
1Hybrid ELM (HELM) [18]Enhanced detection accuracy, reduced false positives/negatives, and robustness to various attack types.Complexity in model setup, reliance on real-time data.
2Hybrid ML-based IDS [19]Improved detection of insider risks, better data privacy handling, and security challenges.Potential for higher computational cost and complexity in feature selection.
3Dual-hybrid IDS for FDIA detection [20]High detection accuracy, reduced false positives/negatives, efficient computational performance.Requires DL expertise and training complexity.
4Optimization-based IDS with DS-LSTM [21]Efficient in reducing computational load, improved classification accuracy, and integrated clustering.Dependency on optimization techniques for parameter tuning and complex integration.
5Hybrid cyber-attack detection model [22]High accuracy (91.98%), faster detection (23 s), and reduced model complexity.The complexity of combining DL and ML techniques is limited by dataset quality.
6Cyber–physical risk assessment model for SCADA [23]It helps identify network breaches, assesses risk, and improves cyber-attack detection and analysis.Requires extensive data for modeling SCADA devices may face difficulty in real-time detection.
7Genetically Seeded Flora transformer neural network (GSFTNN) [24]Accurate and economical, improves upon conventional signature-based systems, and has good performance metrics.Requires substantial training data and computational resources.
8PCA–RBN with Emperor Penguin optimization [25]Reduced dimensionality, improved accuracy, good performance metrics, optimized training.It may not generalize well to all SCADA systems and is computationally intensive during training.
Table 2. Simulation environment.
Table 2. Simulation environment.
MetricsDescription
SCADA protocolIEC 60870-5-104 is used for communication between the human–machine interface (HMI) and the RTU.
Testbed setupA physical setup simulating the electrical distribution system, including devices like RTUs, HMIs, and communication channels.
Attack scenariosPort scan, brute force, and DoS attacks (ICMP flood, SYN flood, IEC 104 flood).
Attacker toolsKali Linux is used to launch cyber-attacks on the SCADA system.
Traffic captureAttack scenarios are recorded in pcap format to analyze network traffic for detection.
IDS detection toolsSnort and Suricata IDSs are used to detect malicious traffic.
Attack types in DoSICMP, SYN, and IEC 104 flood attacks target SCADA communication channels.
RTU vulnerabilitiesRTU is susceptible to attacks due to its location in the community environment and limited resources.
Security analysisEvaluation of system performance and attack impact on SCADA system’s communication and functionality.
Table 3. Comparison of existing methods and proposed method.
Table 3. Comparison of existing methods and proposed method.
AspectsHELMFDIADS-LSTMProposed Method in RatioKey Features
Anomaly detection75.6%80.9%85.88%93.38%Autoencoder-based anomaly detection for improved accuracy
Detection accuracy76.3%82.3%85.91%95.22%A hybrid DL approach enhances feature extraction and classification.
False-positive rate20.34%24.5%25.38%15.25%Optimized filtering reduces false alarms significantly.
Adaptability67.3%78.3%80.85%92.96%ResNet–LSTM improves adaptability to evolving cyber threats.
Intrusion detection68.24%79.4%82.87%92.96%Advanced threat identification using CNN-based feature extraction
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Almalawi, A.; Hassan, S.; Fahad, A.; Iqbal, A.; Khan, A.I. Hybrid Cybersecurity for Asymmetric Threats: Intrusion Detection and SCADA System Protection Innovations. Symmetry 2025, 17, 616. https://doi.org/10.3390/sym17040616

AMA Style

Almalawi A, Hassan S, Fahad A, Iqbal A, Khan AI. Hybrid Cybersecurity for Asymmetric Threats: Intrusion Detection and SCADA System Protection Innovations. Symmetry. 2025; 17(4):616. https://doi.org/10.3390/sym17040616

Chicago/Turabian Style

Almalawi, Abdulmohsen, Shabbir Hassan, Adil Fahad, Arshad Iqbal, and Asif Irshad Khan. 2025. "Hybrid Cybersecurity for Asymmetric Threats: Intrusion Detection and SCADA System Protection Innovations" Symmetry 17, no. 4: 616. https://doi.org/10.3390/sym17040616

APA Style

Almalawi, A., Hassan, S., Fahad, A., Iqbal, A., & Khan, A. I. (2025). Hybrid Cybersecurity for Asymmetric Threats: Intrusion Detection and SCADA System Protection Innovations. Symmetry, 17(4), 616. https://doi.org/10.3390/sym17040616

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop