Hybrid Cybersecurity for Asymmetric Threats: Intrusion Detection and SCADA System Protection Innovations
Abstract
1. Introduction
- Developing the HAE–HRL framework by integrating CNNs, autoencoders, and ResNet–LSTM networks to enhance SCADA intrusion detection.
- Leveraging AI to process large-scale datasets and identify complex patterns that might escape human detection or circumvent conventional security measures.
- Evaluating the performance of the proposed framework in terms of its accuracy, false-positive rate, and adaptability on real-time SCADA network traffic and benchmark datasets.
- Demonstrating how hybrid DL models can enhance SCADA system security and reduce the likelihood of cybersecurity hazards.
2. Related Works
2.1. Hybrid ML-Based IDS
2.2. Optimization-Based IDS with DS-LSTM
2.3. Cyber–Physical Risk Assessment Model for SCADA
2.4. PCA–RBN with Emperor Penguin Optimization
3. Proposed Method
3.1. Novel Hybrid Framework for Intrusion Detection
3.2. Enhanced Anomaly Detection with Reduced False Positives
3.3. Improved SCADA System Security
Algorithm 1: HAE–HRL Intrusion Detection in SCADA.
Input: SCADA network traffic data (X)
Output: Detected anomalies and classified cyber threats
1: # Step 1: Data Pre-processing
2: Normalize features in using standard scaling
3: Select relevant features based on correlation or feature importance
4: Split X into a training set () and testing set ()
5: # Step 2: Feature Extraction via Hybrid ResNet
6: for each input sample in do
7:     Apply a 1D Convolutional Layer to extract spatial patterns
8:     Apply Batch Normalization and ReLU activation
9:     Pass output through residual connections (ResNet Block)
10:    Extract spatial feature vector
11: end for
12: # Step 3: Temporal Feature Learning via LSTM
13: for each do
14:    Input into LSTM to learn temporal dependencies
15:    Extract sequential feature vector
16: end for
17: # Step 4: Anomaly Detection using Autoencoder
18: Train an autoencoder model AE on (assumed normal samples)
19: for each in do
20:    Compute reconstruction error: RE = || − AE()||₂
21:    if RE > anomaly_threshold then
22:        Flag sample as anomalous
23:    end if
24: end for
25: # Step 5: Threat Classification via Softmax
26: for each anomalous do
27:    Input into the fully connected classifier
28:    Apply Softmax to output threat class probabilities
29:    Assign a predicted class label
30: end for
31: # Step 6: Model Evaluation
32: Compute metrics: Accuracy, Precision, Recall, F1-score on test data
33: # Step 7: Real-time Deployment
34: Continuously collect real-time SCADA traffic
35: Apply preprocessing → ResNet → LSTM → Autoencoder
36: Flag anomalies and classify threats in real time
37: Generate alerts for high-risk anomalies
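Steps 4 and 6 of Algorithm 1 leave two things implicit that matter in practice: how anomaly_threshold is derived from the training reconstruction errors, and how the false-positive rate the paper reports follows from the confusion counts. The following is an added example written for this page, not the HAE–HRL authors' code. It assumes the trained autoencoder AE can be replaced by any callable that returns a reconstruction; here a per-feature-mean reconstructor (a zero-width bottleneck) stands in for it so the block runs without a DL framework. The feature vectors and labels are constructed, not taken from the paper's IEC 60870-5-104 dataset.

```python
"""Steps 4 and 6 of Algorithm 1 in plain Python: L2 reconstruction error,
a threshold calibrated on the (assumed normal) training set, and the
evaluation metrics, including the false-positive rate.
Added example, not the HAE-HRL authors' code."""
import math
from statistics import mean, pstdev

# Constructed feature vectors standing in for the pre-processed SCADA traffic
# of Steps 1-3: [packets per second, IEC 104 ASDUs per second, mean
# inter-arrival time in seconds]. Values are illustrative, not from a capture.
NORMAL_TRAIN = [
    [10.0, 5.0, 1.0],
    [11.0, 5.0, 1.1],
    [9.0, 4.0, 0.9],
    [10.0, 6.0, 1.0],
    [10.5, 5.0, 1.0],
    [9.5, 5.0, 1.0],
]
TEST_SAMPLES = [
    [10.2, 5.0, 1.0],    # normal
    [9.8, 5.5, 1.0],     # normal
    [12.0, 7.0, 1.2],    # normal but unusually busy: a likely false positive
    [500.0, 5.0, 0.01],  # constructed flood-like burst (high packet rate)
    [10.0, 300.0, 1.0],  # constructed flood-like burst (high ASDU rate)
    [10.0, 5.0, 1.0],    # normal
]
TEST_LABELS = [False, False, False, True, True, False]  # True = attack


def reconstruction_error(x, x_hat):
    """RE = ||x - AE(x)||_2 (Algorithm 1, line 20)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, x_hat)))


class MeanReconstructor:
    """Stand-in for the trained autoencoder AE: a zero-width bottleneck that
    reconstructs every sample as the per-feature mean of the training data.
    Any object with __call__(x) -> x_hat can be dropped in here instead."""

    def __init__(self, normal_samples):
        n = len(normal_samples)
        dims = len(normal_samples[0])
        self.centre = [sum(s[i] for s in normal_samples) / n for i in range(dims)]

    def __call__(self, x):
        return list(self.centre)


def calibrate_threshold(model, normal_samples, k=3.0):
    """anomaly_threshold = mean + k * std of the training reconstruction errors.
    The algorithm leaves the threshold unspecified; this is one common choice."""
    errors = [reconstruction_error(x, model(x)) for x in normal_samples]
    return mean(errors) + k * pstdev(errors)


def flag_anomalies(model, samples, threshold):
    """Algorithm 1, lines 19-24: flag a sample when RE exceeds the threshold."""
    return [reconstruction_error(x, model(x)) > threshold for x in samples]


def evaluate(predicted, actual):
    """Step 6 metrics plus FPR, computed from the confusion counts."""
    tp = sum(p and a for p, a in zip(predicted, actual))
    fp = sum(p and not a for p, a in zip(predicted, actual))
    tn = sum(not p and not a for p, a in zip(predicted, actual))
    fn = sum(not p and a for p, a in zip(predicted, actual))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {
        "accuracy": (tp + tn) / len(actual),
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }


def run_demo(k=3.0):
    """Calibrate on NORMAL_TRAIN, score TEST_SAMPLES, return (threshold, flags, metrics)."""
    model = MeanReconstructor(NORMAL_TRAIN)
    threshold = calibrate_threshold(model, NORMAL_TRAIN, k)
    flags = flag_anomalies(model, TEST_SAMPLES, threshold)
    return threshold, flags, evaluate(flags, TEST_LABELS)


if __name__ == "__main__":
    threshold, flags, metrics = run_demo()
    print(f"threshold = {threshold:.3f}")
    for x, f in zip(TEST_SAMPLES, flags):
        print(f"{x!s:>22}  flagged={f}")
    print(metrics)
```

The busy-but-benign third sample is flagged, which is the mechanism behind the false-positive rates in Table 3: a threshold tight enough to catch floods also catches legitimate load spikes, and the trade-off is controlled by k (or by a percentile of the training errors). Line 18's "assumed normal samples" is the other caveat: if attack traffic leaks into the calibration set, the threshold inflates and recall drops, so the training window should be validated before the threshold is trusted.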
4. Result and Discussion
4.1. Dataset Description
4.2. Analysis of Detection Accuracy
4.3. Analysis of False Positive
4.4. Analysis of Adaptability
4.5. Analysis of Intrusion Detection
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
List of Abbreviations
SCADA | Supervisory control and data acquisition |
ML | Machine learning |
LSTM | Long short-term memory |
HAE-HRL | Hybrid autoencoder–hybrid ResNet–LSTM |
AI | Artificial intelligence |
CNN | Convolutional neural network |
IDS | Intrusion detection system |
DDoS | Distributed denial-of-service |
DL | Deep learning |
HELM | Hybrid ensemble learning model |
GWO | Grey wolf optimiser |
SVM | Support vector machine |
ELM | Extreme learning machine |
ISN | Industrial sensor networks |
FDIA | False data injection attacks |
PSO | Particle swarm optimization |
DS-LSTM | Deep sequential long short-term memory |
MDCM | Multifacet data clustering model |
GDSMO | Hybrid gradient descent spider monkey optimization |
PCA | Principal component analysis |
SVD | Singular value decomposition |
MQTT | Message queuing telemetry transport |
WSN | Wireless sensor network |
GSFTNN | Genetically Seeded Flora with transformer neural network |
RNN | Recurrent neural network |
RBN | Radial basis network |
DPI | Deep packet inspection |
LB | Load balancing |
RTU | Remote terminal unit |
ICMP | Internet control message protocol |
HMI | Human–machine interface |
DoS | Denial-of-service |
SYN | Synchronize |
IEC | International Electrotechnical Commission |
ASDU | Application service data unit |
GSF | Genetically Seeded Flora |
TNN | Transformer neural network |
IP | Internet protocol |
RSA | Rivest–Shamir–Adleman |
ECC | Elliptic curve cryptography |
QSVM | Quantum support vector machines |
QKNN | Quantum k-nearest neighbors |
ReLU | Rectified linear unit |
MITM | Man in the middle |
FPR | False-positive rate |
References
- Arumugam, S.R.; Paul, P.M.; Issac, B.J.J.; Ananth, J.P. Hybrid deep architecture for intrusion detection in cyber-physical system: An optimization-based approach. Int. J. Adapt. Control. Signal Process. 2024, 38, 3016–3039.
- Alsharbaty, F.S.; Ali, Q.I. Smart Electrical Substation Cybersecurity Model Based on WPA3 and Cooperative Hybrid Intrusion Detection System (CHIDS). Smart Grids Sustain. Energy 2024, 9, 11.
- Yadav, G.; Paul, K. Architecture and security of SCADA systems: A review. Int. J. Crit. Infrastruct. Prot. 2021, 34, 100433.
- Singh, V.K.; Govindarasu, M. Cyber kill chain-based hybrid intrusion detection system for smart grid. In Wide Area Power Systems Stability, Protection, and Security; Springer: Berlin/Heidelberg, Germany, 2021; pp. 571–599.
- Shamsuzzaman, H.M.; Mosleuzzaman, M.D.; Mia, A.; Nandi, A. Cybersecurity Risk Mitigation in Industrial Control Systems Analyzing Physical Hybrid and Virtual Test Bed Applications. Acad. J. Artif. Intell. Mach. Learn. Data Sci. Manag. Inf. Syst. 2024, 1, 19–39.
- Wai, E.; Lee, C.K.M. Seamless Industry 4.0 Integration: A Multi-layered Cyber-Security Framework for Resilient SCADA Deployments in CPPS. Appl. Sci. 2023, 13, 12008.
- Balla, A.; Habaebi, M.H.; Elsheikh, E.A.; Islam, M.R.; Suliman, F.E.M.; Mubarak, S. Enhanced CNN-LSTM deep learning for SCADA IDS featuring Hurst parameter self-similarity. IEEE Access 2024, 12, 6100–6116.
- Efiong, J.E.; Akinyemi, B.O.; Olajubu, E.A.; Aderounmu, G.A.; Degila, J. CyberSCADA Network Security Analysis Model for Intrusion Detection Systems in the Smart Grid. In Advances in Intelligent Systems, Computer Science and Digital Economics IV, Proceedings of the International Symposium on Computer Science, Digital Economy and Intelligent Systems, Wuhan, China, 11–13 November 2022; Hu, Z., Wang, Y., He, M., Eds.; Springer Nature: Cham, Switzerland, 2023; pp. 481–499.
- Balakrishna, R.; Jeyan, J.M.L. A Hybrid Model of SCADA Development with the need for Data Analytics & Time Series Analysis for Effective Load Forecasting, Data Security (DDoS) Attack Analysis & its Application in the Science & Engineering Applications. J. Basic Sci. Eng. 2024, 21, 850–870.
- Wai, E.; Lee, C.K.M. Depth in Defense: A Multi-layered Approach to Cybersecurity for SCADA Systems in Industry 4.0. Sci. Technol. Recent Updates Future Prospect. 2024, 2, 124–144.
- Alzahrani, A.; Aldhyani, T.H. Design of efficient based artificial intelligence approaches for sustainable of cyber security in smart industrial control system. Sustainability 2023, 15, 8076.
- Lakhani, P.; Alankar, B.; Ashraf, S.S.; Parveen, S. Machine Learning-Based Network Intrusion Detection System for Enhanced Cyber-security. In Advancement of Intelligent Computational Methods and Technologies; CRC Press: Boca Raton, FL, USA, 2024; pp. 55–60.
- Alimi, O.A.; Ouahada, K.; Abu-Mahfouz, A.M.; Rimer, S.; Alimi, K.O.A. A review of research works on supervised learning algorithms for SCADA intrusion detection and classification. Sustainability 2021, 13, 9597.
- Aneja, A.; Sharma, S.; Thapar, P.; Tiwari, S. Optimizing Network Intrusion Detection with Hybrid DTRJ Model: A Data Mining Approach. In Proceedings of the 2024 International Conference on Electrical Electronics and Computing Technologies (ICEECT), Greater Noida, India, 29–31 August 2024; Volume 1, pp. 1–5.
- Alem, S.; Espes, D.; Nana, L.; Martin, E.; De Lamotte, F. A novel bi-anomaly-based intrusion detection system approach for industry 4.0. Future Gener. Comput. Syst. 2023, 145, 267–283.
- Robles-Durazno, A.; Moradpoor, N.; McWhinnie, J.; Russell, G.; Porcel-Bustamante, J. Implementation and evaluation of physical, hybrid, and virtual testbeds for cybersecurity analysis of industrial control systems. Symmetry 2021, 13, 519.
- Inayat, U.; Zia, M.F.; Mahmood, S.; Berghout, T.; Benbouzid, M. Cybersecurity enhancement of smart grid: Attacks, methods, and prospects. Electronics 2022, 11, 3854.
- Saheed, Y.K.; Abdulganiyu, O.H.; Tchakoucht, T.A. A novel hybrid ensemble learning for anomaly detection in industrial sensor networks and SCADA systems for smart city infrastructures. J. King Saud Univ.-Comput. Inf. Sci. 2023, 35, 101532.
- Modbus Organization. Modbus Application Protocol Specification V1.1b3. 2012. Available online: https://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf (accessed on 20 March 2025).
- DNP Users Group. DNP3 Specification Volume 1: DNP3 Introduction, Overview, And Protocol Overview. 2020. Available online: https://www.dnp.org/About/Overview-of-DNP3-Protocol (accessed on 20 March 2025).
- International Electrotechnical Commission (IEC). IEC 60870-5-104: Telecontrol Equipment and Systems—Part 5-104: Transmission Protocols—Network Access for IEC 60870-5-101 Using Standard Transport Profiles. 2006. Available online: https://webstore.iec.ch/publication/6024 (accessed on 20 March 2025).
- Ustebay, S.; Akgün, B.B.; Gaj, P. Securing SCADA Systems: A Protocol-Based Intrusion Detection Approach with Shapley Analysis. In Proceedings of the 2024 Innovations in Intelligent Systems and Applications Conference (ASYU), Ankara, Turkiye, 16–18 October 2024; pp. 1–7.
- Al-Muntaser, B.; Mohamed, M.A.; Tuama, A.Y.; Rana, I.A. Cybersecurity Advances in SCADA Systems. Int. J. Adv. Comput. Sci. Appl. 2023, 14, 318–328.
- Mohammed, S.H.; Singh, M.S.J.; Al-Jumaily, A.; Islam, M.T.; Islam, M.S.; Alenezi, A.M.; Soliman, M.S. Dual-hybrid intrusion detection system to detect False Data Injection in smart grids. PLoS ONE 2025, 20, e0316536.
- Khadidos, A.O.; Manoharan, H.; Selvarajan, S.; Khadidos, A.O.; Alyoubi, K.H.; Yafoz, A. A classy multifacet clustering and fused optimization based classification methodologies for SCADA security. Energies 2022, 15, 3624.
- Mahmood Naser, S.; Hussain Ali, Y.; Al-Jumeily OBE, D. Hybrid cyber-security model for attacks detection based on deep and machine learning. Int. J. Online Biomed. Eng. (Ijoe) 2022, 18, 17–30.
- Sheng, C.; Yao, Y.; Fu, Q.; Yang, W. A cyber-physical model for SCADA system and its intrusion detection. Comput. Netw. 2021, 185, 107677.
- Diaba, S.Y.; Anafo, T.; Tetteh, L.A.; Oyibo, M.A.; Alola, A.A.; Shafie-Khah, M.; Elmusrati, M. SCADA securing system using deep learning to prevent cyber infiltration. Neural Netw. 2023, 165, 321–332.
- Mashtah, A.D.S. Strengthening SCADA System Security through a Novel Intrusion Detection Method Using artificial intelligence Algorithm. J. Univ. Babylon Pure Appl. Sci. 2024, 32, 221–240.
- Abushark, Y.B.; Hassan, S.; Khan, A.I. Optimized Adaboost Support Vector Machine-Based Encryption for Securing IoT-Cloud Healthcare Data. Sensors 2025, 25, 731.
- Google Dataset Search. Dataset for Network Intrusion Detection System on SCADA IEC 60870-5-104. Available online: https://datasetsearch.research.google.com (accessed on 10 March 2025).
- Roesch, M. Snort—Lightweight Intrusion Detection for Networks. In Proceedings of the 13th USENIX Conference on System Administration, Washington, DC, USA, 7–12 November 1999; pp. 229–238.
- Open Information Security Foundation. Suricata: Open Source Network Threat Detection Engine. 2010. Available online: https://suricata.io (accessed on 10 March 2025).
S. No | Methods | Advantages | Limitations |
---|---|---|---|
1 | Hybrid ELM (HELM) [18] | Enhanced detection accuracy, reduced false positives/negatives, and robustness to various attack types. | Complexity in model setup, reliance on real-time data. |
2 | Hybrid ML-based IDS [19] | Improved detection of insider risks, better data privacy handling, and security challenges. | Potential for higher computational cost and complexity in feature selection. |
3 | Dual-hybrid IDS for FDIA detection [20] | High detection accuracy, reduced false positives/negatives, efficient computational performance. | Requires DL expertise and training complexity. |
4 | Optimization-based IDS with DS-LSTM [21] | Efficient in reducing computational load, improved classification accuracy, and integrated clustering. | Dependency on optimization techniques for parameter tuning and complex integration. |
5 | Hybrid cyber-attack detection model [22] | High accuracy (91.98%), faster detection (23 s), and reduced model complexity. | Complexity of combining DL and ML techniques; performance is limited by dataset quality. |
6 | Cyber–physical risk assessment model for SCADA [23] | It helps identify network breaches, assesses risk, and improves cyber-attack detection and analysis. | Requires extensive data for modeling SCADA devices; may face difficulty in real-time detection. |
7 | Genetically Seeded Flora transformer neural network (GSFTNN) [24] | Accurate and economical, improves upon conventional signature-based systems, and has good performance metrics. | Requires substantial training data and computational resources. |
8 | PCA–RBN with Emperor Penguin optimization [25] | Reduced dimensionality, improved accuracy, good performance metrics, optimized training. | It may not generalize well to all SCADA systems and is computationally intensive during training. |
Aspect | Description |
---|---|
SCADA protocol | IEC 60870-5-104 is used for communication between the human–machine interface (HMI) and the RTU. |
Testbed setup | A physical setup simulating the electrical distribution system, including devices like RTUs, HMIs, and communication channels. |
Attack scenarios | Port scan, brute force, and DoS attacks (ICMP flood, SYN flood, IEC 104 flood). |
Attacker tools | Kali Linux is used to launch cyber-attacks on the SCADA system. |
Traffic capture | Attack scenarios are recorded in pcap format to analyze network traffic for detection. |
IDS detection tools | Snort and Suricata IDSs are used to detect malicious traffic. |
Attack types in DoS | ICMP, SYN, and IEC 104 flood attacks target SCADA communication channels. |
RTU vulnerabilities | RTU is susceptible to attacks due to its location in the community environment and limited resources. |
Security analysis | Evaluation of system performance and attack impact on SCADA system’s communication and functionality. |
Aspects | HELM | FDIA | DS-LSTM | Proposed Method (%) | Key Features |
---|---|---|---|---|---|
Anomaly detection | 75.6% | 80.9% | 85.88% | 93.38% | Autoencoder-based anomaly detection for improved accuracy |
Detection accuracy | 76.3% | 82.3% | 85.91% | 95.22% | A hybrid DL approach enhances feature extraction and classification. |
False-positive rate | 20.34% | 24.5% | 25.38% | 15.25% | Optimized filtering reduces false alarms significantly. |
Adaptability | 67.3% | 78.3% | 80.85% | 92.96% | ResNet–LSTM improves adaptability to evolving cyber threats. |
Intrusion detection | 68.24% | 79.4% | 82.87% | 92.96% | Advanced threat identification using CNN-based feature extraction |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Almalawi, A.; Hassan, S.; Fahad, A.; Iqbal, A.; Khan, A.I. Hybrid Cybersecurity for Asymmetric Threats: Intrusion Detection and SCADA System Protection Innovations. Symmetry 2025, 17, 616. https://doi.org/10.3390/sym17040616