Intrusion Detection in Critical Infrastructures: A Literature Review

Abstract

Over the years, the digitization of all aspects of life in modern societies is considered an acquired advantage. However, like the terrestrial world, the digital world is not perfect and many dangers and threats are present. In the present work, we conduct a systematic review on the methods of network detection and cyber attacks that can take place in a critical infrastructure. As is shown, the implementation of a system that learns from the system behavior (machine learning), on multiple levels and spots any diversity, is one of the most effective solutions.

1. Introduction

Nowadays, the tremendous development of technology has resulted in the permeation of it in all sectors of industries and infrastructures. This phenomenon is inevitable because modern societies have increased demands of resources to function properly [1]. Due to the extensive use of technology, production can be increased and society’s demands handled [2]. These infrastructures are called critical infrastructures due to the significant roles that they play. However, the adoption of technologies in the function of critical infrastructures allows several attacks to exploit the vulnerabilities of the critical infrastructures [3]. The scientific community tries to detect the vulnerabilities, possible threats, and attacks in critical infrastructures to develop security systems that prevent those attacks. One of the most well-known and commonly applied types of attack is the intrusion attack.

Today, countries have to support the increased resources that societies need to remain functional and protect their economies from crises. For this reason, countries rely on infrastructures (assets, industries, and systems) to handle and provide the required resources such as energy, communications, transportation, etc. We characterize as critical infrastructures the group of infrastructures that handle important resources such as power grids, water treatment plants, health services, and any other service which relates to the maintenance of the national economy, health, and security. The most crucial of the critical infrastructures are energy, water, transportation, and communications [4] since these infrastructures handle resources for the majority of operations of modern societies. Moreover, all critical infrastructures are interconnected and interdependent between them and with the sectors of the economy. This strong association between the critical infrastructure sectors means that damage in one service of a sector or even worse the loss of one sector will undoubtedly affect, to the same or a greater degree, the other critical infrastructures.

The large necessity of countries to satisfy the aforementioned requirements caused a rapid inflow of technology in the critical infrastructures to control their operations and maximize their performances. However, these computer systems have vulnerabilities and there are threats to their security. The high rate of cyber attacks in critical infrastructures such as the well-known Stuxnet malware, whose goal was to damage a nuclear power plant in Iran [5], confirms the necessity to develop algorithms, techniques, and software to counteract such attacks.

This research focuses on intrusion detection in critical infrastructures. More specifically, we refer to some of the most common attacks that can be used by the attacker to take the control of a system or cause damage to it. Furthermore, this research contains a description of techniques and models which have been implemented in several intrusion detection systems. The contributions and novelty of the article are:

• We present some of the most used and well-known attacks which could harm a critical infrastructure and cause serious problems and damages;
• We present a short analysis of machine learning and deep learning models and methods which are used in intrusion detection systems, as shown in the literature;
• We conduct several experiments by generating DoS (Denial of Service Attacks) attacks in order to measure packet loss and response delay;
• We evaluate the efficiency of several machine learning techniques against several attacks by using a publicly available dataset;
• We discuss our findings and propose several future research directions.

The rest of this research is organized as follows: In Section 2, we present the related work with critical infrastructures’ vulnerabilities and threats, types of attacks, e.g., phishing, SQL injection, etc. Section 3 presents some of the most used intrusion attack methods along with the proposed IDS models from the literature that use either machine or deep learning. In Section 4, we evaluate common DOS attacks using our experimental small network section and we also present the accuracy of common ML techniques against a dataset that includes a wide variety of intrusions simulated in a military network environment. Finally, Section 5.2 includes the conclusions that we draw from this research.

2. Related Work

Critical infrastructures are a significant sector of every country and, for this reason, it is crucial to know which are the threats and vulnerabilities in such systems and possible attacks in order to find a way to prevent and confront them. The research effort presented in [6] gives emphasis on the recent SCADA systems vulnerabilities and recommends ways for the improvement of the security in crucial components of SCADA systems in industrial infrastructures. Additionally, the authors of [7] present the main threats in critical infrastructures, security measures for these threats, and an overview of the categories of cyberattack techniques. In [8], the vulnerabilities and the threats in critical infrastructures are presented, and possible solutions are recommended. In [9], the authors present a review of the existing sniffing attacks, variations of these attacks, and prevention and detection techniques. Moreover, in [10], the authors presented a review of SQL injection attacks. The next paper introduces a survey of phishing attacks [11]. The research article in [12] investigates brute force attacks which aim to find the configurations of an IoT network.

The development of several types of systems to ensure the security of critical infrastructures is the result of the need to deal with the threats and attacks in critical infrastructures such as nuclear power plants [13]. Scholars have proposed a number of technical measures that include technological tools to prevent [14,15], defend [16], detect [17], mitigate [18], and respond to cyber attacks. One way to check if a system is being attacked or an intruder has gained access to it is to detect abnormal behavior. The authors of [19] present the similarities, differences, and limitations of the most used tools for fault diagnosis and cybersecurity. In [20], the authors present a real-time anomaly-based Intrusion Detection System (IDS), which has the goal to detect attacks in industrial process levels of critical infrastructures. In [21], the authors present a survey of data mining techniques adopted to detect anomalies in data or reveal if a system attacked. The authors of [22] introduce a new method for intrusion detection that relies on an incremental clustering algorithm and adopts the DBSCAN algorithm. The authors of [23] propose a new algorithm for attack detection based on an autoencoder. In [24], the authors present a new algorithm to prevent users from phishing. Again, the DBSCAN algorithm is adopted, but in combination with a technique named RD-TIA [25], which clusters the data based on their features as phishing or legitimate, in an effort to increase the accuracy of the algorithm. An extended version of an isolation forest was introduced by the authors of [26] for fault detection in hydroelectric plants. Furthermore, in [27], a deep learning approach using a Long Short Term Memory (LSTM) architecture and Recurrent Neural Network (RNN) aims to create an intrusion detection system. Additionally, ref. [28] studies the comparison between the naïve Bayes classifier and hidden Markov model. Both models are applied to detect spam emails. In [29], a detailed analysis is presented for seven deep learning models such as Convolutional Neural Networks (CNNs), recurrent neural networks, etc., and their performances for intrusion detection are tested. The authors of [30] evaluate some of the most well-known machine learning models for intrusion detection. Finally, the research [31] presents an evaluation of the performance of restricted Boltzmann machines when they were applied to detect intruders in an anomalous network intrusion detection system.

3. Intrusion Attack Methods

Critical infrastructures, as mentioned before, have a crucial role in the functioning of society. Hence, countries try to improve their efficiency and at the same time reduce the time and production cost. However, some of the improvements that the countries apply to achieve this goal have created vulnerabilities in critical infrastructure systems. Hence, these vulnerabilities allow attackers to overcome the security of those systems and gain access to systems with privileges that are not permitted to have. Below, we give a short description of intrusion attack methods.

Brute-force attack: This is one of the most well-known attacks. The operation of this attack type is simple and relies on the computing power of the attacker’s computer system. Specifically, the attacker tries to find the correct combination of username and password using an exhaustive search of passwords and usernames. Usually, these attacks use tools to find the proper letters and symbols that constitute the password and the username. An attack that belongs to this category is a Dictionary attack which tries to find the correct username and password searching through a dictionary with common words and phrases that could be the password or username.

Buffer overload: This kind of attack has as goal to overwrite the data that exists in memory to gain control of the system. More specifically, the attacker gives as input to a program—more data than the buffer can handle. As a result, the data overcome the buffer boundary and the additional data stored in adjacent memory locations. The attackers use this attack in order to cause a Denial of Service (DoS) situation or in cases where the memory is well-defined can find the part of memory where the executable code of the system is stored and replace it with their own executable code. In the second case, the attacker can take the control of the system and intervene in the program operation.

Phishing: Phishing is a fraud type attack [32] that tries to delude the users by impersonating someone else, e.g., a company, which the user (victim) trusts. Often in these attacks, the attackers send an email that seems to be legitimate but it is not. The email that the user receives contains a malware file or insecure link. Hence, the attacker hopes the user (victim) will open the attachment file or link and the malware will be installed on the victim’s computer. The previous process has the result that the attacker has access to sensitive data such as passwords, usernames, etc. Some of the most common types of phishing listed below are referred to in [33]:

• Clone phishing;
• Spear phishing;
• Social networking on mobile;
• Gaming phishing;
• DNS base phishing;
• Live chat;
• Whaling;
• Filter evasion.

SQL injection: In this type of intrusion attack, the attacker sets an SQL statement as an input in the application’s input box in order to gain access to the database. The success of the attack results in the intruder gaining the permission to execute malicious code and harm the database or, even worse, retrieve sensitive data. The risks associated with SQL injection attacks and classification of SQL injection attack types are presented in detail.

Sniffer attack: Frequently, applications transmit packages over the transmission channel to exchange information with each other. A Sniffer attack is a process where the attacker captures, decodes, inspects and interprets the data in these packages. The context of these packages is usually passwords, usernames, etc.—i.e., important data. There are two types of Sniffer attacks, active and passive. In an active Sniffer attack, the attacker interacts with network traffic and the victim can detect if someone spies him and steal packages. On the other hand, in a passive Sniffer attack the victim does not has the ability to realize if someone performs a Sniffer attack because the attacker does not interact with network traffic.

Trojan horses: Trojan horses are programs that contain the attacker’s malware file in order to camouflage the malware from the victim’s systems defenses. In particular, the attackers use these programs attached to an email or in free downloaded files and programs to insert their malicious code in the victim’s computer or to performs any other attack they want. Frequently, trojan horses are used by attackers as backdoors to gain access to a system.

4. Intrusion Detection Systems

Models and algorithms in intrusion detection systems: In this chapter, we present some of the most well-known algorithms and models which can be applied into an implementation of an intrusion detection system (IDS), since the existence of anomalies in data may denote that an intruder has access to our computer system. The models presented below belong to the areas of machine and deep learning.

4.1. Machine Learning Models

K-Means: K-Means is one of the most popular and used unsupervised algorithms. This algorithm tries to minimize the distance of points in a cluster with their centers. The K-Means takes as input a dataset of n data points, i.e., $D=d_0,d_1,\dots ,d_n$ and the number of clusters $\left(K\right)$ that we want to cluster the data need to be predefined. The steps of the K-Means algorithm are enumerated as follow:

• From the dataset, D are randomly chosen K data points to be the centers of the K clusters;
• Every data point in D are assigned in the cluster whose centers is nearest to the examined data point;
• After the completion of step 2, we recalculate the center of each cluster only based on the data point which belongs to the cluster;
• When the new cluster’s centers are the same as the cluster’s centers of previous iteration, the algorithm output the clusters. Otherwise, we iterate from step 2.

The K-Means algorithm is a simple and efficient method for intrusion detection systems because it has the ability to cluster and classify tremendous volumes of high-dimensional numerical data.

Naive Bayes classifier: The naive Bayes classifier is based on Bayes’ theorem. The algorithm uses the Bayes theorem which has the ability to calculate the probability of an event occurring when we know the probability of another event that has already occurred. This probability can be calculated using the formula $P(c$|$x)=(P(x$ |$c)*P(c\left)\right)/\left(P\right(x\left)\right)$.

In the above equation, $P(c$|$x)$ is the probability of the target class (C) given predictor (x, attributes), P(C) is the prior probability of target class (C), $P(x$|$c)$ is the likelihood which is the probability of the predictor given class and P(x) is the prior probability of the predictor. More specifically, the posterior probability is calculated constructing a frequency table for each attribute against the target class. Then, the frequency tables are transformed to likelihood tables and used in combination with Equation (1) to calculate the posterior probability for each class. The class with the highest posterior probability is the outcome of prediction. The goal is to predict the correct class for a new instance.

K-nearest neighbors classifier: This algorithm is based on distance/similarity between two data. Specifically, the algorithm classifies a given data x using the following steps: (i) calculate the distance/similarity to all the data based on a function; (ii) sort the outcome of the function in ascending order; (iii) select the top K data of the ascending order; (iv) classify the given data x in the majority class of the top k nearest data. The most common approach of KNN uses the Euclidean distance between the data to detect the top K nearest neighbors.

DBSCAN: The DBSCAN (Density-Based Spatial Clustering of Applications with Noise) is one of the most widely used algorithms for performing clustering. DBSCAN processes the data based on the density that they have and for this reason it belongs in the category of density-based algorithms. The goal of DBSCAN is to assign the examined data points to subsets, i.e., clusters, and detect possible anomalies in the dataset. Assume a set of n points $P=p_0,p_1,\dots ,p(n-1)$ and each data point $p_i$,i $ϵ$ [0,n) belongs to some d-dimensional space R ∧ d with d $ϵ$ N. Hence, the DBSCAN, in order to cluster the points that belong in P, uses two parameters: The first is $ϵ$, which is the radius of the neighborhood around a data point (calculated by a distance metric) that determines the data points that are very close to a data point under consideration. The second parameter is the minimum number of points minPts that $p_i$ has to be connected in its neighborhood to be characterized as a core point.

Decision trees: Decision trees are used for classification processes. A decision tree is designed upside down with the root at the top. It consists of the root node, the interval nodes, and leaves, and all these components are connected with branches. The root node is the beginning of the tree, each interval node represents an attribute/feature, and every leaf represents a class in which the data will be classified. The general step for the creation of a decision tree can be summarized in the following steps: (i) beginning from the root node, which contains the complete dataset, we defined as D; (ii) find the best attribute/feature in the dataset based on an Attribute Selection Measure (ASM); (iii) divide the D into subsets that contain possible values for the best attributes/features; (iv) construct the internal node, which contains the best attribute; (v) the algorithm repeats steps three and four recursively to construct new internal nodes using each time the subsets were created from the third step. The algorithm stops when it cannot further classify the data, abd the last node is the leaf node which contains the classes of the data. The paper [34] contains an anomaly-based intrusion detection system using a CART decision tree.

SVM: Support vector machine is a supervised machine learning classification algorithm which is usually used in IDS systems. SVM is mostly used for binary classification problems and has as goal to find the appropriate hyperplane to maximize the distance between two classes. A hyperplane is a threshold which separates the data into two classes in the best way. In a two-dimensional space, we can image the hyperplane as a line which separates the data into two groups/classes. Hence, SVM makes sure to select the appropriate hyperplane. The data points which are closest to the hyperplane are called support vectors. SVM is used in both linear separable cases and linear non-separable cases. In linear separable cases, SVM plots the data in a n-dimensional space where each feature of data corresponds to one dimension and tries to find the hyperplane that maximizes the distance between the two classes. On the other hand, in linear non-separable cases, SVM introduces two concepts: soft margin and kernel tricks. SVM uses the soft margin approach in an effort to balance the trade-off between the maximization of distance between the classes and the misclassification. Alternatively, SVM adopts kernel trick, where the kernel maps the data into a new higher-dimensional space so that the original non-linear data can be separated.

Isolation forest: This algorithm is used to identify the anomaly data creating decision trees over random attributes. The idea behind the algorithm is that if a forest of random decision trees produces shorter path lengths for some points, then these points are highly likely to be anomalies. The algorithm starts with the training phase, i.e., the construction of the isolation trees. In the first step, a subset of training dataset is selected. The second step of the construction is to randomly choose an attribute r and a random value of this attribute between its min and max values; this value is called the split value. In the third step, a data point is selected and if it has a value smaller than the "split value" for the attribute r, then that point is sent to the left branch. Otherwise, the point is sent to the right branch. The second and the third steps are repeated recursively over the subset until a complete data point isolation, or a predetermined tree depth limit is reached. After the training phase is completed, the testing phase begins. In this phase, every examined data x has to pass over all isolation trees to obtain its path length h(x). The anomaly score for the x is calculated as follows:

$$s(x,n)=2^{-E\left(h\right(x\left)\right)/c\left(n\right)}$$

(1)

where

$$E\left(h\left(x\right)\right)={\mathsf{\Sigma }}_{i=1}^t{h}_i\left(x\right)/t$$

(2)

is the average path length of x over t isolation trees and $c\left(n\right)$ is the average path length of unsuccessful search in Binary Search Tree.

$$c\left(n\right)=2H(n-1)-\left(2\right(n-1)/n)$$

with

$$H\left(i\right)=ln\left(i\right)+\gamma$$

where $\gamma$ is the Euler’s constant. Generally, if the score is close to 1, then the examined data point is considered as an anomaly. Otherwise, if the anomaly score is smaller than 0.5, it is considered as a normal datum.

4.2. Deep Learning Models

Autoencoders: Autoencoders belong to unsupervised learning algorithms. An autoencoder in its simplest form consists of three components, an encoder, code, and decoder. An encoder is a feed-forward, fully connected neural network which has a goal to compress the input data vector into a latent space representation and encode it in a reduced dimension. The code contains the reduced data vector and sets it as input to the decoder. The decoder has the same structure but inversed, i.e., the first layer of the decoder has the same size as the last layer of the decoder. The operation of an autoencoder starts with the transformation of the input data vector into lower dimensions (encoder). The output of the encoder is stored in the code. After that, the autoencoder tries to reconstruct the initial input from the compressed data vector (decoder). There are many types of autoencoders. There are many types of autoencoders. Below we refer to some of the most used autoencoders types: convolutional autoencoders, variational autoencoders, denoising autoencoders and deep autoencoders.

RNN: Recurrent neural networks (RNNs) are a type of artificial neural network used in cases of processing sequential and time-series data. RNNs take as input a sequence of data and, from them, produce a sequence of outputs. The difference between the classical neural networks and the RNNs is depicted with the presence of a “hidden” state vector which represents the context based on prior input(s)/output(s). This means that the output depends on two parameters; the current input and the sequence of previous inputs. A simple implementation of RNN can be mathematically formulated by the following equations:

$$h_t={\sigma }^{\left(h\right)}(W^{\left(h\right)}{h}_{t-1}+W^{\left(x\right)}{x}_t)$$

(3)

$$y_t={\sigma }^{\left(y\right)}(W^{\left(y\right)}{h}_t)$$

(4)

In these equations, $x_t$ represents the input for the current timestamp t, $h_t$ and $h_{t-1}$ represent the hidden state vector for the current and previous timestamps, respectively. Additionally, the dense matrices are defined by $W^{\left(h\right)},W^{\left(x\right)},W^{\left(y\right)}$ and the activation functions are represented by ${\sigma }^{\left(h\right)},{\sigma }^{\left(y\right)}$. One important characteristic is that the RNNs have the same weight parameter within each layer of the network in contrast with traditional neural networks.

LSTM: Long short-term memory networks are a type of recurrent neural network (RNN) which have the ability to overcome the long-term dependency issue of recurrent networks. Many times, information from previous timestamps have important effects on the output of a model. Due to the ability of LSTMs to remember information for long time, LSTMs are a common choice for time-series models. A classical LSTM consists of four neural network layers. Each LSTM module contains a forget gate, an input gate, an output gate and a cell state. The basic component is the cell state which passes through the repeating modules. The forget gate decides how much of the memory from the previous module should be maintained. The input gate takes into consideration the input at current timestamp, the output of the previous output and combines them with an output activation function. The output gate decides based on the information from the input at current timestamp, the previous output and an output activation function the new output.

1D convolutional neural networks (CNN): CNNs are a deep learning model of feed-forward neural-networks. The most common version of CNNs is 2D CNNs which are applied in image processing. However, in intrusion detection systems they can be more effective than 1D CNNs due to the way they process the data. More specifically, 2D CNNs kernel move horizontally across the data whereas 1D CNNs move vertically. The architecture of CNNs contains two types of layers CNN-layers and MLP-layers. In CNN layers, the 1D convolutions and sub-sampling functions are applied. The list of hyper-parameters below forms the configuration of a 1D CNN.

• Number of hidden CNN and MLP layers;
• Kernel size in each CNN layer;
• Subsampling factor in each CNN layer;
• The chosen pooling and activation functions.

The paper [35] include a survey in 1D convolutional neural networks and present the applications in which they can be applied.

5. Evaluation of Attacks and Detection Mechanisms

The purpose of our section is to generate DoS (Denial of Service) attacks as well as deploy countermeasures against them. Both the attacks and their results will be presented in detail along with some detection mechanisms.

5.1. Attacks

Denial of service attacks aim to deny machine or network resources to certain users by interrupting the services of the host that are connected to the Internet. Such attacks are usually carried out by flooding a machine with unnecessary requests, overloading it, thus preventing the fulfillment of real requests. The scripts are located in Github Source Code (https://github.com/DeStC3/DosAttacksAndCountermeasures, accessed on 25 August 2021).

DDoS attacks are similar, except that incoming requests to the victim now come from multiple sources (distributed), making DDoS attacks more efficient, as it is almost impossible to block all target destinations of the attack.

All of these attacks are usually a derivative of some specialized tools available on many Linux operating systems, or programming language packs that take advantage of the basic principles of network structures and their principles used in an OS to easily generate scripts/attacks. In the simplest variations of these, the technique is usually to send a large volume of packets to the target, while in more complex ones, botnets or tools such as MyDoom or Slowloris can be used, along with sending packets of various protocols.

UDP Flood: A UDP Flood attack floods the target with a large number of User Datagram (Protocol) protocol packages. The general goal is to find random ports of the system, with the result that it repeatedly tries to check the application listening to this port; when none is found, then it sends back, in response, an ICMP package with the information “Destination Unreachable”. Obviously in large volumes, network resources start to run out of downloads and send, possibly leading to denial of access. Our version of a UDP Flood follows this simple standard, creating a udp packet and then sending it to the target for a specific period of time. Here, we assume that we already know the IP of the target as well as which ports are open in its system.

SYN Flood: SYN Flood exploits a known vulnerability in the TCP connection sequence, the three way handshake, where a SYN request to start a TCP connection must receive an SYN-ACK response from the host and then send back an ACK response. In such an attack, the request sender sends many SYN requests, but either does not respond to SYN-ACK with its own ACK, or sends requests from fake IPs. In any case, the host system waits for the response to each request, freezing resources until it can not create new connections, leading to denial of service.

To create our own attack, we used Python’s scapy package, which is widely used in such cases. Initially, fake IPs are created for a number of packets, as well as TCP packets that are sent. Due to problems using the scapy classes, the addresses and packet data were based on the template, but were inserted directly into the shipment function as it was the only suggested solution that bypassed the object creation problem.

ICMP Attack: Similar to UDP attacks, ICMPs send a large number of echo requests without expecting a response. They are able to consume incoming and outgoing bandwidth, as the system is forced to constantly send back reply packets, delaying it considerably. Our ICMP attack module creates and sends packets, the number of which is user-defined and determines the duration of the attack at a rate of about 10 to 1 (10 packs per second).

Ping of Death: An attack of this type typically involves sending malicious or malicious pings to a computer. The maximum size of an IP packet is about 64 bytes, including the header. However, the data link layer sets some upper limits on size, usually the maximum frame size. So, sometimes a large package is split into smaller fragments when sent, while the recipient reassembles them into a whole, which can create a buffer overflow on the memory pieces assigned to the package by creating denial of service for regular data packets. and allowing malware to be installed. For this attack, which runs on a number of packets, a false IP address is created each time it is used to create the packet before it is sent to the recipient.

5.2. Evaluation Results

The attacks were carried out on two machines which are in the same network, connected to two different router devices. For convenience, the target machine has its firewall turned off while the only processes running in the background are those that monitor the system network devices (nload, netstat, tcpdump) and the process that measures the device network response (ping in the address google.com). At the same time, the fact that the router/modem devices that provide the internet connection have their own firewalls that are locked to the active one by the provider must be taken into account. When the system is in a healthy state, the response time for the ping google.com command is 68–69 ms depending on the execution time with no data loss.

The results of the attacks vary, depending on the type of each (see Figure 1 and Figure 2). The Ping of Death and SYN Flood attacks proved to be stronger, with the former creating a very large percentage of packet loss (80%), which makes sense considering its model as well as the size of the packages shipped, while SYN creates the longer network response delays (up to 500 ms) due to the commitment of network resources to validate the handshake for each TCP packet.

The UDP and ICMP attacks proved to be less effective, a phenomenon based on the simplistic model they follow. Of course, the ICMP attack crisis must also be based on the settings of the target machine. A conventional machine (PC) has very few ports listening to the ICMP protocol and more TCP/UDP so most packets do not reach the target effectively. Of course, if the target was a configured mail-server, obviously the configured ports listening in the mail protocol would be higher in number and the attack would be more efficient.

5.3. Intrusion Detection Systems

Finally, we decided to test several ML methods against several attacks since usually the implementation of an IDS system follows a more dynamic approach using different machine learning models. By choosing a dataset that contains a number of malicious and normal connections to a network, we can train a system so that by inputting a link with the same number of arguments as the dataset, it can decide and inform the administrator of a network for malicious connections and packets. We decided to implement an IDS which will use machine learning to detect suspicious links and test it on the KDD CUP 1999 Dataset (http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, accessed on 25 August 2021) We used several algorithms (Gaussian naïve Bayes, decision tree, random forest, support vector classifier, logistic regression, gradient descent) and the findings are shown in Figure 3.

6. Conclusions—Discussion

Over recent years, the need for shielding critical infrastructure has become more and more and more urgent. The security of the product or service produced, through one almost completely automated process, and the elimination of labor opportunity accidents caused by cyber attacks and at the same time their full cooperation with automations and automated processes that take place during the production process perform timely and valid detections of cyber attacks on and cyber intrusion into a critical infrastructure, which is a rather difficult achievement. The most modern studies discuss the application of intelligent algorithms using artificial intelligence (AI), which will be modeled on a set of rules set out in by the managers or the system itself and will evolve through productive processes using machine learning (ML). To date, it has not been established whether theory can meet practice in real conditions of an infrastructure that manages vital products or services and whether, during the production process, different suppliers of devices, as well as sensors of low technical specifications and computing power, are used.

In this research, we investigated intrusion detection in critical infrastructures. Intrusion detection systems are the first line of defense against intrusion attacks. More specifically, we referred to the definition of critical infrastructures and the significant role that they have for a country. Additionally, we mentioned some of the most used and well-known attacks which could harm a critical infrastructure and cause serious problems and damages to it and by extension to the sectors of a country such as the economy, etc. Furthermore, we present a short analysis of machine learning and deep learning models and methods which are used in intrusion detection systems, as shown in the literature. We comprehended the important role of the security of critical infrastructures from cyber attacks and other threats. However there are many challenges in the security of critical infrastructure and generally in cybersecurity. A significant part of the implemented solutions does not focus on unsolved important problems, such as the development of lightweight intrusion detection systems that are able to work in devices with limited power supply, false alarm control, the reduction in false positives and false negatives number and DoS attacks. Moreover, dynamic IDSs that can cope with altering conditions of the system must be further examined and analyzed [36]. Another important future direction in intrusion detection systems is the application of deep learning approaches in combination with a proper dataset to produce valid results.