Open AccessOpen Access


Deep Learning Anomaly Detection Based on Hierarchical Status-Connection Features in Networked Control Systems

Jianming Zhao1,2,3,4, Peng Zeng1,2,3,4,*, Chunyu Chen1,2,3,4, Zhiwei Dong5, Jongho Han6

1 State Key Laboratory of Robotics, Shenyang Institute of Automation, Chinese Academy of Sciences, Shenyang, 110016, China
2 Key Laboratory of Networked Control Systems, Chinese Academy of Sciences, Shenyang 110016, China
3 Institutes for Robotics and Intelligent Manufacturing, Chinese Academy of Sciences, Shenyang, 110016, China
4 University of Chinese Academy of Sciences, Beijing, 100049, China
5 State Grid Liaoning Electric Power Company Limited Electric Power Research Institute, Shenyang, 110016, China
6 Korea Intelligent Automotive Parts Promotion Institute, Daegu, 43011, Korea

* Corresponding Author: Peng Zeng. Email:

Intelligent Automation & Soft Computing 2021, 30(1), 337-350.


As networked control systems continue to be widely used in large-scale industrial productions, industrial cyber-attacks have become an inevitable problem that can cause serious damage to critical infrastructures. In practice, industrial intrusion detection has been widely acknowledged to detect abnormal communication behaviors. However, unlike traditional IT systems, networked control systems have their own communication characteristics due to specific industrial communication protocols. Thus, simple cyber-attack modeling is inadequate and impractical for high-efficiency intrusion detection because the characteristics of network control systems are less considered. Based on the status information and transmission connection in industrial communication data payloads, which can properly express the characteristics of industrial control logic, this paper associates industrial communication features with transmission connection payload and status payload. Furthermore, transmission connection features include device address, context, time, and packet length, while status features cover measurement, input, distributed state, control state, and more. After designing a convolutional neural network (CNN) and a long short-term memory network (LSTM) to extract status features and transmission connection features from industrial communication data, this paper proposes a hierarchical deep learning anomaly detection approach, which can integrate the advantages of CNN and LSTM to achieve high-efficiency detection. The experimental results clearly show that the proposed approach, having the advantages of strong detection capability and low false alarm rate, is a superior means of anomaly detection when compared to its peers.


Cite This Article

J. Zhao, P. Zeng, C. Chen, Z. Dong and J. Han, "Deep learning anomaly detection based on hierarchical status-connection features in networked control systems," Intelligent Automation & Soft Computing, vol. 30, no.1, pp. 337–350, 2021.

This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
  • 854


  • 567


  • 0


Share Link

WeChat scan