Enhancing MITM Attack Detection Mechanism for ICS using LSTM-based Hybrid Ensemble Learning
DOI: https://doi.org/10.54654/isj.v3i26.1137
Keywords: Man-in-the-Middle Attack, industrial control system, software-defined networking, ensemble learning
Abstract
With the rapid development of Information Technology (IT), the integration of IT with Industrial Control Systems (ICS) makes them susceptible to cybersecurity threats, including Man-in-the-Middle (MITM) attacks. Many studies focus on MITM attack detection approaches, including rule-based methods and methods using Machine Learning (ML). However, these approaches suffer from two main limitations: the lack of a dataset for MITM attack detection in ICS networks, and the lack of a detection method that remains effective as the complexity of ICS networks keeps increasing. In this paper, we propose a novel MITM attack detection framework using an ensemble learning algorithm for large-scale ICS networks. Concretely, we propose a novel ICS simulation framework for large-scale networks using Software-Defined Networking to facilitate ICS studies. Moreover, we propose a novel lightweight MITM attack detection mechanism that combines an enhanced pre-processing technique with a hybrid ensemble learning algorithm based on Long Short-Term Memory (LSTM), to detect MITM attacks with high accuracy while keeping processing time acceptable. Experimental results show that the proposed MITM attack detection mechanism achieves an F1 score of 91.91% with an inference time of only 8.91 microseconds.
License
Proposed Policy for Journals That Offer Open Access
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).