TY - JOUR
T1 - A machine-learning-based approach to build zero-false-positive IPSs for industrial IoT and CPS with a case study on power grids security
AU - Haghighi, Mohammad Sayad
AU - Farivar, Faezeh
AU - Jolfaei, Alireza
PY - 2024
Y1 - 2024
N2 - Intrusion prevention systems have long been the first layer of defense against malicious attacks. Most sensitive systems employ instances of them (e.g., firewalls) to secure the network perimeter and filter out attacks or unwanted traffic. A firewall, similar to a classifier, has a boundary to decide which traffic sample is normal and which one is not. This boundary is defined by configuration and is managed by a set of rules that occasionally might also filter the normal traffic by mistake. However, for some applications, any interruption of the normal operation is not tolerable, e.g., in power plants, water distribution systems, gas or oil pipelines, etc. In this article, we design a learning firewall that receives labeled samples and configures itself automatically by writing preventive rules in a conservative way that avoids false alarms. We design a new family of classifiers, called z-classifiers, that unlike the traditional ones that merely target accuracy, rely on zero false positives as the metric for decision making. First, we analytically show why naive modification of current classifiers like support vector machine does not yield acceptable results, and then propose a generic iterative algorithm to accomplish this goal. We use the proposed classifier with CART at its heart to build a firewall for a power grid monitoring system. To further evaluate the algorithm, we additionally test it on the KDD CUP'99 dataset. The results confirm the effectiveness of our approach.
AB - Intrusion prevention systems have long been the first layer of defense against malicious attacks. Most sensitive systems employ instances of them (e.g., firewalls) to secure the network perimeter and filter out attacks or unwanted traffic. A firewall, similar to a classifier, has a boundary to decide which traffic sample is normal and which one is not. This boundary is defined by configuration and is managed by a set of rules that occasionally might also filter the normal traffic by mistake. However, for some applications, any interruption of the normal operation is not tolerable, e.g., in power plants, water distribution systems, gas or oil pipelines, etc. In this article, we design a learning firewall that receives labeled samples and configures itself automatically by writing preventive rules in a conservative way that avoids false alarms. We design a new family of classifiers, called z-classifiers, that unlike the traditional ones that merely target accuracy, rely on zero false positives as the metric for decision making. First, we analytically show why naive modification of current classifiers like support vector machine does not yield acceptable results, and then propose a generic iterative algorithm to accomplish this goal. We use the proposed classifier with CART at its heart to build a firewall for a power grid monitoring system. To further evaluate the algorithm, we additionally test it on the KDD CUP'99 dataset. The results confirm the effectiveness of our approach.
UR - http://www.scopus.com/inward/record.url?scp=85183585229&partnerID=8YFLogxK
U2 - 10.1109/TIA.2020.3011397
DO - 10.1109/TIA.2020.3011397
M3 - Article
AN - SCOPUS:85183585229
SN - 0093-9994
VL - 60
SP - 920
EP - 928
JO - IEEE Transactions on Industry Applications
JF - IEEE Transactions on Industry Applications
IS - 1
ER -