Anomaly detection in production facility network using ant agents

Procedia CIRP 79 (2019) 701–705
www.elsevier.com/locate/procedia

12th CIRP Conference on Intelligent Computation in Manufacturing Engineering, CIRP ICME '18, 18-20 July 2018, Gulf of Naples, Italy

Nobutada Fujiiª, Toshiya Kaiharaª, Daisuke Kokuryoª, Sungmyung Hongª,*

ª Kobe University, 1-1, Rokkodai-cho, Nada ward, Kobe city, Hyogo prefecture, Japan

* Corresponding author. Tel.: +81-78-803-6053. E-mail address: [email protected]

Abstract

With the development of information and communication technologies, the concept of the Internet of Things has become popular. Production facilities in factories are connected to the Internet to issue production instructions and to manage their performance. As a result of connecting production facilities to the Internet, the risk of cyber-attacks targeting those facilities is increasing. This paper proposes a method that employs artificial ant agents to detect anomalous behaviour of production facilities affected by cyber-attacks. Computer experiments are conducted to confirm the effectiveness of the proposed method.

© 2019 The Authors. Published by Elsevier B.V.
Peer-review under responsibility of the scientific committee of the 12th CIRP Conference on Intelligent Computation in Manufacturing Engineering.

Keywords: Anomaly detection; Cyber-attacks; Multi-agent; Ant agents

1. Introduction

In recent years, with the development of information and communication technologies, production facilities used in factories have been connected to the Internet and are used for production instructions and performance management [1]. The risk of cyber-attacks via the Internet in factories, which had not previously been taken into consideration, is now regarded as a problem [2] [5]. However, it is difficult to completely prevent intrusions because of the sophistication and complexity of cyber-attacks, which is why early detection is important [6]. With traditional anomaly detection methods for factories, the anomaly determination itself may be tampered with, so that anomalies caused by cyber-attacks cannot be detected accurately [7]. Therefore, a method that can cope with such tampering by cyber-attacks is required. As a method of detecting cyber-attacks, algorithms based on the foraging of ants have been proposed [3]. In this method, a plurality of agents imitating ants wander the network to be protected; when an abnormality occurs at a terminal in the network, it is shared with the other agents via information called pheromones, and the agents gather at the terminals having problems.

In this research, an anomaly detection method for the case of a cyber-attack on production facilities in a factory is proposed, and its effectiveness is confirmed by computer experiments. Specifically, it is assumed that a facility controller is attacked, and a method using an algorithm based on ant agents is applied. A plurality of agents move randomly around the network connecting the facility controllers, and each determines whether an abnormality has occurred in them.

2. Proposed Method

The proposed method of this research is explained here. In the method, agents that detect anomalies are placed in the network to be protected. When a cyber-attack occurs on a facility controller in the network, many agents gather on it.

2.1. Target model

In this research, the network between factory production facilities is focused on. Figure 1 shows a diagram of the target model. The network consists of a server that issues production instructions to the facilities and a

10.1016/j.procir.2019.02.031


Fig. 1. The Target Model

plurality of facility controllers (Programmable Logic Controllers, PLCs) that operate the respective facilities (Equipment). It is assumed that all facility controllers are connected to each other.

2.2. Ant agent model

Agents imitating ants (ant agents) are generated by each facility controller and are implemented as packets moving between facility controllers every unit time. The role of an ant agent is to judge whether there is an anomaly in the facility controller it is visiting at that time. Each ant agent observes only one detection item obtained from the facility controller, such as CPU utilization rate or memory usage rate, and judges an anomaly with respect to the detection item set for itself. An ant agent also has the ability to drop pheromone: if it judges the visited facility controller to be anomalous, it drops pheromone on that facility controller.

2.3. Detection method

Ant agents use a threshold value for judging anomaly. If the value of the detection item set for an ant agent exceeds the threshold value, the facility controller is judged to be anomalous; otherwise it is judged to be normal. The threshold used here is not set in advance but is set dynamically at each unit time using change point detection, a method of detecting a sudden change in time series data [4]. Figure 2 shows the variables in the time series, and Equation (1) gives the threshold value of ant agent i at time t.

Fig. 2. Variables in time series

$$d_t^i = \max_{u = 1, \ldots, t'} \left| ave_t^r - v_{t-u}^r \right| \qquad (1)$$

If $|ave_t^r - v_t^r|$ is greater than $d_t^i$, ant agent $i$ determines that the PLC has an anomaly at time $t$.

Table 1 Variables used in change point detection

Variable     Description
t            Time
r            Detection item type
i            Ant agent number
d_t^i        Threshold of ant agent i at time t
v_t^r        Value of detection item r at time t
ave_t^r      Average of v_t^r from time t - t' to time t

2.4. Pheromone of ant agents

The pheromones of ant agents have the following features. Pheromone is present as a pheromone concentration in each facility controller. The pheromone concentration becomes higher as the number of ant agents dropping pheromone increases. The pheromone is volatile, and the pheromone concentration decreases over time.

From these features, the pheromone concentration of facility controller m is updated by Equation (2).

$$p_{t+1}^{m,r} = e \cdot p_t^{m,r} + k_t^r \cdot p \qquad (2)$$

Table 2 Variables used in pheromone concentration

Variable     Description
p_t^{m,r}    Pheromone concentration for detection item r of facility controller m at time t
e            Volatilization rate
p            Pheromone increment
k_t^r        Number of ant agents dropping the pheromone of detection item r at time t

Pheromones are prepared for each detection item, and an ant agent responds only to the pheromone of the detection item set for itself. This keeps ant agents whose detection item is not needed for detecting the current anomaly dispersed over the network.

2.5. Ant agent's movement

Ant agents move between facility controllers once per unit time. The destination is determined by roulette selection according to pheromone concentration. Because of these simple movement rules and the pheromone features, many ant agents gather at a facility controller that is highly likely to be subjected to a cyber-attack.
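As an added example (not the paper's code), the following Python simulates the ant-agent loop of Sections 2.2 to 2.5 for a single detection item: the change point threshold of Equation (1), the pheromone update of Equation (2), roulette selection of the next PLC, and the return to the nest after dropping pheromone. It assumes constructed CPU usage readings for six PLCs with PLC 1 attacked at time step 20, a pheromone increment p = 1.0, and that an agent derives its threshold from the reading history of the PLC it is visiting; the PLC names and all values are constructed.

```python
import random

# Added example (not the paper's code): one detection item (CPU usage %) per
# PLC, ant agents judging it with the change point threshold of Eq. (1),
# pheromone updated by Eq. (2) and roulette selection of the next PLC.
# Assumed: threshold from the visited PLC's history; p = 1.0; nests spread evenly.

BASELINE = [50, 51, 49, 52, 48]   # constructed normal CPU load pattern (%)
ATTACKED = [90, 93, 88, 91, 87]   # constructed load pattern after the attack
T_ATTACK = 20                     # constructed time step at which PLC 1 is hit

def build_readings(plcs=6, horizon=40):
    """Constructed CPU usage series per PLC; only PLC 1 changes at T_ATTACK."""
    readings = {}
    for m in range(1, plcs + 1):
        series = [BASELINE[t % 5] for t in range(horizon)]
        if m == 1:
            series[T_ATTACK:] = [ATTACKED[t % 5] for t in range(T_ATTACK, horizon)]
        readings[f"PLC {m}"] = series
    return readings

def change_point_threshold(history, t_prime):
    """Eq. (1): d_t = max_{u=1..t'} |ave_t - v_{t-u}|, where ave_t is the mean
    of v_{t-t'}..v_t (Table 1). history holds v_0..v_t, oldest first."""
    window = history[-(t_prime + 1):]
    ave = sum(window) / len(window)
    d = max(abs(ave - v) for v in window[:-1])   # past values v_{t-u} only
    return ave, d

def is_anomaly(history, t_prime):
    """The visited PLC is judged anomalous when |ave_t - v_t| > d_t."""
    ave, d = change_point_threshold(history, t_prime)
    return abs(ave - history[-1]) > d

def update_pheromone(p_t, k_t, e=0.9, p=1.0):
    """Eq. (2): p_{t+1} = e * p_t + k_t * p (volatilisation, then deposits)."""
    return e * p_t + k_t * p

def roulette_select(pheromones, rng):
    """Destination drawn proportionally to pheromone; uniform while all are zero."""
    plcs = sorted(pheromones)
    weights = [pheromones[m] for m in plcs]
    if sum(weights) == 0:
        return rng.choice(plcs)
    return rng.choices(plcs, weights=weights, k=1)[0]

def simulate(readings, n_agents=60, t_prime=10, e=0.9, p=1.0, seed=1):
    """Per unit time: judge the visited PLC; on anomaly drop pheromone and head
    for the nest, else pick the next PLC by roulette. Returns (counts, pheromone, alarms)."""
    rng = random.Random(seed)
    plcs = sorted(readings)
    horizon = len(readings[plcs[0]])
    pher = {m: 0.0 for m in plcs}
    nests = [plcs[i % len(plcs)] for i in range(n_agents)]
    agents = [(m, m) for m in nests]                 # (nest, current position)
    counts, alarms = {m: [] for m in plcs}, []
    for t in range(t_prime, horizon):                # need t' past values first
        for m in plcs:
            counts[m].append(sum(1 for _, pos in agents if pos == m))
        deposits = {m: 0 for m in plcs}
        moved = []
        for nest, pos in agents:
            if is_anomaly(readings[pos][:t + 1], t_prime):
                deposits[pos] += 1
                alarms.append((t, pos))
                moved.append((nest, nest))
            else:
                moved.append((nest, roulette_select(pher, rng)))
        for m in plcs:
            pher[m] = update_pheromone(pher[m], deposits[m], e, p)
        agents = moved
    return counts, pher, alarms
```

With these constructed readings the jump at PLC 1 is judged anomalous only at the first two steps after the attack; once the elevated values fill the window of width t' they become the average and the judgement returns to normal, which is the effect the paper discusses for the per-PLC threshold.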




Fig. 3. The flow of actions per unit time of ant agents

The flow of actions per unit time of ant agents is shown in Figure 3. Each ant agent takes the facility controller that generated it as its nest. First, the ant agent arriving at a facility controller determines whether it is abnormal. If it is judged to be anomalous, the ant agent drops pheromone on the facility controller and then sets its own nest as the next destination. If it is not judged to be anomalous, the ant agent does nothing and decides the next destination by roulette selection referring to the pheromone concentration. Ant agents that have determined their destination move there when the unit time ends.

2.6. Considering differences in operation status of facilities

Each ant agent has a threshold for judging anomaly. The reference value for determining the threshold is the value read from the facility controller that the ant agent visited at each time. By having a different threshold for each ant agent, it is possible to judge an anomaly with various criteria. However, since facilities in the factory are not uniformly operated, it is not desirable to treat the reference values of all facility controllers in the same way. Therefore, in this paper, anomaly detection that considers the operation status of each facility by giving each facility controller its own threshold for determining anomaly is proposed.

3. Computer experiments

3.1. Experiment overview

Assuming the case where a facility controller (PLC 1) in the network suffers a cyber-attack and its CPU usage rate rises, the change in the number of ant agents is confirmed. Comparison experiments are conducted with the following two methods.

1. Each ant agent has a threshold at each time
2. Each facility controller has a threshold at each time

The experiment is conducted in an environment where PLC 6 has higher network usage than the other PLCs. In this environment, the experimental result is confirmed for the case where the operating condition of each facility controller is not taken into consideration (Experiment 1) and for the case where it is considered (Experiment 2).

3.2. Experimental condition

 Number of facility controllers: 6
 Detection items: CPU usage rate, Memory usage rate, Network Input usage, Network Output usage
 Number of ant agents: 480 (120 per detection item)
 Cyber-attack occurrence timing: T = 90
 Volatilization rate: e = 0.9
 Time width of change point detection: t' = 10
 Number of trials: 5

3.4. Experiment results

The results for the two cases are shown in Figure 4 and Figure 5, which show the number of all ant agents in each PLC at each time in Experiment 1 and Experiment 2, respectively, as a simple moving average over a time width Δt = 10. Table 3 shows the average and variance of the number of all ant agents visiting each facility controller before and after the occurrence of the anomaly.

Fig. 4. All ant agents in experiment 1


Table 3 Average and variance of the number of all ant agents (① before anomaly, 1 ≤ t ≤ 90; ② after anomaly, t > 90)

                        PLC 1          PLC 2          PLC 3          PLC 4          PLC 5          PLC 6
                        Ave.    S.D.   Ave.    S.D.   Ave.    S.D.   Ave.    S.D.   Ave.    S.D.   Ave.    S.D.
Experiment 1  ①         69.37   10.31  73.72   10.96  72.42   8.55   82.01   10.89  84.11   17.02  110.88  19.56
Experiment 1  ②         93.55   14.93  70.28   7.24   67.67   5.22   77.94   6.77   94.49   7.82   82.41   4.55
Experiment 2  ①         80.24   9.58   87.87   8.9    83.26   9.43   77.5    9.52   81.69   10.58  78.91   9.9
Experiment 2  ②         97.01   9.1    87.41   8.86   81.16   6.05   70.29   9.61   74.01   7.23   79.53   7.05

Fig. 5. All ant agents in experiment 2

The numbers of ant agents whose detection item is CPU usage are shown in Figure 6 and Figure 7, which show the number of them in each PLC at each time in Experiment 1 and Experiment 2, respectively, as a simple moving average over a time width Δt = 10. Table 4 shows the average and variance of the number of them visiting each facility controller before and after the occurrence of the anomaly.

Fig. 6. Ant agents whose detection item is CPU usage in experiment 1

Fig. 7. Ant agents whose detection item is CPU usage in experiment 2

3.5. Discussion

Focusing on the period before the occurrence of the anomaly, it can be confirmed in Figure 4 that ant agents are concentrated on PLC 6. Compared with the other PLCs, PLC 6 has a high average network usage, which is considered to be abnormal. In Figure 5, it can be confirmed that the deviation in the number of ant agents between PLCs before the anomaly, which was observed in Experiment 1, is small. Also from Table 3, it can be confirmed that there is no difference in the average number of ant agents in each PLC in Experiment 2. By setting a threshold value for each PLC, the results did not depend on the difference in averages between PLCs. Focusing on the period after the occurrence of the anomaly, it can be seen that ant agents gather for a while at PLC 1, where the anomaly occurred, in both experiments. However, in Figure 4 the number keeps rising for about 20 seconds, whereas in Figure 5 it rises only for about 10 seconds. Even focusing only on ant agents whose detection item is CPU usage, a big difference in the number of ant agents visiting PLC 1 can be seen between Figure 6 and Figure 7. From Table 4, it can also be confirmed that the average number of ant agents

Table 4 Average and variance of the number of ant agents whose detection item is CPU usage (① before anomaly, 1 ≤ t ≤ 90; ② after anomaly, t > 90)

                        PLC 1          PLC 2          PLC 3          PLC 4          PLC 5          PLC 6
                        Ave.    S.D.   Ave.    S.D.   Ave.    S.D.   Ave.    S.D.   Ave.    S.D.   Ave.    S.D.
Experiment 1  ①         17.93   4.26   19.09   4.26   21.33   3.47   22.89   3.42   19.56   4.31   22.19   3.3
Experiment 1  ②         32.01   8.47   17.02   3.43   18.08   2.56   17.73   2.54   18.49   2.54   17.81   2.74
Experiment 2  ①         17.61   4.65   23.09   5.06   20.66   4.55   20.7    3.52   19.84   3.6    20.47   3.81
Experiment 2  ②         21.53   5.36   22.85   3.76   19.65   4.22   17.86   4.73   20.97   5.03   19.61   2.98




in Experiment 1 is larger than in Experiment 2. It is considered that after the time width (t' = 10) of change point detection has elapsed, the increased CPU usage becomes the average and is no longer determined to be an anomaly. In Experiment 1, since each ant agent has a different threshold, multiple judgments are made for one PLC at the same time. As a result, it is considered that the abnormality was detected over a longer period than in Experiment 2.

4. Conclusion

In this paper, a method to discover possible cyber-attacks on production facilities in factories based on the foraging of ants was proposed. Comparative experiments were conducted for the cases of not considering and of considering the operation status of each facility. From the results, although the difference depending on the operation status of each facility becomes smaller, it is considered that there is a problem that opportunities to judge abnormality are reduced. In future work, a method to keep opportunities for judging abnormality while


considering the operation status of each facility should be considered.

References

[1] Takeshi J, Kazuhiro C, Yusuke K. Optimization of Factory Production Activities by Utilizing IoT. Information Processing Society of Japan, Digital Practice 2017; 8 (15 July): p. 203-209.
[2] Information-technology Promotion Agency. Investigation on control system security and IT service continuity of important infrastructure (https://www.ipa.go.jp/files/000025097.pdf), 2009.
[3] Glenn A. Fink, Jereme N. Haack, A. David McKinnon. Defense on the Move: Ant-Based Cyber Defense. The Institute of Electrical and Electronics Engineers 2014; Vol. 12: p. 36-43.
[4] Kenji Y. Error detection by data mining. 1st ed. Tokyo: Kyoritsu Publishing; 2009. p. 45-58.
[5] Aya Y, Yoichi H. Outline of anomaly detection technology and application trends. Intec Technical Journal 2016; Vol. 17: p. 42-47.
[6] Ministry of Internal Affairs and Communications. Research and development basic plan on analysis and detection of cyber attack (http://www.soumu.go.jp/main_content/000245952.pdf), 2013.
[7] Hiroki U, Toru O, Makoto K. Toward Implementation of Attack Detection Technology for Industrial Control Systems. Computer Security Symposium 2014; p. 1269-1275.