Machine Learning-based Intrusion Detection Systems: Deployment Guidelines for Industry


The PETRAS National Centre of Excellence for IoT System Cybersecurity presents: Machine Learning-based Intrusion Detection Systems: Deployment Guidelines for Industry.

The research team from the ELLIOTT project have developed guidelines to prepare end-users of industrial control systems (ICS) to have technical discussions and make informed decisions about creating and deploying Machine Learning-based IDS into a business. The guidelines also provides useful guidance on which detection tools to choose from in the presence of a plethora of commercial and open-source options.

Executive Summary

Industrial Control Systems (ICS) are increasingly becoming the subject of high-pro- file attacks. The motivations for these attacks can range from disgruntled em- ployees, financial, socio-political, military advantage, and corporate advantage, amongst others.

Historically, intrusion detection systems (IDS) have not been widely used to pro- tect ICS. For years, security for ICS was achieved through obscurity and isolation due to wide use of legacy systems that were not connected to wider networks and use of proprietary communication protocols. However, to improve cost-effi- ciency and productivity, ICS are becoming more connected to other systems via open communication protocols and use of smart devices such as Internet of Things (IoT). This new design has made securing ICS more challenging, and in need of security tools and techniques to increase visibility and protect against evolving threats.

In the coming decade, due to increasing sophistication of attackers and their at- tack methods, it is critical that security measures also advance and have the abil- ity to accurately detect and prevent threats. Machine Learning (ML) is one such promising technology. ML systems can be trained to automatically learn patterns of behaviour directly from network and/or physical data to detect malicious activ- ity, and optionally, faults, and then deploy them to make inferences about new patterns in service. While the use of ML has advantages such as faster creation of attack detection models, building and deploying ML systems have significant challenges.

The guidelines are aimed at:

  • Operators, managers of ICS, or those responsible for making decisions related to designing, installing, purchasing, or maintaining the performance of IDS
  • ICS suppliers, component designers, and others working on design/architecture definition processes; and decision-makers at the boardroom level when taking high-level decisions about the security of their ICS facilities

The report provides the following guidelines on selecting and deploying ML-based anomaly detection tools into a business:

  • The types of ML-based anomaly detection tools available
  • Aspects to consider while selecting one/discussing about them
  • How to define well-rounded performance
  • Options for deploying them and maintaining them when they are in use,
  • Limitations – both at an algorithm-level and at a domain-level. Also, Cyber-Physical Systems which encompass autonomous cars, robots, etc., are broader than only ICS. They are not targeted by this guideline.

Download the guideline:

If you have any queries relating to this paper or the research project, please contact us at