Search papers, labs, and topics across Lattice.
This paper introduces ProvICS, a novel provenance-based intrusion detection system specifically designed for Industrial Control Systems (ICS) by leveraging a unique Hardware-in-the-Loop (HIL) testbed that simulates an industrial chemical reactor. The study addresses the critical lack of comprehensive datasets capturing host-level behavior, network semantics, and physical process states in cyber-physical systems, enabling effective detection of multi-stage cyberattacks. Results show that ProvICS achieves high detection accuracy (F1 = 0.913, FPR = 1.40%) across 32 attack events, demonstrating its capability to reveal complementary attack signals through cross-modal data fusion.
ProvICS reveals that cross-modal data fusion can effectively detect a wide range of cyberattacks in industrial control systems, achieving an impressive F1 score of 0.913.
The convergence of Information Technology and Operational Technology has exposed Industrial Control Systems (ICS) to multi-stage cyberattacks that traverse software, network, and physical process layers simultaneously. Although Provenance-based Intrusion Detection Systems (PIDS) are effective in Information Technology (IT) environments, their applicability to Industrial Cyber-Physical Systems (CPS) remains largely unexplored because of the absence of datasets that jointly capture host-level causal behavior, industrial network semantics, and physical process state. To address this gap, we design an open-source, Hardware-in-the-Loop (HIL) CPS testbed that replicates an industrial chemical reactor control architecture across the Purdue model layers. Using this testbed, we propose ProvICS, a multimodal provenance dataset purpose-built for CPS intrusion detection, which synchronously captures four streams: whole-system provenance graphs from the supervisory host and the resource-constrained PLC, decoded Modbus deep-packet inspection records, and physical process telemetry. The collection comprises a 48-hour benign phase and a 22-hour attack phase across four campaigns covering 20 ICS ATT&CK techniques over 32 attack events, ranging from reconnaissance to physical process manipulation. Comparative analysis shows that ProvICS is among the few existing ICS/CPS benchmarks with multi-host kernel-level provenance, real PLC hardware-in-the-loop execution, decoded Modbus traffic, physical process-state measurements, and auxiliary raw PCAP traces in a time-synchronized collection. Baseline detection further confirms that cross-modal fusion can detect all 32 labeled attack events (F1 = 0.913, false-positive rate (FPR) = 1.40%), demonstrating the dataset's ability to expose complementary attack signals across modalities and addressing a gap not covered by prior benchmarks.