Conference record number:
3926
Article title:
Attack Detection in Active Queue Management within Large-Scale Networks Control System with information of network and physical system
Authors:
Sadeghi Khorrami Ladan, sadeghikhorrami@aut.ac.ir, School of Electrical Engineering, Amirkabir University of Technology, Iran, Tehran; Afshar Ahmad, aafshar@aut.ac.ir, Associate Professor of Electrical Engineering, Amirkabir University of Technology, Iran, Tehran
Number of pages:
6
Keywords:
No Keyword
Publication year:
1395
Conference title:
24th Iranian Conference on Electrical Engineering
Document language:
English
Persian abstract:
In recent years, industrial control systems have used networks for communication, and the Transmission Control Protocol (TCP) is normally used in the supervisory layer, so malicious outsiders and insiders can attack through the network. One useful model-based method for fault detection and isolation is the Unknown Input Observer (UIO). Some previous works that used UIOs observe the dynamics of the physical system to detect attacks. This paper first describes how an attacker can cause Denial of Service (DoS) in active queue management, then uses a UIO to design a Network Intrusion Detection System (NIDS) based on the fluid flow model, and then fuses the information of the NIDS and Host Intrusion Detection Systems (HIDS). The Distributed Intrusion Detection System (DIDS) detects abnormal behavior of the network and the physical system and raises alarms for three states: attack-free, DoS, and deception attack. As a result, false negatives for the attack-free state and false positives for DoS attacks are reduced. Simulation results demonstrate the high success level of this approach for detecting attacks.
Country:
Iran