Traditional intrusion detection systems (IDSs) typically rely on a single data source, either network traffic or process data, and this single-source approach may miss complex attack patterns that span multiple layers of an industrial control system (ICS), or persistent threats that target different layers of operational technology (OT) systems. This study investigates whether combining network and process data improves attack detection in ICS environments. Using the SWaT dataset, we evaluate several machine learning models on each data source individually and on the two sources combined. Our findings suggest that integrating network traffic with operational process data enhances detection capability, evidenced by improved recall for cyber attack classification. Serving as a proof of concept within a limited testing environment, this research explores the feasibility of advancing ICS intrusion detection through a multi-source data approach. Although the results are promising, they are preliminary and highlight the need for further studies across diverse datasets and with refined methodologies.
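As an added illustration (not code from the paper or from the SWaT testbed), the Python sketch below shows what "combining" the two sources means in practice and why it can raise recall: flow records from the PLC network segment and historian readings are joined into one feature vector per fixed time window, a baseline is fitted on benign windows only, and the same anomaly scorer is run on network features, on process features, and on both. The detector (Euclidean norm of per-feature z-scores, i.e. a Mahalanobis distance with diagonal covariance) is a stand-in for the paper's ML models; the tag names LIT101 and FIT101 are modelled on SWaT stage-1 naming, but every record, host address, threshold and label here is constructed. The three constructed attack windows are a traffic flood (visible only on the network), a local set-point change (visible only in the process), and a multi-layer attack whose footprint in each layer alone stays under the threshold.

```python
import math
from statistics import mean, pstdev

# Feature names per data source (assumed; tag names modelled on SWaT stage 1)
NETWORK_FEATURES = ("modbus_writes", "bytes_kb")
PROCESS_FEATURES = ("lit101_mm", "fit101_lpm")
ALL_FEATURES = NETWORK_FEATURES + PROCESS_FEATURES

HMI = "10.0.0.5"        # assumed engineering/HMI host that legitimately writes to the PLC
ROGUE = "10.0.0.99"     # assumed attacker host

# Constructed network flow records: (timestamp_s, src_host, modbus_function, bytes)
FLOWS = (
    [(t, HMI, "write", 4000) for t in (1, 4, 7)]                       # window 0: benign
    + [(t, HMI, "write", 3500) for t in (11, 13, 15, 17)]              # window 1: benign, busy
    + [(t, HMI, "write", 4000) for t in (21, 24, 27)]                  # window 2: attack,
    + [(25, ROGUE, "read", 18000)]                                     #   read flood (network only)
    + [(t, HMI, "write", 4000) for t in (31, 34, 37)]                  # window 3: attack at local HMI,
                                                                       #   nothing unusual on the wire
    + [(t, HMI, "write", 3000) for t in (41, 44, 47)]                  # window 4: attack, a few extra
    + [(t, ROGUE, "write", 1500) for t in (42, 46)]                    #   writes plus a mild level drift
)

# Constructed historian readings: (timestamp_s, tag, value); LIT101 in mm, FIT101 in L/min
READINGS = [
    (5, "LIT101", 510), (5, "FIT101", 130),
    (15, "LIT101", 520), (15, "FIT101", 140),
    (25, "LIT101", 510), (25, "FIT101", 130),
    (35, "LIT101", 560), (35, "FIT101", 130),   # level pushed far outside its benign band
    (45, "LIT101", 530), (45, "FIT101", 130),   # level only mildly off
]
LABELS = ["benign", "benign", "attack", "attack", "attack"]   # one label per window

# Constructed window-level features from a benign capture, used to fit the baseline.
# In practice these come from align_windows() over a capture with no attacks.
BENIGN_TRAIN = [
    {"modbus_writes": 2, "bytes_kb": 10, "lit101_mm": 500, "fit101_lpm": 120},
    {"modbus_writes": 4, "bytes_kb": 14, "lit101_mm": 520, "fit101_lpm": 140},
    {"modbus_writes": 2, "bytes_kb": 10, "lit101_mm": 500, "fit101_lpm": 120},
    {"modbus_writes": 4, "bytes_kb": 14, "lit101_mm": 520, "fit101_lpm": 140},
]


def align_windows(flows, readings, n_windows, window_s=10):
    """Join both sources into one feature vector per fixed-length time window."""
    feats = [{"modbus_writes": 0, "bytes_kb": 0.0, "lit101_mm": [], "fit101_lpm": []}
             for _ in range(n_windows)]
    for ts, _src, func, nbytes in flows:
        w = feats[ts // window_s]
        w["bytes_kb"] += nbytes / 1000
        if func == "write":
            w["modbus_writes"] += 1
    tag_to_feature = {"LIT101": "lit101_mm", "FIT101": "fit101_lpm"}
    for ts, tag, value in readings:
        feats[ts // window_s][tag_to_feature[tag]].append(value)
    for w in feats:
        for f in PROCESS_FEATURES:
            w[f] = mean(w[f])   # assumes at least one reading per tag per window
    return feats


def fit_baseline(windows, features):
    """Per-feature mean and population std dev from benign windows only."""
    return {f: (mean([w[f] for w in windows]), pstdev([w[f] for w in windows]))
            for f in features}


def anomaly_score(window, baseline, features):
    """Euclidean norm of the z-score vector over the chosen feature subset."""
    total = 0.0
    for f in features:
        mu, sd = baseline[f]
        total += ((window[f] - mu) / sd) ** 2
    return math.sqrt(total)


def evaluate(features, threshold=2.5):
    """Recall on attack windows and false positives on benign ones for a feature subset."""
    baseline = fit_baseline(BENIGN_TRAIN, features)
    windows = align_windows(FLOWS, READINGS, len(LABELS))
    tp = fn = fp = 0
    for label, w in zip(LABELS, windows):
        flagged = anomaly_score(w, baseline, features) >= threshold
        if label == "attack":
            tp += int(flagged)
            fn += int(not flagged)
        else:
            fp += int(flagged)
    return {"recall": tp / (tp + fn), "false_positives": fp}


if __name__ == "__main__":
    for name, feats in (("network only", NETWORK_FEATURES),
                        ("process only", PROCESS_FEATURES),
                        ("combined", ALL_FEATURES)):
        print(f"{name:13s} {evaluate(feats)}")
```

On this constructed stream the network-only and process-only scorers each catch one of the three attack windows, while the combined scorer catches all three with no false positives, because the multi-layer window's two moderate deviations add up in the joint score. The same design choices matter when doing this on SWaT or a live plant: the window length must reconcile packet timestamps with the historian's sampling period, attack labels have to be assigned at window granularity, and the baseline must be fitted on data that is known to be attack-free, otherwise the anomaly the fusion is meant to expose is absorbed into the "normal" band.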