ABSTRACT
Detection of previously unknown attacks and malicious messages is a challenging problem faced by modern network intrusion detection systems. Anomaly-based solutions, despite being able to detect unknown attacks, have not been used often in practice due to their high false positive rate, and because they provide little actionable information to the security officer in case of an alert. In this paper we focus on intrusion detection in industrial control system (ICS) networks and we propose an innovative, practical and semantics-aware framework for anomaly detection. The network communication model and the alerts generated by our framework are user-understandable, making them much easier to manage. At the same time the framework exhibits an excellent trade-off between detection rate and false positive rate, which we show by comparing it with two existing payload-based anomaly detection methods on several ICS datasets.
Reading between the fields: practical, effective intrusion detection for industrial control systems