Multi-stage Cyber-Attacks Detection in the Industrial Control Systems

  • Tomáš Bajtoš
  • Pavol Sokol (corresponding author)
  • Terézia Mézešová
Part of the Studies in Systems, Decision and Control book series (SSDC, volume 255)


Industrial Control Systems are a high-value target for attackers, and the attacks against them are becoming more sophisticated. Intrusion detection systems can uncover suspicious activity and point to individual steps of an attack. Detection systems raise an overwhelming number of alerts, so aggregation and correlation of those alerts are necessary. It is important for security analysts to correlate the alerts raised by detection systems and project the next steps of the attack in order to better protect critical resources. In this chapter, we search for attack patterns in the correlated alerts from an industrial control system network. Our correlation approach is similarity-based, using IP addresses and ports. We construct a directed graph that describes all possible attack paths between multiple attack stages. Several interesting patterns are discussed.
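The pipeline the abstract sketches (aggregate duplicate IDS alerts, correlate the survivors by IP-address and port similarity, then build a directed graph of transitions between attack stages and enumerate the paths through it) can be illustrated on a handful of alerts. The block below is an added example written for this page; it is not the chapter's code, and the stage names, the signature-to-stage mapping, the similarity weights, the threshold, the time windows and the alert records are all assumptions constructed for the illustration.

```python
"""Added example: similarity-based IDS alert aggregation, correlation and
attack-stage graph construction. Stage names, the signature-to-stage mapping,
the similarity rule, thresholds and the sample alerts are constructed
assumptions for this illustration, not the chapter's data or code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str


# Assumed mapping from IDS signature name to attack stage (constructed).
STAGE_OF = {
    "ICS_RECON_PORTSCAN": "reconnaissance",
    "MODBUS_FUNC_CODE_SCAN": "reconnaissance",
    "S7COMM_AUTH_BYPASS": "exploitation",
    "MODBUS_WRITE_SINGLE_COIL": "manipulation",
}

# Constructed sample alerts: three identical port-scan alerts that should collapse
# into one, a follow-up scan and an exploit from the same source against the same
# host, a write issued from that host towards a second device (pivot), and one
# unrelated scan from another source.
T0 = datetime(2019, 1, 1, 10, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0, "10.0.0.5", "192.168.1.10", 502, "ICS_RECON_PORTSCAN"),
    Alert(T0 + timedelta(seconds=10), "10.0.0.5", "192.168.1.10", 502, "ICS_RECON_PORTSCAN"),
    Alert(T0 + timedelta(seconds=30), "10.0.0.5", "192.168.1.10", 502, "ICS_RECON_PORTSCAN"),
    Alert(T0 + timedelta(minutes=2), "10.0.0.5", "192.168.1.10", 502, "MODBUS_FUNC_CODE_SCAN"),
    Alert(T0 + timedelta(minutes=5), "10.0.0.99", "192.168.1.50", 502, "ICS_RECON_PORTSCAN"),
    Alert(T0 + timedelta(minutes=10), "10.0.0.5", "192.168.1.10", 102, "S7COMM_AUTH_BYPASS"),
    Alert(T0 + timedelta(minutes=20), "192.168.1.10", "192.168.1.20", 502, "MODBUS_WRITE_SINGLE_COIL"),
]


def aggregate(alerts: List[Alert], window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Collapse alerts with identical (src, dst, port, signature) that fall within
    `window` of the group's first alert into that first alert."""
    kept: List[Alert] = []
    last_by_key: Dict[tuple, Alert] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src_ip, a.dst_ip, a.dst_port, a.signature)
        rep = last_by_key.get(key)
        if rep is None or a.ts - rep.ts > window:
            kept.append(a)
            last_by_key[key] = a
    return kept


def similarity(earlier: Alert, later: Alert) -> float:
    """Assumed IP/port similarity score in [0, 1]: same source, same victim, a
    pivot (earlier victim acting as later source) and same port each contribute."""
    score = 0.0
    if earlier.src_ip == later.src_ip:
        score += 0.5
    if earlier.dst_ip == later.dst_ip:
        score += 0.3
    elif earlier.dst_ip == later.src_ip:  # lateral step through the earlier victim
        score += 0.5
    if earlier.dst_port == later.dst_port:
        score += 0.2
    return min(score, 1.0)


def correlate(alerts: List[Alert], threshold: float = 0.5,
              max_gap: timedelta = timedelta(hours=1)) -> List[Tuple[Alert, Alert]]:
    """Directed (earlier, later) pairs of different-stage alerts that are close in
    time and similar enough by IP addresses and ports."""
    alerts = sorted(alerts, key=lambda x: x.ts)
    pairs: List[Tuple[Alert, Alert]] = []
    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            if b.ts - a.ts > max_gap:
                break
            if STAGE_OF[a.signature] == STAGE_OF[b.signature]:
                continue
            if similarity(a, b) >= threshold:
                pairs.append((a, b))
    return pairs


def stage_graph(pairs: List[Tuple[Alert, Alert]]) -> Dict[str, Dict[str, int]]:
    """Directed graph: stage -> {next stage: number of correlated transitions}."""
    graph: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for a, b in pairs:
        graph[STAGE_OF[a.signature]][STAGE_OF[b.signature]] += 1
    return {s: dict(t) for s, t in graph.items()}


def attack_paths(graph: Dict[str, Dict[str, int]], start: str) -> List[List[str]]:
    """Enumerate all simple paths from `start` along observed stage transitions."""
    paths: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        nxt = [n for n in graph.get(node, {}) if n not in path]
        if not nxt:
            paths.append(path)
        for n in nxt:
            dfs(n, path + [n])

    dfs(start, [start])
    return paths


def demo() -> Dict[str, Dict[str, int]]:
    graph = stage_graph(correlate(aggregate(SAMPLE_ALERTS)))
    for p in attack_paths(graph, "reconnaissance"):
        print(" -> ".join(p))
    return graph


if __name__ == "__main__":
    demo()
```

On the constructed input the three duplicate scans collapse into one alert, the pairwise scores link the scans to the exploit and the exploit to the write via the pivot, and the resulting graph yields the paths reconnaissance -> exploitation -> manipulation and reconnaissance -> manipulation; the shorter path exists only because the pivot rule links the scans directly to the write, which is the kind of artefact an analyst must weigh when reading such graphs.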


Keywords: Alert aggregation · Correlation · Multi-stage attack patterns



We would like to thank our colleagues from the Czech chapter of The Honeynet Project for their comments and valuable input. This paper is funded by the Slovak APVV project under contract No. APVV-14-0598 and the Slovak APVV project under contract No. APVV-APVV-17-0561.



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Tomáš Bajtoš (1)
  • Pavol Sokol (1), corresponding author
  • Terézia Mézešová (1)
  1. Faculty of Science, Institute of Computer Science, Pavol Jozef Šafárik University in Košice, Košice, Slovakia
