
A Statechart-Based Anomaly Detection Model for Multi-Threaded SCADA Systems

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9578)

Abstract

SCADA traffic between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed SCADA streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA, and a high false-alarm rate. In this paper we introduce a new modeling approach that addresses this gap. Our Statechart DFA modeling includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs. We evaluated our solution on traces from a production SCADA system using the Siemens S7-0x72 protocol. We also stress-tested our solution on a collection of synthetically-generated traces. In all but the most extreme scenarios the Statechart model drastically reduced both the false-alarm rate and the learned model size in comparison with the naive single-DFA model.
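
The de-multiplexing idea described in the abstract, as an added example that is not the paper's code: three hypothetical HMI polling tasks with cycle lengths 3, 4 and 5 are interleaved round-robin. The naive model learns one DFA over the whole stream, whose period is the least common multiple of the sub-cycles (180 messages here), while the Statechart model keeps one DFA per sub-channel (12 states in total) and a DFA-selector that routes each message by a channel key. The channel key, the task names and the data-block symbols are assumptions made for the demonstration; a real DFA-selector would have to derive the key from protocol fields, which is not modelled. In the test trace, task B's timer fires early once: each per-channel stream is still a perfect cycle, so the Statechart raises no alarm, whereas the single DFA loses synchronisation and keeps alarming until the interleaving happens to realign.

```python
"""Single-DFA versus Statechart modelling of multiplexed periodic SCADA traffic.

Added example, not the paper's code.  A message is an assumed (channel, symbol)
pair: 'channel' stands for the HMI polling task that issued it (a real
DFA-selector would recover it from a protocol field, which is not modelled
here) and 'symbol' is the abstract request type.
"""
from itertools import cycle

# Constructed cyclic patterns of three hypothetical HMI polling tasks.
TASKS = {
    "A": ["read_DB1", "read_DB2", "write_DB3"],
    "B": ["read_DB10", "read_DB11", "read_DB12", "write_DB13"],
    "C": ["read_DB20", "read_DB21", "read_DB22", "read_DB23", "write_DB24"],
}


def multiplex(schedule):
    """Traffic seen on the wire when the tasks' timers fire in the order given
    by `schedule` (a list of channel keys).  Each task always sends the next
    symbol of its own cycle, whatever the interleaving."""
    nxt = {k: cycle(v) for k, v in TASKS.items()}
    return [(k, next(nxt[k])) for k in schedule]


def learn_cyclic_dfa(symbols):
    """Learn a cycle DFA: the shortest period that reproduces the training
    sequence.  State i expects pattern[(i + 1) % period]; the state count is
    the period, so a stream that only repeats after the lcm of all
    sub-cycles yields a correspondingly large DFA."""
    n = len(symbols)
    for period in range(1, n + 1):
        if all(symbols[i] == symbols[i % period] for i in range(n)):
            return tuple(symbols[:period])
    return tuple(symbols)


def run_dfa(pattern, symbols):
    """Replay `symbols` through the cycle DFA and count alarms.  An unexpected
    but known symbol resynchronises the DFA to its first occurrence in the
    pattern (a deliberately simplified miss policy); an unknown symbol is an
    alarm that leaves the state unchanged."""
    n = len(pattern)
    state, alarms = None, 0
    for s in symbols:
        expected = pattern[(state + 1) % n] if state is not None else None
        if s == expected:
            state = (state + 1) % n
        elif s in pattern:
            if state is not None:      # the very first symbol only syncs
                alarms += 1
            state = pattern.index(s)
        else:
            alarms += 1
    return alarms


class Statechart:
    """One cycle DFA per sub-channel plus a DFA-selector that routes every
    message to the DFA of its channel."""

    def __init__(self, selector):
        self.selector = selector
        self.dfas = {}

    def _demux(self, messages):
        channels = {}
        for m in messages:
            channels.setdefault(self.selector(m), []).append(m)
        return channels

    def learn(self, messages):
        self.dfas = {k: learn_cyclic_dfa(v)
                     for k, v in self._demux(messages).items()}

    def detect(self, messages):
        alarms = 0
        for k, v in self._demux(messages).items():
            if k not in self.dfas:     # traffic on a channel never learned
                alarms += len(v)
            else:
                alarms += run_dfa(self.dfas[k], v)
        return alarms

    def size(self):
        return sum(len(d) for d in self.dfas.values())


def compare():
    """Train both models on round-robin traffic (402 messages, more than two
    joint periods), then test on traffic in which task B fires early once."""
    train = multiplex(["A", "B", "C"] * 134)
    test = multiplex(["A", "B", "C"] * 10 + ["B"] + ["A", "B", "C"] * 10)
    naive = learn_cyclic_dfa(train)
    sc = Statechart(selector=lambda m: m[0])
    sc.learn(train)
    return {"naive_size": len(naive), "naive_alarms": run_dfa(naive, test),
            "statechart_size": sc.size(), "statechart_alarms": sc.detect(test)}


if __name__ == "__main__":
    print(compare())
```

Running `compare()` gives a 180-state naive DFA that raises 17 alarms on the jittered trace, against a 12-state Statechart that raises none. The resynchronisation policy (jump to the first occurrence of the offending symbol) is a simplification chosen for the demonstration; a richer miss-handling policy would change the exact alarm count but not the contrast, and with more sub-channels the joint period of the naive model grows as the lcm of the cycle lengths while the Statechart grows only as their sum.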

This work was supported in part by a grant from the Israeli Ministry of Science and Technology.



Author information

Corresponding author: Amit Kleinmann


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Kleinmann, A., Wool, A. (2016). A Statechart-Based Anomaly Detection Model for Multi-Threaded SCADA Systems. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2015. Lecture Notes in Computer Science, vol 9578. Springer, Cham. https://doi.org/10.1007/978-3-319-33331-1_11


  • DOI: https://doi.org/10.1007/978-3-319-33331-1_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-33330-4

  • Online ISBN: 978-3-319-33331-1

  • eBook Packages: Computer Science (R0)
