Abstract
Securing control networks (e.g. for power and gas distribution) requires dedicated approaches. Sequence-aware intrusion detection models the network traffic under normal operation to identify malicious behavior. Unfortunately, such models are often large and difficult to handle. This paper proposes a method that generates smaller traffic models and discusses the accuracy of those reduced models in the context of a real control infrastructure employing the IEC 60870-5-104 protocol.
Notes
- 1.
- 2.
- 3.
The code used to modify the traces is available on GitHub: https://github.com/penc4ke/manipulateTraces.git.
© 2018 Springer International Publishing AG
Cite this paper
Ferling, B., Chromik, J., Caselli, M., Remke, A. (2018). Intrusion Detection for Sequence-Based Attacks with Reduced Traffic Models. In: German, R., Hielscher, K.S., Krieger, U. (eds.) Measurement, Modelling and Evaluation of Computing Systems. MMB 2018. Lecture Notes in Computer Science, vol. 10740. Springer, Cham. https://doi.org/10.1007/978-3-319-74947-1_4
DOI: https://doi.org/10.1007/978-3-319-74947-1_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-74946-4
Online ISBN: 978-3-319-74947-1
eBook Packages: Computer Science, Computer Science (R0)