Intrusion Detection for Sequence-Based Attacks with Reduced Traffic Models

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 10740)

Abstract

Securing control networks (e.g. for power and gas distribution) requires dedicated approaches. Sequence-aware intrusion detection models the network traffic under normal operation to identify malicious behavior. Unfortunately, such models are often large and difficult to handle. This paper proposes a method that generates smaller traffic models and discusses the accuracy of those reduced models in the context of a real control infrastructure employing the IEC 60870-5-104 protocol.
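The abstract describes the idea but not the mechanics, so the following is an added worked example (written for this page, not code from the paper or its authors) of what a sequence-aware model of IEC 60870-5-104 traffic looks like and what "reducing" it costs. A model is simply the set of message states and consecutive-state transitions seen in a trace of normal traffic; a test trace raises an alarm on any state or transition the model never saw. Reduced models are produced here by dropping fields from the state key (cause of transmission, then direction); that abstraction is an assumption chosen for illustration, not the reduction method the paper proposes. Both traces are constructed, and the IEC 104 type identifiers and causes of transmission are the standard ones.

```python
"""Sequence-aware anomaly detection over IEC 60870-5-104 application messages.

Added example, not code from the paper.  A model is the set of message
states and state transitions seen in a trace of normal traffic; a test
trace raises an alarm on any state or transition the model never saw.
The "reduced" models are obtained by dropping fields from the state key,
an assumption made for illustration, not the paper's reduction method.
"""

# IEC 60870-5-104 type identifiers and causes of transmission (COT) used below.
M_SP_NA_1, M_ME_NF_1, M_SP_TB_1 = 1, 13, 30    # monitoring direction
C_SC_NA_1, C_IC_NA_1 = 45, 100                 # control direction
COT_PER, COT_SPONT, COT_ACT, COT_ACTCON, COT_ACTTERM, COT_INROGEN = 1, 3, 6, 7, 10, 20

# A message is (direction, type_id, cot); "M>R" master to RTU, "R>M" RTU to master.
# Constructed training trace: two general interrogations, periodic and
# spontaneous measurements, and one single-command cycle.
NORMAL_TRACE = [
    ("M>R", C_IC_NA_1, COT_ACT), ("R>M", C_IC_NA_1, COT_ACTCON),
    ("R>M", M_SP_NA_1, COT_INROGEN), ("R>M", M_ME_NF_1, COT_INROGEN),
    ("R>M", C_IC_NA_1, COT_ACTTERM),
    ("R>M", M_ME_NF_1, COT_PER), ("R>M", M_ME_NF_1, COT_PER),
    ("R>M", M_SP_TB_1, COT_SPONT), ("R>M", M_ME_NF_1, COT_PER),
    ("M>R", C_SC_NA_1, COT_ACT), ("R>M", C_SC_NA_1, COT_ACTCON),
    ("R>M", C_SC_NA_1, COT_ACTTERM), ("R>M", M_SP_TB_1, COT_SPONT),
    ("R>M", M_ME_NF_1, COT_PER),
    ("M>R", C_IC_NA_1, COT_ACT), ("R>M", C_IC_NA_1, COT_ACTCON),
    ("R>M", M_SP_NA_1, COT_INROGEN), ("R>M", M_ME_NF_1, COT_INROGEN),
    ("R>M", C_IC_NA_1, COT_ACTTERM), ("R>M", M_ME_NF_1, COT_PER),
]

# Constructed test trace: a single command is sent twice in a row (index 2),
# and an interrogation is started while a command is still pending (index 8).
ATTACK_TRACE = [
    ("R>M", M_ME_NF_1, COT_PER), ("M>R", C_SC_NA_1, COT_ACT), ("M>R", C_SC_NA_1, COT_ACT),
    ("R>M", C_SC_NA_1, COT_ACTCON), ("R>M", C_SC_NA_1, COT_ACTTERM),
    ("R>M", M_SP_TB_1, COT_SPONT), ("R>M", M_ME_NF_1, COT_PER),
    ("M>R", C_SC_NA_1, COT_ACT), ("M>R", C_IC_NA_1, COT_ACT), ("R>M", C_IC_NA_1, COT_ACTCON),
]


# State keys: the full key and two coarser abstractions of it (assumed reductions).
def full_key(msg):
    return msg                       # (direction, type_id, cot)


def dir_type_key(msg):
    return (msg[0], msg[1])          # drop the cause of transmission


def type_key(msg):
    return msg[1]                    # type identifier only


def learn_model(trace, key):
    """Collect the states and consecutive-state transitions of a normal trace."""
    states, edges, prev = set(), set(), None
    for msg in trace:
        s = key(msg)
        states.add(s)
        if prev is not None:
            edges.add((prev, s))
        prev = s
    return {"states": frozenset(states), "edges": frozenset(edges)}


def model_size(model):
    """(number of states, number of transitions): the size being reduced."""
    return (len(model["states"]), len(model["edges"]))


def detect(model, trace, key):
    """Return (index, reason, detail) for every message the model does not explain."""
    alarms, prev = [], None
    for i, msg in enumerate(trace):
        s = key(msg)
        if s not in model["states"]:
            alarms.append((i, "unknown state", s))
        elif prev is not None and (prev, s) not in model["edges"]:
            alarms.append((i, "unknown transition", (prev, s)))
        prev = s
    return alarms


if __name__ == "__main__":
    for name, key in (("full", full_key), ("dir+type", dir_type_key), ("type", type_key)):
        model = learn_model(NORMAL_TRACE, key)
        hits = detect(model, ATTACK_TRACE, key)
        print(f"{name:9s} states/edges={model_size(model)} alarms={[h[0] for h in hits]}")
```

Run stand-alone, the full model has 10 states and 13 transitions and flags both injected messages; keeping only the type identifier halves the state count (5 states, 11 transitions) but accepts the duplicated command, because the transition 45 to 45 already occurs in normal traffic as activation followed by activation confirmation. Keeping direction with the type (7 states) still catches both, which is the point the abstract makes: how a model is reduced decides what accuracy is lost.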

Notes

  1. See also: https://github.com/jjchromik/intravis/blob/master/example/over.pdf.

  2. See also: https://github.com/jjchromik/intravis/blob/master/example/all.pdf.

  3. The code used to modify the traces is available on GitHub: https://github.com/penc4ke/manipulateTraces.git.

Author information

Correspondence to Justyna Chromik.

Copyright information

© 2018 Springer International Publishing AG

About this paper

Cite this paper

Ferling, B., Chromik, J., Caselli, M., Remke, A. (2018). Intrusion Detection for Sequence-Based Attacks with Reduced Traffic Models. In: German, R., Hielscher, KS., Krieger, U. (eds) Measurement, Modelling and Evaluation of Computing Systems. MMB 2018. Lecture Notes in Computer Science, vol 10740. Springer, Cham. https://doi.org/10.1007/978-3-319-74947-1_4

  • DOI: https://doi.org/10.1007/978-3-319-74947-1_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-74946-4

  • Online ISBN: 978-3-319-74947-1

  • eBook Packages: Computer Science (R0)