Timing-Based Anomaly Detection in SCADA Networks
Supervisory Control and Data Acquisition (SCADA) systems that operate our critical infrastructures are increasingly the target of cyber attacks. Because polling uses request-response communication, SCADA traffic exhibits stable and predictable communication patterns. This paper presents a timing-based anomaly detection system that uses the statistical attributes of these communication patterns. The system is validated on three datasets, one generated from real devices and two from emulated networks, and achieves a False Positive Rate (FPR) below 1.4%. The tests cover three different attack scenarios, all of which consist of protocol-valid messages and therefore cannot be detected by whitelisting mechanisms. Detection accuracy and timing performance are adequate for all three attack scenarios in request-response communications. With other interaction patterns (e.g. spontaneous communications), only 2 of the 3 attacks are detected.
Keywords: SCADA, Industrial Control System (ICS), Anomaly detection, Traffic periodicity
This work was completed within RICS, the research centre on Resilient Information and Control Systems (www.rics.se), financed by the Swedish Civil Contingencies Agency (MSB). The authors also thank Modio for its support.
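The abstract describes the core idea but not the statistical attributes or thresholds the paper uses. The following is an added illustration, not the paper's code: it models each polling flow (source, destination, function code) by the mean and standard deviation of its inter-arrival times learned from clean traffic, then flags any interval outside mean ± K·sigma. The traffic, addresses, function code and the z-score rule are constructed assumptions chosen to show why an injected but protocol-valid request (which a whitelist accepts) and a suppressed poll both leave a timing signature.

```python
"""Timing-based anomaly detection over polling (request-response) SCADA traffic.

Added example, not the paper's implementation. Each flow is modelled by the
mean and population standard deviation of its inter-arrival times during an
attack-free training window; an interval in later traffic that falls outside
mean +/- K*sigma raises an alert. The exact attributes and thresholds used in
the paper are not given in the abstract, so this rule is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


# Assumed minimal message record: capture time in seconds plus the fields that
# identify a polling flow. Requests and responses land in different flows
# because src and dst are swapped.
@dataclass(frozen=True)
class Msg:
    ts: float
    src: str
    dst: str
    func: int  # e.g. a Modbus function code; the detector never interprets it


def flow_key(m):
    return (m.src, m.dst, m.func)


def inter_arrivals(msgs):
    """Group messages by flow and return each flow's inter-arrival deltas."""
    by_flow = defaultdict(list)
    for m in sorted(msgs, key=lambda m: m.ts):
        by_flow[flow_key(m)].append(m.ts)
    return {k: [b - a for a, b in zip(ts, ts[1:])] for k, ts in by_flow.items()}


def train(msgs, sigma_floor=0.001):
    """Learn (mu, sigma) per flow from attack-free traffic.
    sigma_floor keeps the band non-empty for perfectly regular flows."""
    return {k: (mean(d), max(pstdev(d), sigma_floor))
            for k, d in inter_arrivals(msgs).items() if len(d) >= 2}


def detect(model, msgs, k=4.0):
    """Return (flow, interval index, delta, reason) for every interval outside
    mu +/- k*sigma, and for flows that never appeared during training."""
    alerts = []
    for flow, deltas in inter_arrivals(msgs).items():
        if flow not in model:
            alerts.append((flow, None, None, "unknown flow"))
            continue
        mu, sigma = model[flow]
        for i, d in enumerate(deltas):
            if d < mu - k * sigma:
                alerts.append((flow, i, d, "too early"))  # extra message in the cycle
            elif d > mu + k * sigma:
                alerts.append((flow, i, d, "too late"))   # poll missing or delayed
    return alerts


# ---- constructed traffic (not captured from any real system) -----------------
JITTER = [0.004, -0.003, 0.006, -0.005, 0.0, 0.002, -0.004, 0.005]  # fixed jitter


def poll_traffic(start, n, period=1.0, rtt=0.020):
    """Master 10.0.0.1 polls outstation 10.0.0.2 with function 3 every `period`
    seconds with a little jitter; each request is answered `rtt` seconds later."""
    out = []
    for i in range(n):
        t = start + i * period + JITTER[i % len(JITTER)]
        out.append(Msg(t, "10.0.0.1", "10.0.0.2", 3))
        out.append(Msg(t + rtt, "10.0.0.2", "10.0.0.1", 3))
    return out


def attack_traffic():
    """Normal polling plus two deviations built only from valid messages:
    an extra, well-formed function-3 request from the legitimate master at
    t=205.5 (answered by the outstation as usual) and the poll at t~210
    suppressed together with its response."""
    msgs = poll_traffic(200.0, 20)
    msgs.append(Msg(205.5, "10.0.0.1", "10.0.0.2", 3))
    msgs.append(Msg(205.52, "10.0.0.2", "10.0.0.1", 3))
    return [m for m in msgs if not (210.0 <= m.ts < 210.1)]


if __name__ == "__main__":
    model = train(poll_traffic(0.0, 60))
    for flow, i, d, reason in detect(model, attack_traffic()):
        print(flow, i, None if d is None else round(d, 3), reason)
```

The injected request splits one polling interval into two short ones, so it produces two "too early" alerts in the request flow (and two more in the response flow, since the outstation answers it); the suppressed poll produces a single "too late" interval of roughly twice the period. This is also where the abstract's caveat about spontaneous communications shows up: a flow that is not driven by polling has a large sigma, the band becomes wide, and an injected message is far less likely to fall outside it.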