Abstract
Recent trends in automation technology are exposing industrial control systems (ICS) to new vulnerabilities, which calls for proper security approaches in this field. The prevalent security measure in ICS is access control. In critical infrastructures especially, however, such preventive measures should be complemented by reactive ones, such as intrusion detection. Starting from the characteristics of automation networks, we outline the implications for a suitable application of intrusion detection in this field. On this basis, an approach for building self-learning anomaly detection for ICS protocols is presented. In contrast to other approaches, it takes all network data into account: flow information, application data, and the packet order. We discuss the challenges that have to be solved in each step of the network data analysis in order to identify future research directions towards learning normality in industrial control networks.
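The abstract names three views of the traffic that a self-learning detector should combine: flow information (who talks to whom), application data (what values are carried) and packet order (in which sequence messages arrive). The following is an added illustrative example, not the authors' approach or code: a minimal normality model that learns all three from attack-free training traffic and then flags deviations. The Modbus-like message fields (function, register, value), the hosts 10.0.0.10 / 10.0.0.20 and port 502 are assumptions, and the training and test traffic is constructed inline.

```python
"""Illustrative self-learning anomaly detector for an ICS protocol.

Added example (not from the paper): learns a whitelist of communication
relations (flow data), per-register value ranges (application data) and
allowed message transitions (packet order) from attack-free traffic, then
reports every deviation from the learned normality.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source host (assumed addressing)
    dst: str        # destination host
    dport: int      # destination port, e.g. 502 for Modbus/TCP (assumed)
    func: str       # application-level function, e.g. "READ" / "WRITE"
    reg: int        # register / data object address
    value: int      # payload value


class NormalityModel:
    def __init__(self):
        self.flows = set()                      # learned (src, dst, dport)
        self.ranges = {}                        # (flow, reg) -> [min, max]
        self.transitions = defaultdict(set)     # flow -> {(prev_func, func)}

    @staticmethod
    def flow_of(p):
        return (p.src, p.dst, p.dport)

    def learn(self, packets):
        """Training phase: all input is assumed to be attack-free."""
        last_func = {}
        for p in packets:
            f = self.flow_of(p)
            self.flows.add(f)
            lo_hi = self.ranges.setdefault((f, p.reg), [p.value, p.value])
            lo_hi[0] = min(lo_hi[0], p.value)
            lo_hi[1] = max(lo_hi[1], p.value)
            prev = last_func.get(f)
            if prev is not None:
                self.transitions[f].add((prev, p.func))
            last_func[f] = p.func

    def detect(self, packets):
        """Detection phase: returns (index, reason) for each deviation."""
        alerts = []
        last_func = {}
        for i, p in enumerate(packets):
            f = self.flow_of(p)
            if f not in self.flows:
                alerts.append((i, "unknown communication relation"))
                continue  # no learned ranges or order for this flow at all
            key = (f, p.reg)
            if key not in self.ranges:
                alerts.append((i, "unknown register"))
            else:
                lo, hi = self.ranges[key]
                if not lo <= p.value <= hi:
                    alerts.append((i, "value out of learned range"))
            prev = last_func.get(f)
            if prev is not None and (prev, p.func) not in self.transitions[f]:
                alerts.append((i, "unexpected message order"))
            last_func[f] = p.func
        return alerts


HMI, PLC, PORT = "10.0.0.10", "10.0.0.20", 502   # assumed hosts and port


def training_traffic():
    """Constructed cyclic HMI->PLC traffic: READ reg 1, then WRITE reg 2."""
    pkts = []
    for cycle in range(10):
        pkts.append(Packet(HMI, PLC, PORT, "READ", 1, 100 + cycle))
        pkts.append(Packet(HMI, PLC, PORT, "WRITE", 2, cycle % 2))
    return pkts


def test_traffic():
    """Constructed detection input with one deviation per traffic view."""
    return [
        Packet(HMI, PLC, PORT, "READ", 1, 105),         # normal
        Packet(HMI, PLC, PORT, "WRITE", 2, 1),          # normal
        Packet("10.0.0.99", PLC, PORT, "WRITE", 2, 1),  # new host -> flow
        Packet(HMI, PLC, PORT, "WRITE", 2, 1),          # WRITE after WRITE -> order
        Packet(HMI, PLC, PORT, "READ", 1, 900),         # 900 outside [100, 109]
    ]


def run_example():
    model = NormalityModel()
    model.learn(training_traffic())
    return model.detect(test_traffic())


if __name__ == "__main__":
    for idx, reason in run_example():
        print(f"packet {idx}: {reason}")
```

Each of the three checks corresponds to one of the data views from the abstract; a detector that only learned flows would miss the out-of-range write, and one that only learned value ranges would miss the repeated WRITE. The example also shows the caveat that the learning phase must itself be trustworthy: anything present during training becomes part of normality.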
Keywords
- Intrusion Detection
- Anomaly Detection
- Intrusion Detection System
- Critical Infrastructure
- Communication Relation
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Schuster, F., Paul, A., König, H. (2013). Towards Learning Normality for Anomaly Detection in Industrial Control Networks. In: Doyen, G., Waldburger, M., Čeleda, P., Sperotto, A., Stiller, B. (eds) Emerging Management Mechanisms for the Future Internet. AIMS 2013. Lecture Notes in Computer Science, vol 7943. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38998-6_8
DOI: https://doi.org/10.1007/978-3-642-38998-6_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38997-9
Online ISBN: 978-3-642-38998-6