Adapting Bro into SCADA

Lin, Hui; Slagell, Adam; Martino, Catello Di; Kalbarczyk, Zbigniew; Iyer, Ravishankar K.

doi:10.1145/2459976.2459982

Cited by 82 publications

(18 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Initially, it was intended for execution monitoring of security-critical programs in distributed system [10]. However, it has been applied to routing protocols such AODV [12], [13], [14] or OSLR [15], DNP3 protocol [16], [17], [18] Voice over IP [19], [20], [21] and other areas of CPS as discussed in section III. A practical experience in the use of specification-based intrusion is presented by Uppuluri and Sekar in [11].…”

Section: B Specification-based Intrusion Detectionmentioning

confidence: 99%

“…They abstract the specific details away of the protocols to focus on the physics models of the system. Unlike them, Lin et al in [16] and [17] employ only DNP3 as specification source to extract the normal behaviour of the system. Further, Berthier and Sanders in [27] use C12.22 standard protocol specification as specification source to ensure that all violations of the specified security policy of the system will be captured.…”

Section: A Specification Sourcementioning

confidence: 99%

“…1) Manual: Most of the specification extraction methods adopt a manual approach for the extraction of the correct system behaviour from the specification source [18], [27], [16], [12], [17], [24], [25], [26], [13], [14], [15], [35], [36], [33], [32], [31]. This method has been shown to be an expensive and very tedious process [27].…”

Section: B Specification Extractionmentioning

confidence: 99%

“…McParland et al in [18] use Bro scripts for specification modelling but the specific details of the communication protocols and technologies are removed to concentrate on the physics models of the devices being investigated. Similarly, the security specifications of DNP3 protocol have been modelled as a parser and integrated into Bro by Lin et al in [16], [17]. And Esquivel-Vargas et al in [30] use Bro for specification modelling of the automatically extracted correct system behaviour.…”

Section: ) Specification Modelling Using State-based Approachmentioning

confidence: 99%

See 3 more Smart Citations

A Survey of Specification-based Intrusion Detection Techniques for Cyber-Physical Systems

Nweke¹

2021

IJACSA

View full text Add to dashboard Cite

Cyber-physical systems (CPS) integrate computation and communication capabilities to monitor and control physical systems. Even though this integration improves the performance of the overall system and facilitates the application of CPS in several domains, it also introduces security challenges. Over the years, intrusion detection systems (IDS) have been deployed as one of the security controls for addressing these security challenges. Traditionally, there are three main approaches to IDS, namely: anomaly detection, misuse detection and specificationbased detection. However, due to the unique attributes of CPS, the traditional IDS need to be modified or completely replaced before it can be deployed for CPS. In this paper, we present a survey of specification-based intrusion detection techniques for CPS. We classify the existing specification-based intrusion detection techniques in the literature according to the following attributes: specification source, specification extraction, specification modelling, detection mechanism, detector placement and validation strategy. We also discuss the details of each attribute and describe our observations, concerns and future research directions. We argue that reducing the efforts and time needed to extract the system specification of specification-based intrusion detection techniques for CPS and verifying the correctness of the extracted system specification are open issues that must be addressed in the future.

show abstract

Section: B Specification-based Intrusion Detectionmentioning

confidence: 99%

Section: A Specification Sourcementioning

confidence: 99%

Section: B Specification Extractionmentioning

confidence: 99%

Section: ) Specification Modelling Using State-based Approachmentioning

confidence: 99%

See 2 more Smart Citations

A Survey of Specification-based Intrusion Detection Techniques for Cyber-Physical Systems

Nweke¹

2021

IJACSA

View full text Add to dashboard Cite

show abstract

“…Many previous efforts have focused on the modeling and detection of malicious behavior in networks, with survey papers in several domains [1], including those tailored to cyber-physical systems [7]. Efforts have also explored the intrusion detection problem specifically within smart grid and control system networks [8]. However, often these techniques cannot be deployed in production systems due to false alarms produced by base-rate fallacies [4], [9].…”

Section: Related Workmentioning

confidence: 99%

Evaluating the Observability of Network Security Monitoring Strategies With TOMATO

Halvorsen

Waite²,

Hahn

2019

IEEE Access

View full text Add to dashboard Cite

Monitoring systems for malicious behavior increasingly requires aggregating and analyzing data from various sources, such as network flows, host logs, and end-point monitoring platforms. However, there's currently a lack of metrics and methodologies to compute the observability and efficiency of a security monitoring strategy. This manuscript introduces TOMATO (Threat Observability & Monitoring Assessment Tool), which is a platform to evaluate the effectiveness of a security monitoring strategy by exploring both the number of known adversarial techniques that can be detected within a network, along with evaluating the number of false-positives produced by the monitoring strategy. The output produces both an observability score and efficiency score of a set of deployed monitoring techniques, which are evaluated based on the data from the environment, and simulated attacks generated from MITRE ATT&CK. The proposed approach is then integrated into an ELK stack and evaluated on real SCADA devices within the WSU Smart City Testbed.

show abstract

Cybersecurity ofSCADAwithin Substations

Hahn

Sun

Liu

2016

Smart Grid Handbook

View full text Add to dashboard Cite

The cybersecurity of modern substations is becoming increasingly important as they continue to integrate more digital control and communication technologies. This chapter will explore the cybersecurity threats to substations and will then discuss various mechanisms to protect them. The chapter will demonstrate how the security protections, such as encryption, authentication, access control, and intrusion detection, should be applied to substation systems. The chapter will then discuss the emerging cybersecurity requirements for both product vendors and utilities.

show abstract

Adapting Bro into SCADA

Cited by 82 publications

References 3 publications

A Survey of Specification-based Intrusion Detection Techniques for Cyber-Physical Systems

A Survey of Specification-based Intrusion Detection Techniques for Cyber-Physical Systems

Evaluating the Observability of Network Security Monitoring Strategies With TOMATO

Cybersecurity ofSCADAwithin Substations

Contact Info

Product

Resources

About