Anomaly Detection of ICS Communication Using Statistical Models

Burgetová, Ivana; Matoušek, Petr; Ryšavý, Ondřej

doi:10.23919/cnsm52442.2021.9615510

Cited by 4 publications

(2 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Regarding the anomaly detection methods for IEC-104, some multivariate access control and outlier detection approaches have been proposed using extracted packet information and communication statistics through Scapy [35] and CICFlowMeter [36] for anomaly detection [37]. In the area of statistically based anomaly detection on IEC-104, the work in [38] presents a 3-value detection method that independently compares the number of packets transmitted in three consecutive time windows against a statistical profile and reports anomalies when a deviation from the specified range is detected. To address the problem of missing labeled data, the work of [39] explores the use of unsupervised machine learning on IEC-104, in particular, one-class support vector machines, isolation forest, histogram-based outlier detection, and k-nearest neighbor are investigated.…”

Section: Related Workmentioning

confidence: 99%

On specification-based cyber-attack detection in smart grids

et al. 2022

View full text Add to dashboard Cite

The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.

show abstract

Section: Related Workmentioning

confidence: 99%

On specification-based cyber-attack detection in smart grids

et al. 2022

View full text Add to dashboard Cite

show abstract

“…ADS that leverage the overall network attributes such as throughput, number of protocols, bytes per packet are an active research area. These ADS usually adopt statistical models [138,19,137,25] or machine learning techniques [101,100,98,99,103,49,8,122] and test if the value of the selected parameters of the model is within certain boundaries. Values within the boundaries give a high probability to be a normal behavior.…”

Section: Learning Approachesmentioning

confidence: 99%

Network-based Anomaly Detection for SCADA Systems : Traffic Generation and Modeling

Lin

2022

Linköping Studies in Science and Technology. Dissertations

View full text Add to dashboard Cite

Supervisory Control and Data Acquisition (SCADA) systems control and monitor critical infrastructure in society, such as electricity transmission and distribution systems. Modern SCADA systems are increasingly adopting open standards and being connected to the Internet to enable remote control. A boost in sophisticated attacks against SCADA systems makes SCADA security a pressing issue. An Intrusion Detection System (IDS) is a security countermeasure that monitors a network and tracks unauthenticated activities inside the network. Most commercial IDSs used in general IT systems are signature-based, by which an IDS compares the system behaviors with known attack patterns. Unfortunately, recent attacks against SCADA systems exploit zero-day vulnerabilities which are undetectable by signature-based IDSs.This thesis aims to enhance SCADA system monitoring by network-based anomaly detection that models normal behaviors and finds deviations from the model. With network-based anomaly detection, zero-day attacks are possible to detect. There are two main challenges for network-based anomaly detection. The first challenge is the potentially large number of false positives coming from benign traffic that just deviates from the trained model due to the noises. To address this challenge, this thesis proposes several traffic modeling approaches based on statistics and machine learning techniques for the regular communication patterns in SCADA traffic. The second challenge is the lack of open datasets to evaluate the proposed approaches. Consequently, this thesis proposes a traffic generation framework.Thanks to Jonas Almroth, Erik Westring, and Peter Andersson in FOI and other industrial partners for helping with data collection and providing another point of view. Thanks the Swedish Civil Contingencies Agency (MSB) for financing the studies in this thesis within the Resilient Control and Information Systems (www.rics.se) project. I'm also grateful to all the PhD students, external experts, and professors that I have met within RICS project and SWITS association for the inspiring discussions and comments.Special thanks to all the administrative personnel. Thanks to Anne Moe for her compassionate support and assistance from onboarding to completion of thesis defense. I would also like to express my gratitude to former and current administrative members in the division, Eva Pelayo Danils, Åsa Kärrman, Lene Rosell, for their contributions to an efficient working environment for all of us in RTSLab and IDA.I would like to thank all the former and current members of RTSLab for contributing to an enjoyable and inspiring working environment. I appreciate their valuable input to my research and presentations during the RTS meetings or fikas. Thanks to my lunch companions for providing relaxing breaks that are full of fun and useful life experiences.Finally, I would like to express special thanks to my family and friends for encouragement and support in the past years. I would not have been able to get through the tough times without ...

show abstract