Communication Pattern Monitoring: Improving the Utility of Anomaly Detection for Industrial Control Systems

Yoon, Man-Ki; Ciocarlie, Gabriela F.

doi:10.14722/sent.2014.23012

Cited by 43 publications

(26 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Works such as [9,27] attempt to answer to this last issue. Goldenberg et al [9] focus on a industrial application protocol (Modbus) and use a deterministic finite automaton (DFA) to build a model from real traffic traces.…”

Section: Related Workmentioning

confidence: 99%

Sequence-aware Intrusion Detection in Industrial Control Systems

Caselli

Zambon

Kargl

2015

Proceedings of the 1st ACM Workshop on Cyber-Physical System Security

129

View full text Add to dashboard Cite

Nowadays, several threats endanger cyber-physical systems. Among these systems, industrial control systems (ICS) operating on critical infrastructures have been proven to be an attractive target for attackers. The case of Stuxnet has not only showed that ICSs are vulnerable to cyber-attacks, but also that some of these attacks rely on understanding the processes beyond the employed systems and using such knowledge to maximize the damage. This concept is commonly known as "semantic attack". Our paper discusses a specific type of semantic attack involving "sequences of events". Common network intrusion detection systems (NIDS) generally search for single, unusual or "not permitted" operations. In our case, rather than a malicious event, we show how a specific series of "permitted" operations can elude standard intrusion detection systems and still damage an infrastructure. Moreover, we present a possible approach to the development of a sequence-aware intrusion detection system (S-IDS). We propose a S-IDS reference architecture and we discuss all the steps through its implementations. Finally, we test the S-IDS on real ICS traffic samples captured from a water treatment and purification facility.

show abstract

Section: Related Workmentioning

confidence: 99%

Sequence-aware Intrusion Detection in Industrial Control Systems

Caselli

Zambon

Kargl

2015

Proceedings of the 1st ACM Workshop on Cyber-Physical System Security

129

View full text Add to dashboard Cite

show abstract

“…Some researchers have attempted to address this issue [5,26]. Goldenberg and Wool [5] used a deterministic finite state automaton to create a model from real Modbus traffic.…”

Section: Related Workmentioning

confidence: 99%

“…Yoon et al [26] have also focused on Modbus, but they modeled communications using dynamic Bayesian networks and probabilistic suffix trees. Each communications channel is reduced to a sequence of elements by parsing Modbus messages and pairing requests and responses.…”

Section: Related Workmentioning

confidence: 99%

Modeling Message Sequences for Intrusion Detection in Industrial Control Systems

Caselli

Zambon

Petit

et al. 2015

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing "sequence-aware" intrusion detection systems.Keywords: Industrial control systems, sequence attacks, intrusion detection IntroductionCritical infrastructure assets such as power plants, electric grids and water treatment facilities have used control systems for many decades; however, until the turn of the century, they were primarily standalone systems. The Internet and network convergence have brought about many changes to critical infrastructure assets, the most important being their transformation from standalone systems to highly interconnected systems. This transformation has introduced advantages and disadvantages. On one hand, it facilitates the remote monitoring and management of industrial processes. On the other hand, traditional information technology attacks can be launched from afar, includ-50 CRITICAL INFRASTRUCTURE PROTECTION IX ing over the Internet, to compromise industrial control systems and the critical infrastructure assets they manage. This is the case of denial-of-service and distributed denial-of-service attacks. These attacks can target a specific device in an industrial control network and flood it with a massive number of packets until it is no longer able to operate normally. This can reduce or eliminate operator situational awareness and eventually impact the coordination and control of infrastructure assets, potentially affecting the larger infrastructure and connected infrastructures, leading to serious consequences to industry, government and society.Another example involves semantic attacks. Unlike standard cyber attacks, semantic attacks exploit knowledge of specific control systems and physical processes to maximize damage. Stuxnet [4,16] is probably the most wellknown attack of this type. Meanwhile, numerous reports from the U.S. ICS-CERT have described exploits on industrial devices, such as programmable logic controllers and SCADA servers, that are triggered by carefully-crafted messages (see, e.g., [9]). Sequence attacks are a type of semantic attack. Instead of using modified message headers or pa...

show abstract

“…Works such as [162,163] focus on this last issue. Goldenberg et al analyze Modbus messages and use deterministic finite automata (DFAs) to build communication models from real traffic traces [162].…”

Section: State Of the Artmentioning

confidence: 99%

“…In the same way, Yoon et al focus on Modbus but they model communications using dynamic Bayesian networks (DBNs) and probabilistic suffix trees (PSTs) [163]. When a network communication is observed, the system looks at the likelihood of generating the related sequence of messages from the PST model.…”

Section: State Of the Artmentioning

confidence: 99%

Intrusion detection in networked control systems : from system knowledge to network security

Caselli¹

View full text Add to dashboard Cite

Communication Pattern Monitoring: Improving the Utility of Anomaly Detection for Industrial Control Systems

Cited by 43 publications

References 19 publications

Sequence-aware Intrusion Detection in Industrial Control Systems

Sequence-aware Intrusion Detection in Industrial Control Systems

Modeling Message Sequences for Intrusion Detection in Industrial Control Systems

Intrusion detection in networked control systems : from system knowledge to network security

Contact Info

Product

Resources

About