2010
DOI: 10.1007/978-3-642-14379-3_8

Cyber-Critical Infrastructure Protection Using Real-Time Payload-Based Anomaly Detection

Cited by 40 publications (31 citation statements)
References 12 publications
“…Especially, the existing control systems are naturally short of the ability to detect or report anomalous activities [13]. In recent years, anomaly detection approaches in networked control systems have been developed, and they are in principle capable of identifying novel attacks by measuring a deviation from a learned normal behavior [22]. However, it is a formidable task to completely and appropriately learn industrial communication behaviors from the network traffic of control systems, because the communication characteristics in networked control systems are strongly correlated to various industrial activities, and one not only needs to analyze the interaction contents in depth according to industrial communication protocols, but also needs to associate these contents with the time sequence.…”
Section: Introduction
confidence: 99%
“…The system is validated using 2 weeks of data from a real water treatment facility. The data was captured in the context of the Hermes, Castor and Midas projects, which also supported the work described in this thesis.…”

Table 4.2: Overview of surveyed IDS approaches (rows were spilled into the quoted sentence above; column headings are inferred from the row values, and the author name of the first row was not recovered)

Reference                       Network/host  Anomaly/signature  Validation   Aware/unaware
(name not recovered) [20]       network       anomaly            testbed      aware
Carcano et al [28,29,59]        network       anomaly            simulation   aware
Cárdenas et al [31]             network       anomaly            simulation   aware
Cheung et al [37]               network       anomaly            testbed      unaware
D'Antonio et al [45]            network       anomaly            none         unaware
Di Santo et al [49]             network       anomaly            simulation   aware
Düssel et al [51]               network       anomaly            measurement  unaware
Goldenberg and Wool [62]        network       anomaly            measurement  unaware
Gonzalez and Papa [64]          network       anomaly            testbed      unaware
Hadeli et al [69]               network       anomaly            testbed      unaware
Hadiosmanovic et al [70]        host          anomaly            measurement  unaware
Hoeve [76]                      network       anomaly            testbed      unaware
Linda et al [99]                network       anomaly            testbed      unaware
McEvoy and Wolthusen [105]      network       anomaly            simulation   aware
Oman and Phillips [116]         network       anomaly            none         unaware
Premaratne et al [122]          network       signature          testbed      unaware
Rrushi et al [125,126]          network       anomaly            none         aware
Valdes and Cheung [145]         network       anomaly            testbed      unaware
Xiao et al [151]                network       anomaly            none         aware
Yang et al [152]                host          anomaly            testbed      unaware
Section: Host/anomaly Based
confidence: 99%
“…A number of classical machine learning methods are tested in [51]. The basic approach consists of extracting traffic information using Bro [118], then applying a different combination of feature extraction methods, similarity measures and anomaly detection methods.…”
Section: Network/signature Based
confidence: 99%
“…The way an n-gram builds feature space: the extracted n-grams can be used for building different feature spaces [37]: (a) count embedding (count the number of different n-grams to describe the payload), (b) frequency embedding (use relative frequency of byte values of an n-gram to describe the payload, e.g. [15,25,115]) and (c) binary embedding (use the presence/absence of specific n-grams to describe the payload, e.g., [114]).…”
Section: N-Gram Analysis
confidence: 99%
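The three n-gram embeddings named in the statement above, combined with the "deviation from a learned normal behavior" idea from the first citation statement, as an added illustration that is not code from the cited paper or any of the citing works. The Euclidean distance and the max-training-score threshold are assumed, simple choices, and the Modbus/TCP-style payloads are constructed for the example, not taken from the paper's water-treatment data.

```python
from collections import Counter
from math import sqrt

def ngrams(payload: bytes, n: int = 2) -> list:
    """Overlapping byte n-grams of one payload (sliding window)."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]

def count_embedding(payload: bytes, n: int = 2) -> dict:
    """(a) count embedding: number of occurrences of each n-gram."""
    return dict(Counter(ngrams(payload, n)))

def frequency_embedding(payload: bytes, n: int = 2) -> dict:
    """(b) frequency embedding: relative frequency of each n-gram."""
    counts = count_embedding(payload, n)
    total = sum(counts.values()) or 1
    return {g: c / total for g, c in counts.items()}

def binary_embedding(payload: bytes, n: int = 2) -> set:
    """(c) binary embedding: which n-grams are present at all."""
    return set(ngrams(payload, n))

def normal_profile(payloads, n: int = 2) -> dict:
    """Learned normal behaviour: mean frequency vector over benign payloads."""
    acc = Counter()
    for p in payloads:
        acc.update(frequency_embedding(p, n))
    return {g: v / len(payloads) for g, v in acc.items()}

def anomaly_score(profile: dict, payload: bytes, n: int = 2) -> float:
    """Deviation from the profile: Euclidean distance between frequency vectors (assumed measure)."""
    emb = frequency_embedding(payload, n)
    return sqrt(sum((profile.get(g, 0.0) - emb.get(g, 0.0)) ** 2
                    for g in set(profile) | set(emb)))

def make_detector(payloads, n: int = 2):
    """Threshold = largest score seen on the training data (assumed, simple choice)."""
    profile = normal_profile(payloads, n)
    threshold = max(anomaly_score(profile, p, n) for p in payloads)
    return lambda payload: anomaly_score(profile, payload, n) > threshold

# Constructed sample traffic (not real captures): Modbus/TCP-style requests,
# MBAP header followed by a Read Holding Registers (0x03) PDU.
NORMAL = [bytes.fromhex(h) for h in (
    "000100000006010300000001", "000200000006010300010001",
    "000300000006010300020001", "000400000006010300030001")]
# Constructed request whose function code (0x2b) never occurs in the training set.
ODD = bytes.fromhex("000500000006012b0e010000")
PROFILE = normal_profile(NORMAL)
if __name__ == "__main__":
    print({p.hex(): round(anomaly_score(PROFILE, p), 4) for p in NORMAL + [ODD]})
```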
“…For example, authors perform partial protocol parsing to enumerate functionality that Modbus clients use, aiming to detect unexpected deviations in requests sent to PLCs [32] and interpret events on a higher level [45], fingerprint and monitor current device configuration remotely [81,99]. Düssel et al [37] propose using application syntax (not semantics) for network-based anomaly detection; they use Bro to parse RPC, SMB, NetBIOS services inside process control networks, but do not further examine ICS-specific protocols. In terms of classic IDS signatures, DigitalBond provides Snort preprocessors that add support for matching on Modbus/DNP3/EtherNetIP protocol fields [128].…”
Section: Related Work
confidence: 99%