Detecting Anomalies in Process Control Networks

Rrushi, Julian; Kang, Kyoung-Don

doi:10.1007/978-3-642-04798-5_11

Cited by 20 publications

(17 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The presented algorithm in [15] uses deep packet inspection and estimates if a network packet has anomal effect on a memory variable of an ICS device. This approach, however, requires both detailed understanding of the used ICS network protocol and extensive knowledge about variables stored in the RAM variable memory of all monitored PLCs of the ICS.…”

Section: Related Workmentioning

confidence: 99%

Towards Learning Normality for Anomaly Detection in Industrial Control Networks

Schuster

Paul

König

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Recent trends in automation technology lead to a rising exposition of industrial control systems (ICS) to new vulnerabilities. This requires the introduction of proper security approaches in this field. Prevalent in ICS is the use of access control. Especially in critical infrastructures, however, preventive security measures should be complemented by reactive ones, such as intrusion detection. Beginning from the characteristics of automation networks we outline the implications for a suitable application of intrusion detection in this field. On this basis, an approach for creation of self-learning anomaly detection for ICS protocols is presented. In contrast to other approaches, it takes all network data into account: flow information, application data, and the packet order. We discuss the challenges that have to be solved in each step of the network data analysis to identify future aspects of research towards learning normality in industrial control networks.

show abstract

Section: Related Workmentioning

confidence: 99%

Towards Learning Normality for Anomaly Detection in Industrial Control Networks

Schuster

Paul

König

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Packets are considered normal or abnormal based on the effect they have in the control system. Another approach, described in [9], is based on the observation that the contents of random access memory (RAM) of PLCs follow specific flows that persist over time. Packets are classified as normal or abnormal, by considering the effects they have in the contents of a PLC's RAM.…”

Section: Related Workmentioning

confidence: 99%

Intrusion Detection in SCADA Networks

Barbosa

Pras

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Supervisory Control and Data Acquisition (SCADA) systems are a critical part of large industrial facilities, such as water distribution infrastructures. With the goal of reducing costs and increasing efficiency, these systems are becoming increasingly interconnected. However, this has also exposed them to a wide range of network security problems. Our research focus on the development of a novel flow-based intrusion detection system. Based on the assumption that SCADA networks are well-behaved, we believe that it is possible to model the normal traffic by establishing relations between network flows. To improve accuracy and provide more information on the anomalous traffic, we will also research methods to derive a flow-based model for anomalous flows.

show abstract

“…The system is validated using 2 weeks of data from a real water treatment facility. The data was captured in the context of the Hermes, [20] network anomaly testbed aware Carcano et al [28,29,59] network anomaly simulation aware Cárdenas et al [31] network anomaly simulation aware Cheung et al [37] network anomaly testbed unaware D'Antonio et al [45] network anomaly none unaware Di Santo et al [49] network anomaly simulation aware Düssel et al [51] network anomaly measurement unaware Goldenberg and Wool [62] network anomaly measurement unaware Gonzalez and Papa [64] network anomaly testbed unaware Hadeli et al [69] network anomaly testbed unaware Hadiosmanovic et al [70] host anomaly measurement unaware Hoeve [76] network anomaly testbed unaware Linda et al [99] network anomaly testbed unaware McEvoy and Wolthusen [105] network anomaly simulation aware Oman and Phillips [116] network anomaly none unaware Premaratne et al [122] network signature testbed unaware Rrushi et al [125,126] network anomaly none aware Valdes and Cheung [145] network anomaly testbed unaware Xiao et al [151] network anomaly none aware Yang et al [152] host anomaly testbed unaware Table 4.2: Overview of surveyed IDS approaches Castor and Midas projects 4 , which also supported the work described in this thesis.…”

Section: Host/anomaly Basedmentioning

confidence: 99%

“…Process-aware approaches have also been proposed for nuclear power plants [125] (later tested in a simulated advanced boiling water reactor [126] [31]. An interesting aspect of [31] is the evaluation of the impact of different realistic attack scenarios and the discussion of responses to these attacks.…”

Section: Process-aware Approachesmentioning

confidence: 99%

See 1 more Smart Citation

Anomaly detection in SCADA systems : a network based approach

Barbosa¹

View full text Add to dashboard Cite

Detecting Anomalies in Process Control Networks

Cited by 20 publications

References 5 publications

Towards Learning Normality for Anomaly Detection in Industrial Control Networks

Towards Learning Normality for Anomaly Detection in Industrial Control Networks

Intrusion Detection in SCADA Networks

Anomaly detection in SCADA systems : a network based approach

Contact Info

Product

Resources

About