Exploiting System Model for Securing CPS: the Anomaly Based IDS Perspective

Colelli, Riccardo; Panzieri, Stefano; Pascucci, Federica

doi:10.1109/etfa.2018.8502495

Cited by 4 publications

(1 citation statement)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Due to this integration, ICSs have introduced new types of vulnerabilities, and attacks on these weaknesses may cause anomalous behaviour. There are various data sources in ICS networks that can be monitored for anomaly detection [15,16]. Different methods have been published for anomaly detection in a single source of ICS data [17,22,27].…”

Section: Background and Related Workmentioning

confidence: 99%

Automated detection-in-depth in industrial control systems

Jadidi

Foo

Hussain

et al. 2021

Int J Adv Manuf Technol

View full text Add to dashboard Cite

Legacy industrial control systems (ICSs) are not designed to be exposed to the Internet and linking them to corporate networks has introduced a large number of cyber security vulnerabilities. Due to the distributed nature of ICS devices, a detection-in-depth strategy is required to simultaneously monitor the behaviour of multiple sources of ICS data. While a detection-in-depth method leads to detecting attacks, like flooding attacks in earlier phases before the attacker can reach the end target, most research papers have focused on anomaly detection based on a single source of ICS data. Here, we present a detection-in-depth method for an ICS network. The new method is called automated flooding attack detection (AFAD) which consists of three stages: data acquisition, pre-processing, and a flooding anomaly detector. Data acquisition includes data collection from different sources like programmable logic controller (PLC) logs and network traffic. We then generate NetFlow data to provide light-weight anomaly detection in ICS networks. NetFlow-based analysis has been used as a scalable method for anomaly detection in high-speed networks. It only analyses packet headers, and it is an efficient method for detecting flooding attacks like denial of service attacks, and its performance is not affected by encrypted data. However, it has not been sufficiently studied in industrial control systems. Besides NetFlow data, ICS device logs are a rich source of information that can be used to detect abnormal behaviour. Both NetFlow traffic and log data are processed in our pre-processing stage. The third stage of AFAD is anomaly detection which consists of two parallel machine learning analysis methods, which respectively analyse the behaviours of device logs and NetFlow records. Due to the lack of enough labelled training datasets in most environments, an unsupervised predictor and an unsupervised clustering method are respectively used in the anomaly detection stage. We validated our approach using traffic captured in a factory automation dataset, Modbus dataset, and SWAT dataset. These datasets contain physical and network level normal and abnormal data. The performance of AFAD was compared with single-layer anomaly detection and with other studies. Results showed the high precision of AFAD in detecting flooding attacks.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Automated detection-in-depth in industrial control systems

Jadidi

Foo

Hussain

et al. 2021

Int J Adv Manuf Technol

View full text Add to dashboard Cite

show abstract

Last Line of Defense: Reliability Through Inducing Cyber Threat Hunting With Deception in SCADA Networks

et al. 2021

View full text Add to dashboard Cite

There exists a gap between existing security mechanisms and their ability to detect advancing threats. Antivirus and EDR (End Point Detection and Response) aim to detect and prevent threats; such security mechanisms are reactive. This approach did not prove to be effective in protecting against stealthy attacks. SCADA (Supervisory Control and Data Acquisition) security is crucial for any country. However, SCADA is always an easy target for adversaries due to a lack of security for heterogeneous devices. An attack on SCADA is mainly considered a national-level threat. Recent research on SCADA security has not considered "unknown threats," which has left a gap in security. The proactive approach, such as threat hunting, is the need of the hour. In this research, we investigated that threat hunting in conjunction with cyber deception and kill chain has countervailing effects on detecting SCADA threats and mitigating them. We have used the concept of "decoy farm" in the SCADA network, where all attacks are engaged. Moreover, we present a novel threat detection and prevention approach for SCADA, focusing on unknown threats. To test the effectiveness of approach, we emulated several Linux and Windows-based attacks on a simulated SCADA network. We have concluded that our approach detects and prevents the attacker before using the current reactive approach and security mechanism for SCADA with enhanced protection for heterogeneous devices. The results and experiments show that the proposed threat hunting approach has significantly improved the threat detection ability.

show abstract

Assessment of SCADA System Vulnerabilities

Yadav

Paul

2019

2019 24th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA)

View full text Add to dashboard Cite

Exploiting System Model for Securing CPS: the Anomaly Based IDS Perspective

Cited by 4 publications

References 4 publications

Automated detection-in-depth in industrial control systems

Automated detection-in-depth in industrial control systems

Last Line of Defense: Reliability Through Inducing Cyber Threat Hunting With Deception in SCADA Networks

Assessment of SCADA System Vulnerabilities

Contact Info

Product

Resources

About