Industrial Control System Network Intrusion Detection by Telemetry Analysis

Ponomarev, Stanislav; Atkison, Travis

doi:10.1109/tdsc.2015.2443793

Cited by 125 publications

(63 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A summary of the related work is listed in Table 1. There are reviews addressing the chal- Scientific Work Reviews [19,27] Graph-based methods [2,12,13,36,37,41,42] Graph-based and time-sensitive methods [1,45] Machine learning-based [6,14,32] Statistical processes [33,44,48,50] Wavelet analysis [25,31,35] Industrial Intrusion Detection [3,15,18,20,23,28,34,38,39,46] lenge of anomaly detection for intrusion detection. García-Teodoro et al address the challenges of this field of work while presenting techniques and systems [19].…”

Section: Related Workmentioning

confidence: 99%

“…Regis Barbosa and Pras present a novel flow-based intrusion and anomaly detection method [39]. Air gapped Industrial Control Systems (ICSs) and attacks on such Figure 1: Relation of Sub-Processes systems are evaluated by Ponomarev and Atkison [38]. Ghaeini and Tippenhauer present a hierarchical model for industrial intrusion detection to combine information from the physical, as well as the Programmable Logic Controller (PLC) layer [20].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Using Temporal and Topological Features for Intrusion Detection in Operational Networks

Antón¹,

Fraunholz²,

Schotten³

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Until two decades ago, industrial networks were deemed secure due to physical separation from public networks. An abundance of successful attacks proved that assumption wrong. Intrusion detection solutions for industrial application need to meet certain requirements that differ from home-and office-environments, such as working without feedback to the process and compatibility with legacy systems. Industrial systems are commonly used for several decades, updates are often difficult and expensive. Furthermore, most industrial protocols do not have inherent authentication or encryption mechanisms, allowing for easy lateral movement of an intruder once the perimeter is breached. In this work, an algorithm for motif discovery in time series, Matrix Profiles, is used to detect outliers in the timing behaviour of an industrial process. This process was monitored in an experimental environment, containing ground truth labels after attacks were performed. Furthermore, the graph representations of a different industrial data set that has been emulated are used to detect malicious activities. These activities can be derived from anomalous communication patterns, represented as edges in the graph. Finally, an integration concept for both methods is proposed.• Security and privacy → Intrusion detection systems; Network security; • Theory of computation → Design and analysis of algorithms; • Applied computing → Enterprise architectures.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Using Temporal and Topological Features for Intrusion Detection in Operational Networks

Antón¹,

Fraunholz²,

Schotten³

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…Kwon et al [26] present a behavior-based IDS for IEC 61850 protocol using both statistical analysis of traditional network features and specification-based metrics to secure smart grid network. Ponomarev and Atkison [27] give a network telemetry-based intrusion detection system to secure the communication of network attached ICSs, and network telemetry include temporal data of packet arrival, packet sizes, session times and sizes, amount of dropped packets and more. Although the statisticalbased approaches may identify some unknown attacks in some degree, the main drawbacks are that it is a difficult task to set the different metrics or parameters of traffic profile, and the deep industrial communication behaviors cannot be simply modeled by a statistical distribution.…”

Section: Related Workmentioning

confidence: 99%

Double Behavior Characteristics for One-Class Classification Anomaly Detection in Networked Control Systems

Wan

Shang

Zeng

2017

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Abstract-Due to the growing dependencies of information network technology, networked control systems are undergoing a severe blow of cyberattacks, and simply modeling cyberattacks is inadequate and impractical for the detection requirements, because of various vulnerabilities in these systems and the diversities of cyberattacks. Actually, a feasible viewpoint is to identify misbehaviors by constructing a normal model of industrial communication behaviors. However, one of the chief difficulties is how to completely and appropriately summarize industrial communication behaviors according to the specific communication characteristics. In view of process control and data acquisition, this paper associates industrial communication characteristics with the time sequence, and further extracts two distinct behaviors: function control behavior and process data behavior. Based on these double behavior characteristics, we introduce one-class classification to detect the corresponding anomalies, respectively. Besides, we also present the weighted mixed Kernel function and parameter optimization method to improve classification performance. Experimental results clearly demonstrate that the proposed approach has significant advantages of classification accuracy and detection efficiency.Index Terms-Function control behavior, process data behavior, one-class classification, networked control systems.

show abstract

“…Constraints on these measurements can be overcome by remote measurement method (telemetry) using UAV (Unmanned Aerial Vehicle) [3,4]. The telemetry process is the measurement of the parameters of an object (objects, space, natural conditions) whose measurement results will be sent elsewhere either via cable or wireless [5,6]. The telemetry communications UAV is carried out wirelessly.…”

Section: Introductionmentioning

confidence: 99%