Modeling Message Sequences for Intrusion Detection in Industrial Control Systems

Abstract: Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending mis… Show more

“…Sequence attacks are specific to industrial control systems and potentially harm a system by sending valid messages or commands, which are misplaced or outof-order [5]. To take control of the process, an attacker can either reprogram a PLC or directly control the process from the network, e.g., by taking control over the communication channel.…”

“…When controlling the process, an attacker sends commands in an order or timing not intended by the process. This potentially harmful sequence of commands is then called sequence attack [5].…”

“…Following the approach presented in [5] traffic is represented as a sequence of exchanges in terms of a Discrete Time Markov Chain (DTMC). In the following Algorithm 1: DTMC modeling of sequences as in [5] we use DTMC that can be defined as a tuple M = (S, T ), where S is a finite set of states and T is a transition relation, that assigns probabilities to states (s 1 , s 2 ) ∈ T , i.e.…”

“…In the following Algorithm 1: DTMC modeling of sequences as in [5] we use DTMC that can be defined as a tuple M = (S, T ), where S is a finite set of states and T is a transition relation, that assigns probabilities to states (s 1 , s 2 ) ∈ T , i.e. if there exists a transition between the states s 1 and s 2 .…”

“…Alg. 1 l. [1][2][3][4][5][6][7][8][9][10][11][12][13][14], processing its events. S2 extracts the attributes of an event and stores them in variable 'State DT M C ' (c.f.…”

Intrusion Detection for Sequence-Based Attacks with Reduced Traffic Models

“…Sequence attacks are specific to industrial control systems and potentially harm a system by sending valid messages or commands, which are misplaced or outof-order [5]. To take control of the process, an attacker can either reprogram a PLC or directly control the process from the network, e.g., by taking control over the communication channel.…”

“…When controlling the process, an attacker sends commands in an order or timing not intended by the process. This potentially harmful sequence of commands is then called sequence attack [5].…”

“…Following the approach presented in [5] traffic is represented as a sequence of exchanges in terms of a Discrete Time Markov Chain (DTMC). In the following Algorithm 1: DTMC modeling of sequences as in [5] we use DTMC that can be defined as a tuple M = (S, T ), where S is a finite set of states and T is a transition relation, that assigns probabilities to states (s 1 , s 2 ) ∈ T , i.e.…”

“…In the following Algorithm 1: DTMC modeling of sequences as in [5] we use DTMC that can be defined as a tuple M = (S, T ), where S is a finite set of states and T is a transition relation, that assigns probabilities to states (s 1 , s 2 ) ∈ T , i.e. if there exists a transition between the states s 1 and s 2 .…”

“…Alg. 1 l. [1][2][3][4][5][6][7][8][9][10][11][12][13][14], processing its events. S2 extracts the attributes of an event and stores them in variable 'State DT M C ' (c.f.…”

Intrusion Detection for Sequence-Based Attacks with Reduced Traffic Models

Protocol study and anomaly detection for server-driven traffic in SCADA networks

Attitudes and Perceptions of IoT Security in Critical Societal Services