Timing Patterns and Correlations in Spontaneous SCADA Traffic for Anomaly Detection
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. (Real-time Systems Laboratory) ORCID iD: 0000-0003-2596-9355
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. (Real-time Systems Laboratory) ORCID iD: 0000-0002-1485-0802
2019 (English) In: 22nd International Symposium on Research on Attacks, Intrusions, and Defenses (RAID), USENIX - The Advanced Computing Systems Association, 2019, p. 73-88. Conference paper, Published paper (Refereed)
Abstract [en]

Supervisory Control and Data Acquisition (SCADA) systems operate critical infrastructures in our modern society despite their vulnerability to attacks and misuse. There are several anomaly detection systems based on the cycles of polling mechanisms used in SCADA systems, but the feasibility of anomaly detection systems based on non-polling traffic, so-called spontaneous events, is not well-studied. This paper presents a novel approach to modeling the timing characteristics of spontaneous events in an IEC-60870-5-104 network and exploits the model for anomaly detection. The system is tested with a dataset from a real power utility with injected timing effects from two attack scenarios. One attack causes timing anomalies due to persistent malfunctioning in the field devices, and the other generates intermittent anomalies caused by malware on the field devices, which is considered stealthy. The detection accuracy and timing performance are promising for all the experiments with persistent anomalies. With intermittent anomalies, we found that our approach is effective for anomalies in low-volume traffic or attacks lasting over 1 hour.

Place, publisher, year, edition, pages
USENIX - The Advanced Computing Systems Association, 2019. p. 73-88
Keywords [en]
Anomaly detection, SCADA systems, IEC-60870-5-104, Critical infrastructure
National Category
Computer Engineering
Identifiers
URN: urn:nbn:se:liu:diva-161757; OAI: oai:DiVA.org:liu-161757; DiVA id: diva2:1368913
Conference
22nd International Symposium on Research on Attacks, Intrusions, and Defenses (RAID), Beijing, China, September 23-25, 2019
Note

Funding Agencies: Swedish Civil Contingencies Agency (MSB) through the RICS project

Available from: 2019-11-08. Created: 2019-11-08. Last updated: 2020-05-14. Bibliographically approved.
In thesis
1. A timing approach to network-based anomaly detection for SCADA systems
2020 (English) Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

Supervisory Control and Data Acquisition (SCADA) systems control and monitor critical infrastructure in society, such as electricity transmission and distribution systems. Modern SCADA systems are increasingly adopting open architectures, protocols, and standards and being connected to the Internet to enable remote control. A boost in sophisticated attacks against SCADA systems makes SCADA security a pressing issue. An Intrusion Detection System (IDS) is a security countermeasure that monitors a network and tracks unauthenticated activities inside the network. Most commercial IDSs used in general IT systems are signature-based, by which an IDS compares the system behaviors with known attack patterns. Unfortunately, recent attacks against SCADA systems exploit zero-day vulnerabilities in SCADA devices which are undetectable by signature-based IDSs.

This thesis aims to enhance SCADA system monitoring by anomaly detection that models normal behaviors and finds deviations from the model. With anomaly detection, zero-day attacks are possible to detect. We focus on modeling the timing attributes of SCADA traffic for two reasons: (1) the timing regularity fits the automation nature of SCADA systems, and (2) the timing information (i.e., arrival time) of a packet is captured and sent by a network driver where an IDS is located. Hence, it’s less prone to intentional manipulation by an attacker, compared to the payload of a packet.

This thesis first categorises SCADA traffic into two groups, request-response and spontaneous traffic, and studies data collected in three different protocol formats (Modbus, Siemens S7, and IEC-60870-5-104). The request-response traffic is generated by a polling mechanism. For this type of traffic, we model the inter-arrival times for each command and response pair with a statistical approach. Results presented in this thesis show that request-response traffic exists in several SCADA traffic sets collected from systems with different sizes and settings. The proposed statistical approach for request-response traffic can detect attacks having subtle changes in timing, such as a single packet insertion and TCP prediction for two of the three SCADA protocols studied.

The spontaneous traffic is generated by remote terminal units when they see significant changes in measurement values. For this type of traffic, we first use a pattern mining approach to find the timing characteristics of the data. Then, we model the suggested attributes with machine learning approaches and run them on traffic collected in a real power facility. We test our anomaly detection model with two types of attacks. One causes persistent anomalies and another only causes intermittent ones. Our anomaly detector exhibits a 100% detection rate with at most 0.5% false positive rate for the attacks with persistent anomalies. For the attacks with intermittent anomalies, we find our approach effective when (1) the anomalies last for a longer period (over 1 hour), or (2) the original traffic has relatively low volume.

Place, publisher, year, edition, pages
Linköping: Linköping University Electronic Press, 2020. p. 32
Series
Linköping Studies in Science and Technology. Licentiate Thesis, ISSN 0280-7971 ; 1881
Keywords
SCADA security, anomaly detection
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:liu:diva-165155; DOI: 10.3384/lic.diva-165155; ISBN: 9789179298364
Presentation
2020-06-11, Alan Turing, E-Building, Campus Valla, Linköping, 10:00 (English)
Funder
Swedish Civil Contingencies Agency
Available from: 2020-05-14. Created: 2020-04-17. Last updated: 2020-06-02. Bibliographically approved.

Open Access in DiVA

No full text in DiVA

Other links

https://www.usenix.org/conference/raid2019/presentation/lin

Authority records

Lin, Chih-Yuan; Nadjm-Tehrani, Simin