liu.seSearch for publications in DiVA
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • oxford
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
RICSel21 Data Collection: Attacks in a Virtual Power Network
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering.ORCID iD: 0000-0003-2596-9355
Linköping University.
FOI, Swedish Defense Research Agency, Sweden.
FOI, Swedish Defense Research Agency, Sweden.
Show others and affiliations
2021 (English)In: 2021 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Institute of Electrical and Electronics Engineers (IEEE), 2021, p. 201-206Conference paper, Published paper (Refereed)
Abstract [en]

Attacks against Supervisory Control and Data Acquisition (SCADA) systems operating critical infrastructures have increased since the appearance of Stuxnet. To defend critical infrastructures, security researchers need realistic datasets to evaluate and benchmark their defense mechanisms such as Anomaly Detection Systems (ADS). However, real-world data collected from critical infrastructures are too sensitive to share openly. Therefore, testbed datasets have become a viable option to balance the requirement of openness and realism. This study provides a data generation framework based on a virtual testbed with a commercial SCADA system and presents an openly available dataset called RICSel21, with packets in IEC-60870-5-104 protocol streams. The dataset is the result of performing 12 attacks, identifying the impact of attacks on a power management system and recording the logs of the seven successful attacks.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2021. p. 201-206
Keywords [en]
Computers, Protocols, Computer worms, Power system management, Conferences, SCADA systems, Benchmark testing
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:liu:diva-189699DOI: 10.1109/SmartGridComm51999.2021.9632328Scopus ID: 2-s2.0-85123913802ISBN: 9781665430449 (print)ISBN: 9781665415026 (electronic)OAI: oai:DiVA.org:liu-189699DiVA, id: diva2:1708285
Conference
IEEE International Conference on Smart Grid Communications (SmartGridComm), Aachen, Germany, 25-28 October, 2021
Funder
Swedish Civil Contingencies AgencyAvailable from: 2022-11-03 Created: 2022-11-03 Last updated: 2022-11-09Bibliographically approved
In thesis
1. Network-based Anomaly Detection for SCADA Systems: Traffic Generation and Modeling
Open this publication in new window or tab >>Network-based Anomaly Detection for SCADA Systems: Traffic Generation and Modeling
2022 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Supervisory Control and Data Acquisition (SCADA) systems control and monitor critical infrastructure in society, such as electricity transmission and distribution systems. Modern SCADA systems are increasingly adopting open standards and being connected to the Internet to enable remote control. A boost in sophisticated attacks against SCADA systems makes SCADA security a pressing issue. An Intrusion Detection System (IDS) is a security countermeasure that monitors a network and tracks unauthenticated activities inside the network. Most commercial IDSs used in general IT systems are signature-based, by which an IDS compares the system behaviors with known attack patterns. Unfortunately, recent attacks against SCADA systems exploit zero-day vulnerabilities which are undetectable by signature-based IDSs. 

This thesis aims to enhance SCADA system monitoring by network-based anomaly detection that models normal behaviors and finds deviations from the model. With network-based anomaly detection, zero-day attacks are possible to detect. There are two main challenges for network-based anomaly detection. The first challenge is the potentially large number of false positives coming from benign traffic that just deviates from the trained model due to the noises. To address this challenge, this thesis proposes several traffic modeling approaches based on statistics and machine learning techniques for the regular communication patterns in SCADA traffic. The second challenge is the lack of open datasets to evaluate the proposed approaches. Consequently, this thesis proposes a traffic generation framework. 

For traffic modeling, this thesis first categorises SCADA traffic into two groups, request-response and non-requested traffic, and studies data collected in a diverse set of protocol for-mats (Modbus, Siemens S7, S7+, MMS, IEC-60870-5-104). The request-response traffic is generated by a polling mechanism. For this type of traffic, we model the inter-arrival times for each request and response pair with a statistical approach. Results presented in this thesis show that request-response traffic exists in several SCADA traffic sets collected from systems with different sizes and settings. The proposed statistical approach for request-response traffic can detect attacks having subtle changes in timing. 

The non-requested traffic is generated by remote terminal units at predefined times or when they see significant changes in measurement values. For this type of traffic, we first use a pattern mining approach to find the timing characteristics of the data. Then, we model the suggested attributes with machine learning approaches. We test our anomaly detection model with two types of attacks. One causes persistent anomalies and another only causes intermittent ones. Our anomaly detector exhibits a 100% detection rate with at most 0.5% false positive rate for the attacks with persistent anomalies. For the attacks with intermittent anomalies, we find our approach effective when anomalous patterns last for a longer period (over 30 minutes). 

For traffic generation, this thesis conducts a comparative analysis between network traces collected from testbeds and a real power utility. The analysis shows that the testbed traffic may be prone to overly regular patterns. This is considered to be the result of lack of plausible human interactions within the testbed. Therefore, this thesis proposes a traffic generation framework built upon a virtual testbed. The framework provides programmable BOTs to mimic human activities such as commands from the operators and attacks. 

Place, publisher, year, edition, pages
Linköping: Linköping University Electronic Press, 2022. p. 55
Series
Linköping Studies in Science and Technology. Dissertations, ISSN 0345-7524 ; 2266
National Category
Computer Systems
Identifiers
urn:nbn:se:liu:diva-189703 (URN)10.3384/9789179295189 (DOI)9789179295172 (ISBN)9789179295189 (ISBN)
Public defence
2022-12-19, Ada Lovelace, B-building, Campus Valla, Linköping, 13:15 (English)
Opponent
Supervisors
Funder
Swedish Civil Contingencies Agency
Available from: 2022-11-03 Created: 2022-11-03 Last updated: 2022-11-21Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Lin, Chih-YuanNadjm-Tehrani, Simin

Search in DiVA

By author/editor
Lin, Chih-YuanFundin, AugustNadjm-Tehrani, Simin
By organisation
Software and SystemsFaculty of Science & EngineeringLinköping University
Computer Systems

Search outside of DiVA

GoogleGoogle Scholar

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 387 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • oxford
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf