Timing-Based Anomaly Detection in SCADA Networks
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. (RTSLAB - Real-Time Systems Laboratory) ORCID iD: 0000-0003-2596-9355
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. (RTSLAB - Real-Time Systems Laboratory) ORCID iD: 0000-0002-1485-0802
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. (RTSLAB - Real-Time Systems Laboratory) ORCID iD: 0000-0003-1916-3398
2018 (English) In: Critical Information Infrastructures Security, Springer, 2018, p. 48-59. Conference paper, Published paper (Refereed)
Abstract [en]

Supervisory Control and Data Acquisition (SCADA) systems that operate our critical infrastructures are subject to increased cyber attacks. Due to the use of request-response communication in polling, SCADA traffic exhibits stable and predictable communication patterns. This paper provides a timing-based anomaly detection system that uses the statistical attributes of the communication patterns. This system is validated with three datasets, one generated from real devices and two from emulated networks, and is shown to have a False Positive Rate (FPR) under 1.4%. The tests are performed in the context of three different attack scenarios, which involve valid messages so they cannot be detected by whitelisting mechanisms. The detection accuracy and timing performance are adequate for all the attack scenarios in request-response communications. With other interaction patterns (i.e. spontaneous communications), we found instead that 2 out of 3 attacks are detected.

Place, publisher, year, edition, pages
Springer, 2018. p. 48-59
Series
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349
Keywords [en]
SCADA, Industrial Control System (ICS), Anomaly detection, Traffic periodicity
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:liu:diva-154394
DOI: 10.1007/978-3-319-99843-5_5
ISBN: 978-3-319-99842-8 (print)
ISBN: 978-3-319-99843-5 (electronic)
OAI: oai:DiVA.org:liu-154394
DiVA, id: diva2:1287404
Conference
CRITIS, Lucca, Italy, 8-13 October, 2017
Projects
RICS (Resilient Information and Control Systems)
Available from: 2019-02-11 Created: 2019-02-11 Last updated: 2019-02-15 Bibliographically approved

Authors: Lin, Chih-Yuan; Nadjm-Tehrani, Simin; Asplund, Mikael
