Timing Patterns and Correlations in Spontaneous SCADA Traffic for Anomaly Detection
Lin, Chih-Yuan. Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering (Real-time Systems Laboratory). ORCID iD: 0000-0003-2596-9355
Nadjm-Tehrani, Simin. Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering (Real-time Systems Laboratory). ORCID iD: 0000-0002-1485-0802
2019 (English). In: 22nd International Symposium on Research on Attacks, Intrusions, and Defenses (RAID), USENIX - The Advanced Computing Systems Association, 2019. Conference paper, Published paper (Refereed)
Abstract [en]

Supervisory Control and Data Acquisition (SCADA) systems operate critical infrastructures in our modern society despite their vulnerability to attacks and misuse. There are several anomaly detection systems based on the cycles of polling mechanisms used in SCADA systems, but the feasibility of anomaly detection systems based on non-polling traffic, so-called spontaneous events, is not well studied. This paper presents a novel approach to modeling the timing characteristics of spontaneous events in an IEC-60870-5-104 network and exploits the model for anomaly detection. The system is tested with a dataset from a real power utility with injected timing effects from two attack scenarios. One attack causes timing anomalies due to persistent malfunctioning in the field devices, and the other generates intermittent anomalies caused by malware on the field devices, which is considered stealthy. The detection accuracy and timing performance are promising for all the experiments with persistent anomalies. With intermittent anomalies, we found that our approach is effective for anomalies in low-volume traffic or attacks lasting over 1 hour.
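The abstract describes modelling the timing of spontaneous (cause of transmission 3) events per information object in an IEC 60870-5-104 network and using that model to catch persistent and intermittent timing anomalies, but the record does not reproduce the model. The sketch below is an added, self-contained Python example, not the authors' code and not the paper's model: the simplest form of the idea, a per-IOA inter-arrival baseline, a z-score alarm per event, and a window-level verdict that separates a persistent flood from a few scattered extra events. The traffic itself, IOAs 100 and 200, the 10x flooding rate, the 35%-of-period "malware beacon" offset, the 600 s window and the 4-sigma and 10% thresholds are all constructed assumptions for the example. It also illustrates one reason a handful of injected events is hard to see in a high-volume address and easy to see in a low-volume one: at the window level the same six alarms are diluted by 300 legitimate events in one case and by 10 in the other.

```python
"""Timing-based anomaly detection on IEC 60870-5-104 spontaneous events. Illustration
only, not the model from the paper: a per-IOA inter-arrival baseline, per-event z-score
alarms and a window-level persistent/intermittent verdict. All traffic is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

COT_SPONTANEOUS = 3  # IEC 60870-5-104 cause of transmission "spontaneous"
JITTER = (0.0, 0.04, -0.03, 0.02, -0.02)  # constructed relative jitter cycle for generated traffic

@dataclass(frozen=True)
class Asdu:
    """Minimal ASDU view: arrival time (s), information object address, cause of transmission."""
    ts: float
    ioa: int
    cot: int = COT_SPONTANEOUS

def gen_spontaneous(ioa: int, period: float, n: int, start: float = 0.0) -> List[Asdu]:
    """Constructed stream of n spontaneous events from one IOA with a deterministic jitter cycle."""
    events, t = [], start
    for i in range(n):
        t += period * (1.0 + JITTER[i % len(JITTER)])
        events.append(Asdu(t, ioa))
    return events

def build_baseline(training: Iterable[Asdu]) -> Dict[int, Tuple[float, float]]:
    """Per-IOA (mean, std) of inter-arrival times of COT=3 events in attack-free traffic."""
    last, deltas = {}, defaultdict(list)
    for e in sorted(training, key=lambda e: e.ts):
        if e.cot == COT_SPONTANEOUS:
            if e.ioa in last:
                deltas[e.ioa].append(e.ts - last[e.ioa])
            last[e.ioa] = e.ts
    # a perfectly periodic baseline would make every deviation infinite; give std a 1% floor
    return {ioa: (mean(d), pstdev(d) or 0.01 * mean(d)) for ioa, d in deltas.items()}

def detect(events: Iterable[Asdu], baseline, z_thresh: float = 4.0) -> List[Tuple[Asdu, float]]:
    """Flag events whose inter-arrival deviates more than z_thresh std from their IOA's baseline;
    an IOA absent from the baseline is flagged with z=inf (unexpected address)."""
    last, alarms = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if e.cot != COT_SPONTANEOUS:
            continue
        if e.ioa not in baseline:
            alarms.append((e, float("inf")))
        elif e.ioa in last:
            mu, sigma = baseline[e.ioa]
            z = (e.ts - last[e.ioa] - mu) / sigma
            if abs(z) > z_thresh:
                alarms.append((e, z))
        last[e.ioa] = e.ts
    return alarms

def verdicts(events, alarms, window=600.0, min_ratio=0.1, persist=3) -> Dict[int, str]:
    """Per IOA: fraction of its events flagged in each fixed window; 'persistent' if >= persist
    consecutive windows exceed min_ratio, 'intermittent' if any window does, else 'normal'."""
    flagged, by_ioa, out = {e for e, _ in alarms}, defaultdict(list), {}
    for e in events:
        by_ioa[e.ioa].append(e)
    for ioa, evs in by_ioa.items():
        t0 = min(e.ts for e in evs)
        n = int((max(e.ts for e in evs) - t0) // window) + 1
        total, bad = [0] * n, [0] * n
        for e in evs:
            k = int((e.ts - t0) // window)
            total[k] += 1
            bad[k] += e in flagged
        run = best = 0
        for b, t in zip(bad, total):
            run = run + 1 if t and b / t >= min_ratio else 0
            best = max(best, run)
        out[ioa] = "persistent" if best >= persist else "intermittent" if best else "normal"
    return out

def run_scenarios(window: float = 600.0) -> Dict[str, dict]:
    """Baseline on 2 h of constructed quiet traffic, then score three 1 h constructed test streams."""
    baseline = build_baseline(gen_spontaneous(100, 60.0, 120) + gen_spontaneous(200, 2.0, 3600))
    t0 = 7300.0
    quiet100 = gen_spontaneous(100, 60.0, 60, t0)   # low-volume IOA: one event per minute
    quiet200 = gen_spontaneous(200, 2.0, 1800, t0)  # high-volume IOA: one event every 2 s
    # constructed 'malware' extras: one spontaneous event 35% of a period after selected events
    def beacons(stream, period, idxs):
        return [Asdu(stream[i].ts + 0.35 * period, stream[i].ioa) for i in idxs]
    scenarios = {
        # field device malfunctions and floods IOA 100 at 10x its normal rate for 30 min
        "persistent_malfunction": gen_spontaneous(100, 6.0, 300, t0) + quiet200,
        # three extra events hidden in the busy IOA 200 stream
        "intermittent_high_volume": quiet100 + quiet200 + beacons(quiet200, 2.0, (100, 700, 1300)),
        # the same three extra events in the sparse IOA 100 stream
        "intermittent_low_volume": quiet100 + beacons(quiet100, 60.0, (10, 30, 50)) + quiet200,
    }
    report = {}
    for name, test in scenarios.items():
        alarms = detect(test, baseline)
        counts = Counter(e.ioa for e, _ in alarms)
        report[name] = {"alarms": dict(counts), "verdict": verdicts(test, alarms, window)}
    return report
```

Calling `run_scenarios()` returns, per scenario, the number of per-event alarms per IOA and the window-level verdict per IOA. The flood on IOA 100 produces an alarm on almost every event and three consecutive alarm windows, so it is labelled persistent within 30 minutes. The three beacons produce the same six per-event alarms whether they sit in IOA 200 or IOA 100, but only in the sparse IOA 100 stream do they push any 600 s window over the 10% ratio; in the 2 s stream the verdict stays "normal", which is the window-level view of why such anomalies are called stealthy.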

Place, publisher, year, edition, pages
USENIX - The Advanced Computing Systems Association, 2019.
Keywords [en]
Anomaly detection, SCADA systems, IEC-60870-5-104, Critical infrastructure
National Category
Computer Engineering
Identifiers
URN: urn:nbn:se:liu:diva-161757
OAI: oai:DiVA.org:liu-161757
DiVA, id: diva2:1368913
Conference
22nd International Symposium on Research on Attacks, Intrusions, and Defenses (RAID), Beijing, China, September 23-25, 2019
Available from: 2019-11-08. Created: 2019-11-08. Last updated: 2019-11-18. Bibliographically approved.

Open Access in DiVA

No full text in DiVA

Other links

https://www.usenix.org/conference/raid2019/presentation/lin

Authority records

Lin, Chih-Yuan; Nadjm-Tehrani, Simin
