Exploiting Bro for Intrusion Detection in a SCADA System
2016 (English)
In: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, ACM Digital Library, 2016, 44-51 p.
Conference paper (Refereed)
Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly run with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, and the legacy aspects, make adding new security mechanisms in an efficient manner far from trivial. In this paper we study an anomaly detection based approach that enables detecting zero-day malicious threats and benign misconfigurations and mishaps. The approach builds on an existing platform (Bro) that lends itself to modular addition of new protocol parsers and event handling mechanisms. As an example we have shown an application of the technique to the IEC-60870-5-104 protocol and tested the anomaly detector with mixed results. The detection accuracy and false positive rate, as well as the real-time response, were adequate for 3 of our 4 created attacks. We also discovered some additional work that needs to be done to an existing protocol parser to extend its reach.
Place, publisher, year, edition, pages
ACM Digital Library, 2016. 44-51 p.
Anomaly detection, IDS, Bro, SCADA, IEC 60870-5-104
Identifiers
URN: urn:nbn:se:liu:diva-131559
DOI: 10.1145/2899015.2899028
ISBN: 978-1-4503-4288-9
OAI: oai:DiVA.org:liu-131559
DiVA: diva2:974379
2nd ACM Cyber-Physical System Security Workshop (CPSS 2016), held in conjunction with ACM Asia Conference on Computer and Communications Security (Asia CCS'16), Xi’an, China, May 30 - June 03, 2016
Funder
VINNOVA
Swedish Civil Contingencies Agency
Linköpings universitet