Exploiting Bro for Intrusion Detection in a SCADA System
Sectra AB, Linköping, Sweden.
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. (Real-time Systems Laboratory). ORCID iD: 0000-0003-1916-3398
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. (Real-time Systems Laboratory)
The Royal Institute of Technology, Stockholm, Sweden. (Industrial Information and Control Systems)
2016 (English). In: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, ACM Digital Library, 2016, pp. 44-51. Conference paper, Published paper (Refereed)
Abstract [en]

Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly run with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, and the legacy aspects, make adding new security mechanisms in an efficient manner far from trivial. In this paper we study an anomaly detection based approach that enables detecting zero-day malicious threats and benign malconfigurations and mishaps. The approach builds on an existing platform (Bro) that lends itself to modular addition of new protocol parsers and event handling mechanisms. As an example we have shown an application of the technique to the IEC-60870-5-104 protocol and tested the anomaly detector with mixed results. The detection accuracy and false positive rate, as well as real-time response, were adequate for 3 of our 4 created attacks. We also discovered some additional work that needs to be done to an existing protocol parser to extend its reach.

Place, publisher, year, edition, pages
ACM Digital Library, 2016. 44-51 p.
Keyword [en]
Anomaly detection, IDS, Bro, SCADA, IEC 60870-5-104
National Category
Computer Science
Identifiers
URN: urn:nbn:se:liu:diva-131559
DOI: 10.1145/2899015.2899028
ISBN: 978-1-4503-4288-9 (print)
OAI: oai:DiVA.org:liu-131559
DiVA: diva2:974379
Conference
2nd ACM Cyber-Physical System Security Workshop (CPSS 2016), held in conjunction with ACM Asia Conference on Computer and Communications Security (Asia CCS'16), Xi’an, China, May 30 - June 03, 2016
Funder
VINNOVA; Swedish Civil Contingencies Agency; Linköpings universitet
Available from: 2016-09-26. Created: 2016-09-26. Last updated: 2016-10-03. Bibliographically approved

Open Access in DiVA

Full text (1667 kB), 116 downloads
File information
File name: FULLTEXT02.pdf
File size: 1667 kB
Checksum (SHA-512): f404392f842b95bae2ba5a56f165673a561c444c400ce075f3c07fba452581d52cf008393d37064d74abc8773a181d3dfd022ba9825088876cb90ccf060fb1f8
Type: fulltext
Mimetype: application/pdf

Search in DiVA

By author/editor: Asplund, Mikael; Nadjm-Tehrani, Simin
By organisation: Software and Systems; Faculty of Science & Engineering
By subject: Computer Science

Total: 116 downloads
The number of downloads is the sum of all downloads of full texts. It may include, e.g., previous versions that are no longer available.
