Detection, correlation, and visualization of attacks against critical infrastructure systems

PST 2010: 2010 8th International Conference on Privacy, Security and Trust

Volumn , Issue , 2010, Pages 15-22

  Briesemeister, Linda ^a   Cheung, Steven ^a   Lindqvist, Ulf ^a   Valdes, Alfonso ^a  

^a SRI INTERNATIONAL   (United States)

Author keywords

Alert correlation; Control system security; Critical infrastructure security; Intrusion and anomaly detection; Security information event management

Indexed keywords

ALERT CORRELATION; ANOMALY DETECTION; CONTROL SYSTEM SECURITY; CRITICAL INFRASTRUCTURE; EVENT MANAGEMENT;

COMPUTER CRIME; CONTROL SYSTEM ANALYSIS; CORRELATION METHODS; DIGITAL CONTROL SYSTEMS; INDUSTRIAL WATER TREATMENT; INTRUSION DETECTION; NETWORK LAYERS; PUBLIC WORKS; VISUALIZATION;

PROCESS CONTROL;

EID: 78549288504     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/PST.2010.5593242     Document Type: Conference Paper

References (22)

1. S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, and A. Valdes, "Using model-based intrusion detection for SCADA networks," in Proceedings of the SCADA Security Scientific Symposium, Miami Beach, Florida, Jan. 2007.
2. A. Blum, D. Song, and S. Venkataraman, "Detection of interactive stepping stones: Algorithms and confidence bounds," in Recent Advances in Intrusion Detection (RAID). Springer, 2004, pp. 258-277.
3. S. Staniford-Chen and L. Heberlein, "Holding intruders accountable on the Internet," in Proceedings of the 1995 IEEE Symposium on Security and Privacy, 1995, pp. 39-49.
4. British Columbia Institute of Technology (BCIT), "NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks. Revision 14," Feb. 2005.
5. M. Roesch, "Snort: Lightweight intrusion detection for networks," in Proceedings of LISA '99: 13th Systems Administration Conference, Seattle, Washington, Nov. 7-12, 1999, pp. 229-238.
6. A. Valdes and K. Skinner, "Adaptive, model-based monitoring for cyber attack detection," in Recent Advances in Intrusion Detection (RAID 2000), ser. LNCS, H. Debar, L. Me, and F. Wu, Eds., Toulouse, France, Oct. 2000.
7. P. Porras and P. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," in Network Information Security Conference, 1997.
8. U. Lindqvist and P. A. Porras, "Detecting computer and network misuse through the production-based expert system toolset (P-BEST)," in Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, California, May 9-12, 1999, pp. 146-161.
9. "Symantec Endpoint Protection System," last accessed March 25, 2010. [Online]. Available: http://www.symantec.com/business/endpoint-protection
10. "McAfee Antivirus Enterprise," last accessed March 30, 2010. [Online]. Available: http://www.mcafee.com/us/enterprise/products/system- security/servers/virusscan-enterprise.html
11. Digital Bond, "IDS signatures," last accessed April 20, 2010. [Online]. Available: http://www.digitalbond.com/index.php/research/scada-idsips/ ids-signatures/
12. A. Valdes and S. Cheung, "Communication pattern anomaly detection in process control systems," in 2009 IEEE International Conference on Technologies for Homeland Security, Waltham, MA, May 11-12, 2009.
13. P. Porras, M. Fong, and A. Valdes, "A mission-impact-based approach to INFOSEC alarm correlation," in Proceedings of Recent Advances in Intrusion Detection, October 2002, pp. 95-114. [Online]. Available: http://www.csl.sri.com/papers/mcorrelator/
14. "Invensys process systems," last accessed March 23, 2010. [Online]. Available: http://www.ips.invensys.com/en/products/autocontrols/Pages/ DistributedControl-IASeries-P018.aspx
15. M. McDonald, J. Mulder, B. Richardson, R. Cassidy, A. Chavez, N. Pattengale, G. Pollock, J. Urrea, M. Schwartz, W. Atkins, and R. Halbgewachs, "Modeling and Simulation for Cyber-physical System Security Research, Development and Applications," Sandia National Laboratories, Tech. Rep. Sandia Report SAND2010-0568, Feb. 2010.
16. "ICCP," last accessed April 21, 2010. [Online]. Available: http://intelligrid.ipower.com/IntelliGrid-Architecture/NewTechnologies/ Tech-IEC-60870-6-%28ICCP%29.htm
17. "DATES demo at DistribuTech 2010," last accessed April 21, 2010. [Online]. Available: http://www.csl.sri.com/projects/dates/distributech. html
18. J. Eisenhauer, P. Donnelly, M. Ellis, and M. O'Brien, "Roadmap to secure control systems in the energy sector." [Online]. Available: http://www.oe.energy.gov/Roadmap-to-Secure-Control-Systems-in-the-Energy-Sector. pdf
19. J. Stamp, M. Berg, and M. Baca, "Reference Model for Control and Automation Systems in Electrical Power," Sandia National Laboratories, Tech. Rep., 2005.
20. "Linking the oil and gas industry to improve cybersecurity," last accessed March 23, 2010. [Online]. Available: http://www.cyber.st.dhs.gov/ logiic.html
21. "Tofino," last accessed April 20, 2010. [Online]. Available: http://www.tofinosecurity.com/products/Tofino-Firewall-LSM
22. "Industrial defender," last accessed April 20, 2010. [Online]. Available: http://www.industrialdefender.com/