A log mining approach for process monitoring in SCADA

International Journal of Information Security

Volumn 11, Issue 4, 2012, Pages 231-251

  Hadžiosmanović, Dina ^a   Bolzoni, Damiano ^a   Hartel, Pieter H ^a  

^a UNIVERSITY OF TWENTE   (Netherlands)

Author keywords

Frequent pattern mining; HAZOP; ICS; Log analysis; MELISSA; PHEA; Process related threat; SCADA; SCADA log; Security

Indexed keywords

FREQUENT PATTERN MINING; HAZOP; ICS; LOG ANALYSIS; MELISSA; PHEA; PROCESS RELATED THREAT; SCADA; SCADA LOG; SECURITY;

INTELLIGENT CONTROL; PROCESS MONITORING; WELL LOGGING;

SCADA SYSTEMS;

EID: 84864415794     PISSN: 16155262     EISSN: 16155270     Source Type: Journal    
DOI: 10.1007/s10207-012-0163-8     Document Type: Article

References (37)

1. Agrawal, R., Srikant, R.: Fast algorithms for mining association rules in large databases. In: Bocca, J. B., Jarke, M., Zaniolo, C. (eds.) In: Proceedings of the 20th International Conference on VLDB, pp. 487-499. Morgan Kaufmann (1994).
2. Balducelli C., Lavalle L., Vicoli G.: Novelty detection and management to safeguard information-intensive critical infrastructures. Int. J. Emerg. Manag. 4(1), 88-103 (2007).
3. Begnum K., Burgess M.: Principle components and importance ranking of distributed anomalies. Mach. Learn. 58, 217-230 (2005).
4. Bellettini, C., Rrushi, J.: Vulnerability analysis of SCADA protocol binaries through detection of memory access taintedness. In: John Hill, L. T. C. (ed.) Proceedings of 8th IEEE SMC Information Assurance Workshop, pp. 341-348. IEEE Press (2007).
5. Bigham J., Gamez D., Lu, N.: Safeguarding SCADA systems with anomaly detection. In: Proceedings of 2nd International Workshop on Mathematical Methods, Models and Architectures for Computer Network Security, LNCS 2776, pp. 171-182. Springer (2003).
6. Brijs, T., Geurts, K., Wets, G., Vanhoof, K.: Profiling high frequency accident locations using association rules. In: Proceedings of 82nd Annual Transportation Research Board, Washington DC (USA), pp. 123-130. Transportation Research Board (2003).
7. Burdick D., Calimlim M., Flannick J., Gehrke J., Yiu T.: MAFIA: A maximal frequent itemset algorithm. IEEE Trans. Knowl. Data Eng. 17, 1490-1504 (2005).
8. Burns, L., Hellerstein, J. L., Ma, S., Perng, C. S., Rabenhorst, D. A., Taylor, D. J.: Towards discovery of event correlation rules. In: Proceedings of IEEE/IFIP International Symposium on Integrated Network Management, pp. 345-359 (2001).
9. Control Systems Security Program. Common cybersecurity vulnerabilities in industrial control systems. U. S. Department of Homeland Security (2011).
10. Goethals, B., Zaki, M. (eds.): FIMI '03, Frequent itemset mining implementations, Florida, USA, vol. 90 of CEUR Workshop Proceedings (2003).
11. Grahne G., Zhu J.: Fast algorithms for frequent itemset mining using FP-Trees. IEEE Trans. Knowl. Data Eng. 17, 1347-1362 (2005).
12. Han J., Kamber M.: Data mining concepts and techniques, 2 pap edn. Morgan Kaufmann, San Francisco, CA (2006).
13. Hellerstein J. L., Ma S., Perng C.-S.: Discovering actionable patterns in event data. IBM Syst. J. 41, 475-493 (2002).
14. Hieb J., Graham J., Guan J.: An ontology for identifying cyber intrusion induced faults in process control systems. In: Palmer, C., Shenoi, S. (eds.) Critical Infrastructure Protection III, vol. 311 of IFIP Advances in Information and Communication Technolog, pp. 125-138. Springer, Boston (2009).
15. Julisch, K., Dacier, M.: Mining intrusion detection alarms for actionable knowledge. In: Proceedings of 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD '02, pp. 366-375. ACM, New York, NY, USA (2002).
16. Lee, W., Stolfo, S.: Data mining approaches for intrusion detection. In: Proceedings of 7th Conference on USENIX Security Symposium-vol. 7, pp. 6-6. Berkeley, CA, USA, USENIX Association (1998).
17. Lim, N., Singh, N., Yajnik, S.: A log mining approach to failure analysis of enterprise telephony systems. In: Proceedings of the IEEE International Conference on Dependable Systems and Networks with FTCS and DCC, pp. 398-403. (2008).
18. Lees F. P.: Less' Loss Prevention in the Process Industries. 3rd edn. Butterworth-Heinemann, Guildford (2005).
19. Liu, Y., Ning, P., Reiter, M.: False data injection attacks against state estimation in electric power grids. In: Proceedings of 16th ACM Conference on Computer and Communications Security, CCS '09, pp. 21-32. ACM, New York, NY, USA (2009).
20. Manganaris S., Christensen M., Zerkle D., Hermiz K.: A data mining analysis of RTID alarms. Comput. Netw. 34, 571-577 (2000).
21. Naedele, M., Biderbost, O.: Human-assisted intrusion detection for process control systems. Accepted for 2nd Int. Conf. on Applied Cryptography and Network Security (ACNS) (2004).
22. Narayanan N. H., Viswanadham N.: A methodology for knowledge acquisition and reasoning in failure analysis of systems. IEEE Trans. Syst. Man Cybern. 17(2), 274-288 (1987).
23. Oliner, A., Stearley, J.: What supercomputers say: a study of five system logs. In: Proceedings of 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 575-584. (2007).
24. Paxson V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31, 2435-2463 (1999).
25. Ponemon Institute.: State of it security: Study of utilities and energy companies, 2011. http://q1labs. com/resource-center/white-papers. aspx.
26. Rantala, R.: Cybercrime against businesses. Technical report, U. S. Dept. of Justice, Office of Justice Programs, Bureau of Justice Statistics, Washington, DC (2004).
27. Rege-Patwardhan A.: Cybercrimes against critical infrastructures: a study of online criminal organization and techniques. Crim. Justice Stud. 22(3), 261-271 (2009).
28. Rouillard, J.: Real-time log file analysis using the simple event correlator (sec). In: Proceedings of 18th USENIX conference on System administration, pp. 133-150. USENIX Association, Berkeley, CA, USA (2004).
29. Salfner, F., Tschirpke, S.: Error log processing for accurate failure prediction. In: Proceedings of 1st USENIX conference on Analysis of system logs, WASL'08, pp. 4-4. USENIX Association, Berkeley, CA, USA (2008).
30. Salfner, F., Tschirpke, S., Malek, M.: Comprehensive logfiles for autonomic systems. In: Proceedings of 18th International Symposium on Parallel and Distributed Processing, p. 211 (2004).
31. Shaw, W. T.: Cybersecurity for SCADA Systems. PennWell Corp. Tulsa (2006).
32. Slay J., Miller M.: Lessons learned from the maroochy water breach. In: Goetz, E., Shenoi, S. (eds.) Critical Infrastructure Protection, vol. 253 of IFIP International Federation for Information Processing, pp. 73-82. Springer, Boston (2007).
33. Srivatanakul, T., Clark, J., Polack, F.: Effective security requirements analysis: Hazop and use cases. In: Information Security: 7th International Conference, LNCS 3225, pp. 416-427. Springer (2004).
34. Stouffer, K., Falco, J., Scarfone, K.: Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82. National Institute of Standards and Technology (2011).
35. Vaarandi, R.: Tools and technigues for event log analysis. PhD thesis, Tallinn University of Technology (2005).
36. Winther, R., Johnsen, O., Gran, B.: Security assessments of safety critical systems using hazops. In: SAFECOMP '01: Proceedings of 20th International Conference on Computer Safety, Reliability and Security, LNCS 2187, pp. 14-24. Springer, London, UK (2001).
37. Xu, W., Huang, L., Fox, A., Patterson, D., Jordan, M.: Mining console logs for large-scale system problem detection. In: Proceedings of 3rd Conference on Tackling Computer Systems Problems with Machine Learning Techniques, SysML'08, pp. 4-4. USENIX Association, Berkeley, CA, USA (2008).