Sequence-aware intrusion detection in industrial control systems

CPSS 2015 - Proceedings of the 1st ACM Workshop on Cyber-Physical System Security, Part of ASIACCS 2015

Volumn , Issue , 2015, Pages 13-24

  Caselli, Marco ^a   Zambon, Emmanuele ^a   Kargl, Frank ^a,b  

^a UNIVERSITY OF TWENTE   (Netherlands)

^b UNIVERSITY OF ULM   (Germany)

Author keywords

Cyber physical system; Intrusion detection system; Semantic attack; Sequence attack

Indexed keywords

COMPUTER CRIME; CONTROL SYSTEMS; CYBER PHYSICAL SYSTEM; DAMAGE DETECTION; EMBEDDED SYSTEMS; NETWORK SECURITY; SEMANTICS; WATER TREATMENT;

COMMON NETWORKS; CYBER-ATTACKS; INDUSTRIAL CONTROL SYSTEMS; INTRUSION DETECTION SYSTEMS; PURIFICATION FACILITIES; REFERENCE ARCHITECTURE; SEMANTIC ATTACKS; SEQUENCE ATTACK;

INTRUSION DETECTION;

EID: 84929713854     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2732198.2732200     Document Type: Conference Paper

References (27)

1. R. R. R. Barbosa, R. Sadre, and A. Pras. Flow whitelisting in scada networks. International journal of critical infrastructure protection, 6(3):150-158, 2013.
2. D. Bolzoni, S. Etalle, and P. Hartel. Poseidon: a 2-tier anomaly-based network intrusion detection system. In Information Assurance, 2006. IWIA 2006. Fourth IEEE International Workshop on, pages 10-pp.
3. M. Caselli, E. Zambon, J. Petit, and F. Kargl. Modeling message sequences for intrusion detection in industrial control systems. In Critical Infrastructure Protection IX. Springer, 2015. To appear.
4. V. Chandola, A. Banerjee, and V. Kumar. Anomaly detection for discrete sequences: A survey. Knowledge and Data Engineering, IEEE Transactions on, 24(5):823-839, 2012.
5. H. Debar, M. Dacier, and A. Wespi. Towards a taxonomy of intrusion-detection systems. Elsevier Computer Networks, 31(8):805-822, 1999.
6. Equipment, IEC Telecontrol. Systems-part 5-104: Transmission protocols-network access for iec 60870-5-101 using standard transport profiles. IEC Standard, 60870, 2006.
7. N. Falliere, L. O. Murchu, and E. Chien. W32. stuxnet dossier. White paper, Symantec Corp., Security Response, 2011.
8. I. N. Fovino, A. Carcano, T. D. L. Murel, A. Trombetta, and M. Masera. Modbus/DNP3 State-Based Intrusion Detection System. IEEE Advanced Information Networking and Applications, International Conference on, 0:729-736, 2010.
9. N. Goldenberg and A. Wool. Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems. Elsevier International Journal of Critical Infrastructure Protection, 6(2):63-75, 2013.
10. D. Hadžiosmanović, L. Simionato, D. Bolzoni, E. Zambon, and S. Etalle. N-gram against the machine: On the feasibility of the n-gram network analysis for binary protocols. In RAID, pages 354-373. Springer, 2012.
11. D. Hadžiosmanović, R. Sommer, E. Zambon, and P. H. Hartel. Through the eye of the plc: semantic security monitoring for industrial processes. In Proceedings of the 30th Annual Computer Security Applications Conference, pages 126-135. ACM, 2014.
12. S. Haris, G. M. W. Al-Saadoon, A. P. D. R. Ahmad, and M. Ghani. Anomaly detection of IP header threats. CSC International Journal of Computer Science and Security, 4(6):497, 2011.
13. S. A. Hofmeyr, S. Forrest, and A. Somayaji. Intrusion detection using sequences of system calls. Journal of computer security, 6(3):151-180, 1998.
14. ISO 9506-1:2003. Industrial automation systems - Manufacturing Message Specification-Part 1: Service definition, 2003.
15. M.-S. Kim, H.-J. Kong, S.-C. Hong, S.-H. Chung, and J. W. Hong. A ow-based method for abnormal network traffic detection. In Network Operations and Management Symposium, 2004. NOMS 2004. IEEE/IFIP, volume 1, pages 599-612. IEEE, 2004.
16. T. Krueger, H. Gascon, N. Krämer, and K. Rieck. Learning stateful models for network honeypots. In Proceedings of the 5th ACM workshop on Security and artificial intelligence, pages 37-48. ACM, 2012.
17. T. Lane, C. E. Brodley, et al. Sequence matching and learning in anomaly detection for computer security. In AAAI Workshop: AI Approaches to Fraud Detection and Risk Management, pages 43-49, 1997.
18. M. V. Mahoney and P. K. Chan. PHAD: Packet header anomaly detection for identifying hostile network traffic. 2001.
19. G. Mao, J. Zhang, and X. Wu. Intrusion detection based on the short sequence model. In 7th IEEE World Congress on Intelligent Control and Automation, pages 1449-1454, 2008.
20. Modbus, IDA. Modbus application protocol specification v1.1a. North Grafton, Massachusetts (www.modbus.org/specs.php ), 2004.
21. W. Scheirer and M. C. Chuah. Network intrusion detection with semantics-aware capability. In Parallel and Distributed Processing Symposium, 2006. IPDPS 2006. 20th International, pages 7-pp. IEEE, 2006.
22. R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and S. Zhou. Specification-based anomaly detection: a new approach for detecting network intrusions. In 9th ACM conference on Computer and communications security, pages 265-274, 2002.
23. K. Stouffer, J. Falco, and K. Scarfone. Guide to industrial control systems (ICS) security. NIST Special Publication, 800(82):16-16, 2008.
24. United States President's Commission on Critical Infrastructure Protection and Marsh, Robert T. Critical Foundations: Protecting America's Infrastructures: the Report. The Commission, 1997.
25. K. Wang and S. J. Stolfo. Anomalous payload-based network intrusion detection. In Recent Advances in Intrusion Detection, pages 203-222. Springer, 2004.
26. C. Warrender, S. Forrest, and B. Pearlmutter. Detecting intrusions using system calls: Alternative data models. In IEEE Symposium on Security and Privacy, pages 133-145, 1999.
27. M.-K. Yoon and G. F. Ciocarlie. Communication pattern monitoring: Improving the utility of anomaly detection for industrial control systems. 2014.