Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systems

International Journal of Critical Infrastructure Protection

Volumn 10, Issue , 2015, Pages 59-70

  Erez, Noam ^a   Wool, Avishai ^a  

^a TEL AVIV UNIVERSITY   (Israel)

Author keywords

Anomaly Detection; Modbus TCP Protocol; SCADA Systems; Security

Indexed keywords

SCADA SYSTEMS;

ANOMALY DETECTION SYSTEMS; AUTOMATIC CLASSIFIERS; CLASSIFICATION RATES; CONSTANT REGISTERS; CONTROL VARIABLE; FALSE ALARM RATE; MODBUS/TCP; SECURITY;

ANOMALY DETECTION;

EID: 84939271847     PISSN: 18745482     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.ijcip.2015.05.001     Document Type: Article

References (34)

1. C. Alcaraz, L. Cazorla, G. Fernandez, Context-awareness using anomaly-based detectors for smart grid domains, Proceedings of the Ninth International Conference on Risks and Security of the Internet and Systems, 2014.
2. Anderson T., Darling D. A test of goodness of fit. Journal of the American Statistical Association 1954, vol. 49(268):765-769.
3. T. Batu, L. Fortnow, R. Rubinfeld, W. Smith, P. White, Testing that distributions are close, Proceedings of the Forty-First Annual Symposium on the Foundations of Computer Science, pp. 259-269, 2000.
4. L. Briesemeister, S. Cheung, U. Lindqvist and A. Valdes, Detection, correlation and visualization of attacks against critical infrastructure systems, Proceedings of the Eighth International Conference on Privacy, Security and Trust, pp. 17-19, 2010.
5. E. Byres, M. Franz and D. Miller, The use of attack trees in assessing vulnerabilities in SCADA systems, Proceedings of the International Infrastructure Survivability Workshop, 2004.
6. Chen T. Stuxnet, the real start of cyber warfare?. IEEE Network 2010, vol. 24(6):2-3.
7. S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, A. Valdes, Using model-based intrusion detection for SCADA networks, Proceedings of the SCADA Security Scientific Symposium, pp. 127-134, 2007.
8. Cox D., Miller H. The Theory of Stochastic Processes 1977, CRC Press, Boca Raton, Florida.
9. J. Diaz, Using Snort for Intrusion Detection in Modbus TCP/IP Communications, InfoSec Reading Room, SANS Institute, Bethesda, Maryland (), 2011. http://www.sans.org/reading-room/whitepapers/detection/%20snort-intrusion-detection-modbus-tcp-ip-communications-33844.
10. Digital Bond, Modbus TCP rules, Sunrise, Florida . http://www.digitalbond.com/tools/quickdraw/modbus-tcp-rules.
11. Gardner E. Exponential smoothing: The state of the art. Journal of Forecasting 1985, vol. 4(1):1-28.
12. P. Geurts, Pattern extraction for time series classification, Proceedings of the Fifth European Conference on Principles and Practices of Knowledge Discovery in Databases, pp. 115-127, 2001.
13. P. Geurts and L. Wehenkel, Segment and combine approach for nonparametric time-series classification, Proceedings of the Ninth European Conference on Principles and Practice of Knowledge Discovery in Databases, pp. 478-485, 2005.
14. Goldenberg N., Wool A. Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems. International Journal of Critical Infrastructure Protection 2013, vol. 6(2):63-75.
15. Goldreich O., Ron D. On testing expansion in bounded-degree graphs, in Studies in Complexity and Cryptography: Miscellanea on the Interplay between Randomness and Computation 2011, 68-75. Springer-Verlag, Berlin Heidelberg, Germany. O. Goldreich (Ed.).
16. D. Hadiosmanovic, D. Bolzoni, P. Hartel and S. Etalle, Melissa: Towards automated detection of undesirable user actions in critical infrastructures, Proceedings of the Seventh European Conference on Computer Network Defense, pp. 41-48, 2011.
17. Hoel P. On indices of dispersion. The Annals of Mathematical Statistics 1943, vol. 14(2):155-162.
18. Kleinmann A., Wool A. Accurate modeling of the Siemens S7 SCADA protocol for intrusion detection and digital forensics. Journal of Digital Forensics, Security and Law 2014, vol. 9(2):37-50.
19. Langner R. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security and Privacy 2011, vol. 9(3):49-51.
20. Lilliefors H. On the Kolmogorov-Smirnov test for normality with mean and variance unknown. Journal of the American Statistical Association 1967, vol. 62(318):399-402.
21. Massey F. The Kolmogorov-Smirnov test for goodness of fit. Journal of the American Statistical Association 1951, vol. 46(253):68-78.
22. Mukherjee B., Heberlein L., Levitt K. Network intrusion detection. IEEE Network 1994, vol. 8(3):26-41.
23. I. Nai Fovino, A. Carcano, T. De Lacheze Murel, A. Trombetta and M. Masera, Modbus/DNP3 state-based intrusion detection system, Proceedings of the Twenty-Fourth IEEE International Conference on Advanced Information Networking and Applications, pp. 729-736, 2010.
24. The State of the Art in Intrusion Prevention and Detection 2014, CRC Press, Boca Raton, Florida. A. Pathan (Ed.).
25. Pearson K. On the criterion that a given system of deviations from the probable in the case of a correlated system of variables is such that it can be reasonably supposed to have arisen from random sampling. The London, Edinburgh, and Dublin Philosophical Magazine and Journal of Science 1900, vol. 50(302):157-175.
26. Perry J., Mead R. On the power of the index of dispersion test to detect spatial patterns. Biometrics 1979, vol. 35(3):613-622.
27. M. Roesch, Snort - Lightweight intrusion detection for networks, Proceedings of the Thirteenth USENIX Conference on System Administration, pp. 226-238, 1999.
28. Shapiro S., Wilk M. An analysis of variance test for normality (complete samples). Biometrika 1965, vol. 52(3-4):591-611.
29. R. Sommer and V. Paxson, Outside the closed world: On using machine learning for network intrusion detection, Proceedings of the IEEE Symposium on Security and Privacy, pp. 305-316, 2010.
30. SRI International, Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD), Menlo Park, California (). http://www.csl.sri.com/projects/emerald.
31. A. Valdes and S. Cheung, Communication pattern anomaly detection in process control systems, Proceedings of the IEEE Conference on Technologies for Homeland Security, pp. 22-29, 2009.
32. A. Valdes and S. Cheung, Intrusion monitoring in process control systems, Proceedings of the Forty-Second Hawaii International Conference on System Sciences, 2009.
33. D. Yang, A. Usynin and J. Hines, Anomaly-based intrusion detection for SCADA systems, Proceedings of the Fifth International Topical Meeting on Nuclear Plant Instrumentation, Control and Human Machine Interface Technologies, pp. 12-16, 2006.
34. Ye N., Zhang Y., Borror C. Robustness of the Markov-chain model for cyber-attack detection. IEEE Transactions on Reliability 2004, vol. 53(1):116-123.