Industrial Control System Network Intrusion Detection by Telemetry Analysis

IEEE Transactions on Dependable and Secure Computing

Volumn 13, Issue 2, 2016, Pages 252-260

  Ponomarev, Stanislav ^a   Atkison, Travis ^b  

^a Bogard Hall M116A   (United States)

^b LOUISIANA TECH UNIVERSITY   (United States)

Author keywords

Control systems; Intrusion detection; Networked control systems; Nonlinear network analysis; Telemetry

Indexed keywords

CONTROL SYSTEM ANALYSIS; CONTROL SYSTEMS; ENGINEERS; INTELLIGENT CONTROL; INTRUSION DETECTION; NETWORKED CONTROL SYSTEMS; NONLINEAR NETWORK ANALYSIS; TELEMETERING; TELEMETERING EQUIPMENT;

AIR-GAPS; INDUSTRIAL CONTROL SYSTEMS; NETWORK INTRUSION DETECTION; SECURITY ENVIRONMENTS; SECURITY FEATURES; SECURITY MEASURE; TRANSMISSION PROTOCOLS; VARIOUS ATTACKS;

NETWORK SECURITY;

EID: 84963984264     PISSN: 15455971     EISSN: 19410018     Source Type: Journal    
DOI: 10.1109/TDSC.2015.2443793     Document Type: Article

References (40)

1. CSSP and DHS, "Recommended practice: Improving industrial control systems cybersecurity with defense-in-depth strategies," US-CERT Defense In Depth, 2009.
2. J. Gao, J. Liu, B. Rajan, R. Nori, B. Fu, Y. Xiao, W. Liang, C. Philip Chen, "SCADA communication and security issues," Security Commun. Netw., vol. 7, no. 1, pp. 175-194, 2014.
3. L. T. Heberlein and M. Bishop, "Attack class: Address spoofing," in Proc. 19th Nat. Inf. Syst. Security Conf., 1996, pp. 371-377.
4. S. Ponomarev, N. Wallace, T. Atkison, "Detection of SSH host spoofing in control systems through network telemetry analysis," in Proc. Cyber Inf. Security Res. Conf., 2014, pp. 1-12.
5. N. Falliere, L. O. Murchu, E. Chien, "W32. stuxnet dossier," White Paper, Symantec Corp., Security Response, 2011.
6. B. Schneier, "The story behind the stuxnet virus," Forbes. com, 2010.
7. A. Matrosov, E. Rodionov, D. Harley, J. Malcho, "Stuxnet under the microscope," ESET LLC, Sep. 2010.
8. N. Wallace, S. Ponomarev, T. Atkison, "A dimensional transformation scheme for power grid cyber event detection," in Proc. Cyber Inf. Security Res. Conf., 2014, pp. 1-12.
9. A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. N. Fovino, A. Trombetta, "A multidimensional critical state analysis for detecting intrusions in SCADA systems," IEEE Trans. Ind. Informat., vol. 7, no. 2, pp. 179-186, May 2011.
10. S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, A. Valdes, "Using Model-based intrusion detection for SCADA networks," in Proc. SCADA Security Sci. Symp., 2007, pp. 1-12.
11. M. Long, C.-H. J. Wu, J. Y. Hung, "Denial of service attacks on network-based control systems: Impact and mitigation," IEEE Trans. Ind. Informat., vol. 1, no. 2, pp. 85-96, May 2005.
12. G. C. Goodwin, S. F. Graebe, M. E. Salgado, Control System Design, vol. 240. Englewood Cliffs, NJ, USA: Prentice-Hall, 2001.
13. K. Stouffer, J. Falco, K. Scarfone, "Guide to industrial control systems (ICS) security," NIST Special Publication, pp. 800-82, 2011.
14. S. Oh, H. Chung, S. Lee, K. Lee, "Advanced protocol to prevent Man-in-the-middle attack in SCADA system," vol. 8, p. 1, 2014.
15. N. Sayegh, I. H. Elhajj, A. Kayssi, A. Chehab, "Scada intrusion detection system based on temporal behavior of frequent patterns," in Proc. 17th IEEE Mediterranean Electrotechnical Conf., 2014, pp. 432-438.
16. B. Zhu, A. Joseph, S. Sastry, "A taxonomy of cyber attacks on SCADA systems," in Proc. Int. Conf. Internet Things 4th Int. Conf. Cyber, Phys. Social Comput., 2011, pp. 380-388.
17. D. Beresford, "Exploiting siemens simatic s7 plcs," Black Hat USA, 2011.
18. F. Guo and T.-c. Chiueh, "Sequence Number-based MAC address spoof detection," in Proc. 8th Int. Conf. Recent Adv. Intrusion Detection, 2006, pp. 309-329.
19. A. Belenky and N. Ansari, "IP traceback with deterministic packet marking," IEEE Commun. Lett., vol. 7, no. 4, pp. 162-164, Apr. 2003.
20. Y. Sheng, K. Tan, G. Chen, D. Kotz, A. Campbell, "Detecting 802.11 MAC layer spoofing using received signal strength," in Proc. IEEE 27th Conf. Comput. Commun., 2008, pp. 1768-1776.
21. M. Bellare, T. Kohno, C. Namprempre, "Authenticated encryption in SSH: Provably fixing the SSH binary packet protocol," in Proc. 9th ACM Conf. Comput. Commun. Security, 2002, pp. 1-11.
22. K. Apostol, Brute-Force Attack. SaluPress, 2012.
23. Y. Zhang, F. Monrose, M. K. Reiter, "The security of modern password expiration: An algorithmic framework and empirical analysis," in Proc. 17th ACM Conf. Comput. Commun. Security, 2010, pp. 176-186.
24. V. Chandola, A. Banerjee, V. Kumar, "Anomaly detection: A survey," ACM Comput. Surveys, vol. 41, no. 3, p. 15, 2009.
25. D. Apiletti, E. Baralis, T. Cerquitelli, V. DElia, "Characterizing network traffic by means of the NetMine framework," Comput. Netw., vol. 53, no. 6, pp. 774-789, 2009.
26. J. Erman, M. Arlitt, A. Mahanti, "Traffic classification using clustering algorithms," in Proc. SIGCOMM Workshop Mining Netw. Data, 2006, pp. 281-286.
27. A. Orebaugh, G. Ramirez, J. Beale, Wireshark & Ethereal Network Protocol Analyzer Toolkit. Syngress, 2006.
28. N. Goldenberg and A. Wool, "Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems," Int. J. Critical Infrastructure Protection, vol. 6, no. 2, pp. 63-75, 2013.
29. N. Wallace and T. Atkison, "Observing industrial control system attacks launched via metasploit framework," in Proc. 51st ACM Southeast Conf., 2013, pp. 22:1-22:4.
30. L. Rist, J. Vestergaard, D. Haslinger, J. Smith. Conpot ICS/SCADA honeypot. Honeynet Project. [Online]. Available: conpot. org, 2015.
31. G. James, D. Witten, T. Hastie, R. Tibshirani, An Introduction to Statistical Learning. New York, NY, USA: Springer, 2013.
32. D. D. Lewis, "Naive (Bayes) at forty: The independence assumption in information retrieval," in Proc. 10th Eur. Conf. Mach. Learning, 1998, pp. 4-15.
33. A. McCallum, K. Nigam et al.,"A comparison of event models for naive Bayes text classification," in Proc. AAAI-98 Workshop Learning Text Categorization, 1998, vol. 752, pp. 41-48.
34. D. W. Hosmer, S. Lemeshow, R. X. Sturdivant, Introduction to the Logistic Regression Model. New York, NY, USA: Wiley Online Library, 2000.
35. C. L. Devasena, T. Sumathi, V. Gomathi, M. Hemalatha, "Effectiveness evaluation of rule based classifiers for the classification of iris data set," Bonfring Int. J. Man Mach. Interface, vol. 1, no. Inaugural Special Issue, pp. 05-09, 2011.
36. I. H. Witten, E. Frank, L. E. Trigg, M. A. Hall, G. Holmes, S. J. Cunningham, "Weka: Practical machine learning tools and techniques with java implementations," 1999.
37. J. R. Quinlan, C4. 5: Programs for Machine Learning, vol. 1. San Mateo, CA, USA: Morgan Kaufmann, 1993.
38. N. Cardwell, S. Savage, T. Anderson, "Modeling TCP latency," in Proc. 19th Annu. Joint Conf. IEEE Comput. Commun. Soc., 2000, vol. 3, pp. 1742-1751.
39. F. Hisch, "Performance evaluation of TCP flows," Network, vol. 79, pp. 79-88, 2014.
40. L. M. Garcia, "Programming with libpcap-sniffing the network from our own application," Hakin9-Comput. Security Mag., vol. 9, pp. 2-2008, 2008.