Specification mining for intrusion detection in networked control systems

Proceedings of the 25th USENIX Security Symposium

Volumn , Issue , 2016, Pages 791-806

  Caselli, Marco ^a   Zambon, Emmanuele ^a   Amann, Johanna ^b   Sommer, Robin ^b   Kargl, Frank ^c  

^a UNIVERSITY OF TWENTE   (Netherlands)

^b LAWRENCE BERKELEY NATIONAL LABORATORY   (United States)

^c UNIVERSITY OF ULM   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

AUTOMATION; INTELLIGENT BUILDINGS; INTRUSION DETECTION; MAN MACHINE SYSTEMS; SPECIFICATIONS;

BUILDING AUTOMATION SYSTEMS; COMPREHENSIVE DOCUMENTATION; INTRUSION DETECTION SYSTEMS; LAWRENCE BERKELEY NATIONAL LABORATORY; MISCONFIGURATIONS; NETWORK TRAFFIC; SPECIFICATION MINING; UNIVERSITY OF TWENTE;

NETWORKED CONTROL SYSTEMS;

EID: 85029448151     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (65)

1. ANSI/ASHRAE STANDARD 135-2012. A data communication protocol for building automation and control networks, 2012.
2. BACNET INTEREST GROUP EUROPE. Engineering data exchange template for BACnet systems - “description of the EDE data fields”, 2007.
3. BALEPIN, I., MALTSEV, S., ROWE, J., AND LEVITT, K. N. Using specification-based intrusion detection for automated response. In Recent Advances in Intrusion Detection, 6th International Symposium, RAID 2003, Pittsburgh, PA, USA, September 8-10, Proceedings (2003), pp. 136–154.
4. BERTHIER, R., AND SANDERS, W. H. Specification-based intrusion detection for advanced metering infrastructures. In 17th IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2011, Pasadena, CA, USA, December 12-14 (2011), pp. 184–193.
5. CASELLI, M., HADŽIOSMANOVIĆ, D., ZAMBON, E., AND KARGL, F. On the feasibility of device fingerprinting in industrial control systems. In Critical Information Infrastructures Security - 8th International Workshop, CRITIS 2013, Amsterdam, The Netherlands, September 16-18, Revised Selected Papers (2013), pp. 155–166.
6. ČELEDA, P., KREJČÍ, R., AND KRMÍČEK, V. Flow-based security issue detection in building automation and control networks. In Information and Communication Technologies - 18th EUNICE/ IFIP WG 6.2, 6.6 International Conference, EUNICE 2012, Budapest, Hungary, August 29-31, Proceedings (2012), pp. 64–75.
7. CHAUGULE, A., XU, Z., AND ZHU, S. A specification based intrusion detection framework for mobile phones. In Applied Cryptography and Network Security - 9th International Conference, ACNS 2011, Nerja, Spain, June 7-10, Proceedings (2011), pp. 19–37.
8. CHEUNG, S., DUTERTRE, B., FONG, M., LINDQVIST, U., SKINNER, K., AND VALDES, A. Using model-based intrusion detection for SCADA networks. In Proceedings of the SCADA Security Scientific Symposium, Miami Beach, Florida, USA, 7 December (2007), pp. 1–12.
9. DENNING, D. E. An intrusion-detection model. In Proceedings of the 1986 IEEE Symposium on Security and Privacy, Oakland, California, USA, April 7-9 (1986), pp. 118–133.
10. DIST-1815-WG. IEEE standard for electric power systems communications-distributed network protocol (DNP3), 2012. https://standards.ieee.org/findstds/standard/1815-2012.html.
11. ECHELON CORPORATION. LonTalk protocol specification v3.0, 1994. http://www.enerlon.com/JobAids/Lontalk%20Protocol%20Spec.pdf.
12. EQUIPMENT, IEC TELECONTROL. Systems—part 5-104: Transmission protocols - network access for IEC 60870-5-101 using standard transport profiles.
13. FORREST, S., HOFMEYR, S. A., SOMAYAJI, A., AND LONGSTAFF, T. A. A sense of self for Unix processes. In IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 6-8 (1996), pp. 120–128.
14. FOVINO, I. N., CARCANO, A., MUREL, T. D. L., TROMBETTA, A., AND MASERA, M. Modbus/DNP3 state-based intrusion detection system. In 24th IEEE International Conference on Advanced Information Networking and Applications, AINA 2010, Perth, Australia, April 20-13 (2010), pp. 729–736.
15. GILDEA, D., AND JURAFSKY, D. Automatic labeling of semantic roles. Computational Linguistics 28, 3 (2002), 245–288.
16. GILL, R., SMITH, J., AND CLARK, A. J. Specification-based intrusion detection in WLANs. In 22nd Annual Computer Security Applications Conference (ACSAC 2006), Miami Beach, Florida, USA, 11-15 December (2006), pp. 141–152.
17. GRANZER, W., KASTNER, W., NEUGSCHWANDTNER, G., AND PRAUS, F. Security in networked building automation systems. Tech. rep., 2005.
18. GRANZER, W., PRAUS, F., AND KASTNER, W. Security in building automation systems. IEEE Trans. Industrial Electronics 57, 11 (2010), 3622–3630.
19. GRÖNKVIST, J., HANSSON, A., AND SKÖLD, M. Evaluation of a specification-based intrusion detection system for AODV. In The Sixth Annual Mediterranean Ad Hoc Networking Workshop (2007), pp. 121–128.
20. GUPTA, R. A., AND CHOW, M. Networked control system: Overview and research trends. IEEE Trans. Industrial Electronics 57, 7 (2010), 2527–2535.
21. HADELI, H., SCHIERHOLZ, R., BRAENDLE, M., AND TUDUCE, C. Leveraging determinism in industrial control systems for advanced anomaly detection and reliable security configuration. In Proceedings of 12th IEEE International Conference on Emerging Technologies and Factory Automation, ETFA 2009, Palma de Mallorca, Spain, September 22-25 (2009), pp. 1–8.
22. HADŽIOSMANOVIĆ, D., BOLZONI, D., ETALLE, S., AND HARTEL, P. H. Challenges and opportunities in securing industrial control systems. In Complexity in Engineering, COMPENG 2012, Aachen, Germany, June 11-13 (2012), pp. 1–6.
23. HASSAN, H. M., MAHMOUD, M., AND EL-KASSAS, S. Securing the AODV protocol using specification-based intrusion detection. In Q2SWinet’06 - Proceedings of the Second ACM Workshop on Q2S and Security for Wireless and Mobile Networks, Terromolinos, Spain, October 2 (2006), pp. 33–36.
24. HOLMBERG, D. G., AND EVANS, D. BACnet Wide Area Network Security Threat Assessment. US Department of Commerce, National Institute of Standards and Technology NIST, 2003.
25. ISO. Industrial automation systems – manufacturing message specification – part 2: Protocol specification, 2003.
26. JIEKE, P., REDOL, J., AND CORREIA, M. Specification-based intrusion detection system for carrier ethernet. In WEBIST 2007 - Proceedings of the Third International Conference on Web Information Systems and Technologies, Volume IT, Barcelona, Spain, March 3-6 (2007), pp. 426–429.
27. JOKAR, P., NICANFAR, H., AND LEUNG, V. C. M. Specification-based intrusion detection for home area networks in smart grids. In IEEE Second International Conference on Smart Grid Communications, SmartGridComm 2011, Brussels, Belgium, October 17-20 (2011), pp. 208–213.
28. KASTNER, W., NEUGSCHWANDTNER, G., SOUCEK, S., AND NEWMAN, M. H. Communication systems for building automation and control. Proceedings of the IEEE 93, 6 (2005), 1178–1203.
29. KAUR, J., TONEJC, J., WENDZEL, S., AND MEIER, M. Securing BACnet’s pitfalls. In ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany, May 26-28, Proceedings (2015), pp. 616–629.
30. KIM, K., AND KUMAR, P. R. The importance, design and implementation of a middleware for networked control systems. Springer Lecture Notes in Control and Information Sciences 406, 1 (2010), 1–29.
31. KLEBERGER, P., OLOVSSON, T., AND JONSSON, E. Security aspects of the in-vehicle network in the connected car. In IEEE Intelligent Vehicles Symposium (IV), 2011, Baden-Baden, Germany, June 5-9 (2011), pp. 528–533.
32. KNX ASSOCIATION. KNX Standard, 2011. https://www.knx.org.
33. KO, C., BRUTCH, P., ROWE, J., TSAFNAT, G., AND LEVITT, K. N. System health and intrusion monitoring using a hierarchy of constraints. In Recent Advances in Intrusion Detection, 4th International Symposium, RAID 2001 Davis, CA, USA, October 10-12, Proceedings (2001), pp. 190–204.
34. KO, C., FINK, G., AND LEVITT, K. N. Automated detection of vulnerabilities in privileged programs by execution monitoring. In 10th Annual Computer Security Applications Conference, ACSAC 1994, Orlando, FL, USA, 5-9 December (1994), pp. 134–144.
35. KO, C., RUSCHITZKA, M., AND LEVITT, K. N. Execution monitoring of security-critical programs in distributed systems: A specification-based approach. In IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 4-7 (1997), pp. 175–187.
36. LARSON, U. E., NILSSON, D. K., AND JONSSON, E. An approach to specification-based attack detection for in-vehicle networks. In IEEE Intelligent Vehicles Symposium (IV), 2008, Eindhoven, the Netherlands, June 4-6 (2008), pp. 220–225.
37. LIN, H., SLAGELL, A. J., MARTINO, C. D., KALBARCZYK, Z., AND IYER, R. K. Adapting Bro into SCADA: Building a specification-based intrusion detection system for the DNP3 protocol. In Cyber Security and Information Intelligence, CSIIRW ’13, Oak Ridge, TN, USA, January 8-10 (2013), p. 5.
38. LYON, G. F. Nmap network scanning: The official Nmap project guide to network discovery and security scanning. Insecure, 2009. https://nmap.org/.
39. MANYIKA, J., CHUI, M., BUGHIN, J., DOBBS, R., BISSON, P., AND MARRS, A. Disruptive technologies: Advances that will transform life, business, and the global economy. Tech. rep., 2013.
40. MATHERLY, J. C. SHODAN: the computer search engine, Jun 2016. http://www.shodanhq.com/.
41. MODBUS-IDA. Modbus application protocol specification v1.1b3, 2012. http://www.modbus.org.
42. NATIONAL JOINT APPRENTICESHIP & TECHNICAL COMMITTEE. Building Automation: Control Devices and Applications. American Technical Publishers, Inc., 2008.
43. NEWMAN, M. BACnet: The Global Standard for Building Automation and Control Networks. Momentum Press, 2013.
44. ORSET, J., ALCALDE, B., AND CAVALLI, A. R. An EFSMbased intrusion detection system for ad hoc networks. In Automated Technology for Verification and Analysis, Third International Symposium, ATVA 2005, Taipei, Taiwan, October 4-7, Proceedings (2005), pp. 400–413.
45. PAN, Z., HARIRI, S., AND AL-NASHIF, Y. B. Anomaly based intrusion detection for building automation and control networks. In 11th IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2014, Doha, Qatar, November 10-13 (2014), pp. 72–77.
46. PAXSON, V. Bro: A system for detecting network intruders in real-time. In Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, USA, January 26-29 (1998).
47. PEACOCK, M. D., AND JOHNSTONE, M. N. An analysis of security issues in building automation systems.
48. PETRONI, N. L., FRASER, T., WALTERS, A., AND ARBAUGH, W. A. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In Proceedings of the 15th USENIX Security Symposium, Vancouver, BC, Canada, July 31 - August 4 (2006).
49. SALSBURY, T. I. The smart building. In Springer Handbook of Automation. Springer, 2009, pp. 1079–1093.
50. SANEIFAR, H., BONNIOL, S., LAURENT, A., PONCELET, P., AND ROCHE, M. Terminology extraction from log files. In Database and Expert Systems Applications, 20th International Conference, DEXA 2009, Linz, Austria, August 31 - September 4, Proceedings (2009), pp. 769–776.
51. SANNER, M. F. Python: a programming language for software integration and development. J Mol Graph Model 17, 1 (1999), 57–61. https://www.python.org/.
52. SEKAR, R., CAI, Y., AND SEGAL, M. A specification-based approach for building survivable systems. In Proceedings of the National Information Systems Security Conference (NISSC’98) (1998), pp. 338–347.
53. SEKAR, R., GUPTA, A. K., FRULLO, J., SHANBHAG, T., TIWARI, A., YANG, H., AND ZHOU, S. Specification-based anomaly detection: A new approach for detecting network intrusions. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, November 18-22 (2002), pp. 265–274.
54. SEKAR, R., AND UPPULURI, P. Synthesizing fast intrusion prevention/detection systems from high-level specifications. In Proceedings of the 8th USENIX Security Symposium, Washington, D.C., August 23-26 (1999).
55. SOMMER, R., AMANN, J., AND HALL, S. Spicy: A unified deep packet inspection framework dissecting all your data. Tech. rep., ICSI, 2015. TR-15-004.
56. SONG, T., KO, C., TSENG, C. H., BALASUBRAMANYAM, P., CHAUDHARY, A., AND LEVITT, K. N. Formal reasoning about a specification-based intrusion detection for dynamic auto-configuration protocols in ad hoc networks. In Formal Aspects in Security and Trust, Third International Workshop, FAST 2005, Newcastle upon Tyne, UK, July 18-19, Revised Selected Papers (2005), pp. 16–33.
57. STRZALKOWSKI, T. Natural language information retrieval. Inf. Process. Manage. 31, 3 (1995), 397–417.
58. SZLÓSARCZYK, S., WENDZEL, S., KAUR, J., MEIER, M., AND SCHUBERT, F. Towards suppressing attacks on and improving resilience of building automation systems - an approach exemplified using BACnet. In Sicherheit 2014: Sicherheit, Schutz und Zuverlässigkeit, Beiträge der 7. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 19.-21. März 2014, Wien, Österreich (2014), pp. 407–418.
59. TRUONG, P., NIEH, D., AND MOH, M. Specification-based intrusion detection for H.323-based voice over IP. In Proceedings of the Fifth IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2005), Athens, Greece, December 18-21 (2005), pp. 387–392.
60. TSENG, C., BALASUBRAMANYAM, P., KO, C., LIMPRASITTIPORN, R., ROWE, J., AND LEVITT, K. N. A specification-based intrusion detection system for AODV. In Proceedings of the 1st ACM Workshop on Security of ad hoc and Sensor Networks, SASN 2003, Fairfax, Virginia, USA (2003), pp. 125–134.
61. TSENG, C. H., SONG, T., BALASUBRAMANYAM, P., KO, C., AND LEVITT, K. N. A specification-based intrusion detection model for OLSR. In Recent Advances in Intrusion Detection, 8th International Symposium, RAID 2005, Seattle, WA, USA, September 7-9, Revised Papers (2005), pp. 330–350.
62. UPPULURI, P., AND SEKAR, R. Experiences with specification-based intrusion detection. In Recent Advances in Intrusion Detection, 4th International Symposium, RAID 2001 Davis, CA, USA, October 10-12, Proceedings (2001), pp. 172–189.
63. WENDZEL, S., KAHLER, B., AND RIST, T. Covert channels and their prevention in building automation protocols: A prototype exemplified using BACnet. In 2012 IEEE International Conference on Green Computing and Communications, Conference on Internet of Things, and Conference on Cyber, Physical and Social Computing, GreenCom/iThings/CPSCom 2012, Besancon, France, November 20-23 (2012), pp. 731–736.
64. ZALEWSKI, M. P0f: Passive OS fingerprinting tool, 2006. lcamtuf.coredump.cx/p0f3/.
65. ZHANG, P. Industrial Control Technology: A Handbook for Engineers and Researchers. William Andrew Inc., 2008.