SwePub

LIBRIS Format Handbook (information about MARC21)

Field  Ind  Metadata
000         05255nam a2200397 4500
001         oai:DiVA.org:liu-165155
003         SwePub
008         200417s2020 | |||||||||||000 ||eng|
020         $a 9789179298364 $q print
024         $a https://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-165155 $2 URI
024         $a https://doi.org/10.3384/lic.diva-165155 $2 DOI
040         $a (SwePub)liu
041         $a eng $b eng
042         $9 SwePub
072    7    $a vet $2 swepub-contenttype
072    7    $a lic $2 swepub-publicationtype
100         $a Lin, Chih-Yuan, $d 1987- $u Linköpings universitet, Programvara och system, Tekniska fakulteten, RTSLAB - Real-Time Systems Laboratory $4 aut $0 (Swepub:liu)chili83
245   1 0   $a A timing approach to network-based anomaly detection for SCADA systems
264     1   $a Linköping : $b Linköping University Electronic Press, $c 2020
300         $a 32 s.
338         $a electronic $2 rdacarrier
520         $a Supervisory Control and Data Acquisition (SCADA) systems control and monitor critical infrastructure in society, such as electricity transmission and distribution systems. Modern SCADA systems are increasingly adopting open architectures, protocols, and standards and being connected to the Internet to enable remote control. A boost in sophisticated attacks against SCADA systems makes SCADA security a pressing issue. An Intrusion Detection System (IDS) is a security countermeasure that monitors a network and tracks unauthenticated activities inside the network. Most commercial IDSs used in general IT systems are signature-based, by which an IDS compares the system behaviors with known attack patterns. Unfortunately, recent attacks against SCADA systems exploit zero-day vulnerabilities in SCADA devices which are undetectable by signature-based IDSs.
            This thesis aims to enhance SCADA system monitoring by anomaly detection that models normal behaviors and finds deviations from the model. With anomaly detection, it is possible to detect zero-day attacks. We focus on modeling the timing attributes of SCADA traffic for two reasons: (1) the timing regularity fits the automation nature of SCADA systems, and (2) the timing information (i.e., arrival time) of a packet is captured and sent by a network driver where an IDS is located. Hence, it is less prone to intentional manipulation by an attacker, compared to the payload of a packet.
            This thesis first categorises SCADA traffic into two groups, request-response and spontaneous traffic, and studies data collected in three different protocol formats (Modbus, Siemens S7, and IEC-60870-5-104). The request-response traffic is generated by a polling mechanism. For this type of traffic, we model the inter-arrival times for each command and response pair with a statistical approach. Results presented in this thesis show that request-response traffic exists in several SCADA traffic sets collected from systems with different sizes and settings. The proposed statistical approach for request-response traffic can detect attacks having subtle changes in timing, such as a single packet insertion and TCP prediction, for two of the three SCADA protocols studied.
            The spontaneous traffic is generated by remote terminal units when they see significant changes in measurement values. For this type of traffic, we first use a pattern mining approach to find the timing characteristics of the data. Then, we model the suggested attributes with machine learning approaches and run them on traffic collected in a real power facility. We test our anomaly detection model with two types of attacks. One causes persistent anomalies and the other only causes intermittent ones. Our anomaly detector exhibits a 100% detection rate with at most 0.5% false positive rate for the attacks with persistent anomalies. For the attacks with intermittent anomalies, we find our approach effective when (1) the anomalies last for a longer period (over 1 hour), or (2) the original traffic has relatively low volume.
650     7   $a TEKNIK OCH TEKNOLOGIER $x Elektroteknik och elektronik $x Datorsystem $0 (SwePub)20206 $2 hsv//swe
650     7   $a ENGINEERING AND TECHNOLOGY $x Electrical Engineering, Electronic Engineering, Information Engineering $x Computer Systems $0 (SwePub)20206 $2 hsv//eng
653         $a SCADA security
653         $a anomaly detection
700         $a Nadjm-Tehrani, Simin, $c Professor, $d 1958- $u Linköpings universitet, Programvara och system, Tekniska fakulteten $4 ths $0 (Swepub:liu)simna73
700         $a Asplund, Mikael, $c Senior Lecturer, $d 1981- $u Linköpings universitet, Programvara och system, Tekniska fakulteten $4 ths $0 (Swepub:liu)mikas34
700         $a Mathur, Aditya P, $c Professor $u Purdue University and Singapore University of Technology and Design, Singapore $4 opn
710         $a Linköpings universitet $b Programvara och system $4 org
856         $u https://doi.org/10.3384/lic.diva-165155 $y Fulltext
856         $u https://liu.diva-portal.org/smash/get/diva2:1424481/FULLTEXT01.pdf $x primary $x Raw object $y fulltext
856         $u https://liu.diva-portal.org/smash/get/diva2:1424481/PREVIEW01.png $x Preview $y preview image
856         $u http://liu.diva-portal.org/smash/get/diva2:1424481/FULLTEXT01
856   4 8   $u https://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-165155
856   4 8   $u https://doi.org/10.3384/lic.diva-165155
