Abstract
Digitization of industry brings improvements to modern production, because processes can be influenced, monitored and coordinated. A digitized facility needs communication between distributed nodes, e.g. to react to events or to provide information for adjusting the production process. Communication, however, can be misused by attackers: security holes in information systems can be found by third parties and exploited. Growing data exchange therefore demands growing communication security. Modern intrusion detection systems (IDS) often do not fulfill the requirements of industrial systems, because they neglect safety aspects, are not failure resistant, or interrupt the data flow. The aim of this paper is to propose improvements regarding all of these issues. An online intrusion detection architecture for industrial Ethernet is investigated on an industrial line testbed. The requirements for intrusion detection in an industrial environment are analyzed, and a hardware architecture for online intrusion detection on Ethernet-based connections using a passive sniffer approach is proposed. The data is processed in place on a microcontroller. For the developed platform, an intrusion detection algorithm based on a self-organizing map was implemented; the model is trained with normal vectors in a semi-supervised way. A prototype of the proposed architecture is evaluated on an industrial line testbed (a cyber-physical factory) using TCP/IP/Ethernet header analysis. The proposed IDS, which is based on two microcontrollers, monitors an Ethernet 100-BaseTX cable and was able to detect TCP port scans, remote denial-of-service exploits and ARP cache poisoning that targeted the programmable logic controller in the industrial testbed. The proposed architecture can be used for online intrusion detection under speed restrictions.
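An added Python example, not code from the paper, of the semi-supervised self-organizing-map approach the abstract describes: a small Kohonen map is fitted only to constructed normal TCP/IP header feature vectors (destination port, TCP flags, IP length and inter-arrival time are assumed features, the paper does not list its own), a quantization-error threshold is derived from that normal data alone, and frames whose headers lie far from every learned prototype are flagged.

```python
import math
import random

# Feature vector per TCP/IP packet: (dst port, TCP flag bits, IP total length, inter-arrival ms),
# each divided by a fixed scale so that it lies in [0, 1] and no field dominates the distance.
SCALES = (65535.0, 63.0, 1500.0, 1000.0)

def normalize(raw):
    return [v / s for v, s in zip(raw, SCALES)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class SOM:
    def __init__(self, rows, cols, data, seed=0):
        rng = random.Random(seed)
        self.rows, self.cols, self.threshold = rows, cols, None
        # Initialise every unit from a random normal sample instead of uniformly at random
        self.w = [[list(rng.choice(data)) for _ in range(cols)] for _ in range(rows)]
    def bmu(self, x):  # best matching unit: grid position of the closest codebook vector
        return min(((r, c) for r in range(self.rows) for c in range(self.cols)),
                   key=lambda rc: dist(self.w[rc[0]][rc[1]], x))
    def quantization_error(self, x):
        r, c = self.bmu(x)
        return dist(self.w[r][c], x)
    def train(self, data, epochs=50, lr0=0.5, margin=1.5):
        sigma0 = max(self.rows, self.cols) / 2.0
        for e in range(epochs):
            lr = lr0 * (1 - e / epochs)              # learning rate decays towards 0
            sigma = sigma0 * (1 - e / epochs) + 0.1  # neighbourhood shrinks to about one unit
            for x in data:
                br, bc = self.bmu(x)
                for r in range(self.rows):
                    for c in range(self.cols):
                        h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * sigma ** 2))
                        self.w[r][c] = [w + lr * h * (xi - w) for w, xi in zip(self.w[r][c], x)]
        # Semi-supervised threshold: worst quantization error seen on normal data, times a margin
        self.threshold = margin * max(self.quantization_error(x) for x in data)
    def is_anomaly(self, raw):
        return self.quantization_error(normalize(raw)) > self.threshold

def build_detector(seed=0):
    """Fit the map to constructed Modbus/TCP-style traffic: port 502, ACK or PSH+ACK, short frames."""
    rng = random.Random(seed)
    normal = [normalize((502, rng.choice((16, 24)), rng.randint(60, 120), rng.randint(50, 200)))
              for _ in range(40)]
    som = SOM(4, 4, normal, seed)
    som.train(normal)
    return som
```

A SYN to an unexpected port arriving 1 ms after the previous frame, or a burst of SYNs to port 502, falls outside the learned profile, whereas an in-profile PSH+ACK frame does not.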
Author Contributions
A.K. conceived the project, performed the laboratory work and experiments, designed and implemented the software, also worked on the hardware design, and wrote the manuscript. Estimated percentage of contribution is 80%. A.Z. supervised the laboratory work and project, developed and implemented the hardware platform. Estimated percentage of contribution is 20%.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Kharitonov, A., Zimmermann, A. (2021). WiP: Distributed Intrusion Detection System for TCP/IP-Based Connections in Industrial Environments Using Self-organizing Maps. In: Zhou, J., et al. (eds.) Applied Cryptography and Network Security Workshops. ACNS 2021. Lecture Notes in Computer Science, vol. 12809. Springer, Cham. https://doi.org/10.1007/978-3-030-81645-2_14
DOI: https://doi.org/10.1007/978-3-030-81645-2_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81644-5
Online ISBN: 978-3-030-81645-2