WiP: Distributed Intrusion Detection System for TCP/IP-Based Connections in Industrial Environments Using Self-organizing Maps

  • Conference paper
  • Applied Cryptography and Network Security Workshops (ACNS 2021)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12809)

Abstract

Digitization of industry brings improvements to modern production, because processes can be influenced, monitored and coordinated. A digitized facility needs communication between distributed nodes, e.g. to react to events or to provide information for adjusting the production process. However, communication processes can be misused by attackers: security holes in the various information systems can be found and exploited by third parties. Growing data exchange therefore demands growing security of communication. Modern intrusion detection systems (IDS) often do not fulfill the requirements of industrial systems, because they neglect safety aspects, are not failure resistant, or interrupt the data flow. The aim of this paper is to propose improvements regarding all of these issues. An online intrusion detection system architecture for industrial Ethernet is investigated on an industrial line testbed. The requirements for intrusion detection in an industrial environment are analyzed, and a hardware architecture for online intrusion detection on Ethernet-based connections using a passive sniffer approach is proposed; the data is processed in place on a microcontroller. For the developed platform, an intrusion detection algorithm based on the self-organizing map (SOM) was implemented. The model is trained in a semi-supervised way on vectors of normal traffic only. A prototype of the proposed architecture is evaluated on an industrial line testbed (cyber-physical factory) using TCP/IP/Ethernet header analysis. The proposed IDS, which is based on two microcontrollers, monitors an Ethernet 100BASE-TX link and was able to detect TCP port scans, remote denial-of-service exploits and ARP cache poisoning targeting the programmable logic controller in the testbed. The proposed architecture can be used for online intrusion detection subject to speed restrictions.
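
The abstract describes the detection path only in outline: header fields of passively sniffed Ethernet/IP/TCP frames become feature vectors, a self-organizing map (SOM) is trained on normal traffic alone, and frames that land far from every prototype are reported. The block below is an added, pure-Python example written for this page; it is not the authors' code, and the page does not give their feature set, map size or threshold rule, so those are assumptions here (nine header-derived features, a 6x6 map, an alert when the quantization error exceeds the worst value seen on normal training data times 1.5). The Modbus/TCP-style sessions and the SYN-scan probes are constructed sample input. It reproduces only the port-scan case; how the paper's prototype recognized remote denial-of-service exploits and ARP cache poisoning is not stated on the page, so those are not modelled.

```python
"""Header-feature SOM anomaly detector for a passive Ethernet sniffer (added example)."""
import math
import random

def _port(p):
    # log2 scaling keeps well-known, registered and ephemeral port ranges apart;
    # linearly scaled, 22/65535 and 502/65535 would be indistinguishable.
    return math.log2(p + 1) / 16.0

def features(pkt):
    """Map one parsed frame (a dict of header fields) to a vector in [0, 1]^9 (assumed feature set)."""
    is_tcp = pkt.get("ip_proto") == 6
    flags = pkt.get("tcp_flags", 0)
    return [
        1.0 if pkt["ethertype"] == 0x0806 else 0.0,   # ARP frame
        1.0 if is_tcp else 0.0,                        # TCP segment
        _port(pkt["dst_port"]) if is_tcp else 0.0,
        _port(pkt["src_port"]) if is_tcp else 0.0,
        float(bool(flags & 0x02)),                     # SYN
        float(bool(flags & 0x10)),                     # ACK
        float(bool(flags & 0x08)),                     # PSH
        pkt.get("tcp_hdr_len", 0) / 60.0,              # TCP data offset in bytes (20..60)
        min(pkt["frame_len"], 1518) / 1518.0,          # Ethernet frame length
    ]

class SOM:
    def __init__(self, grid=6, n_feat=9, seed=1):   # 6x6 = 36 prototypes (assumed size)
        self.rng = random.Random(seed)
        self.grid = grid
        self.w = [[self.rng.random() for _ in range(n_feat)] for _ in range(grid * grid)]
        self.threshold = None

    def bmu(self, v):
        """Best matching unit index and its distance to v (the quantization error)."""
        d = [math.sqrt(sum((a - b) ** 2 for a, b in zip(v, w))) for w in self.w]
        i = min(range(len(d)), key=d.__getitem__)
        return i, d[i]

    def train(self, vectors, iters=5000, lr0=0.5, lr1=0.02, sigma0=3.0, sigma1=0.3, margin=1.5):
        """Online Kohonen training on normal vectors only (no attack samples), then set the
        alert threshold to the worst quantization error on that data times a safety margin."""
        for t in range(iters):
            frac = t / iters
            lr = lr0 * (lr1 / lr0) ** frac              # learning rate decays 0.5 -> 0.02
            sigma = sigma0 * (sigma1 / sigma0) ** frac  # neighbourhood radius decays 3 -> 0.3
            v = self.rng.choice(vectors)
            bx, by = divmod(self.bmu(v)[0], self.grid)
            for i, w in enumerate(self.w):
                x, y = divmod(i, self.grid)
                h = lr * math.exp(-((x - bx) ** 2 + (y - by) ** 2) / (2 * sigma * sigma))
                if h > 1e-4:
                    for k in range(len(w)):
                        w[k] += h * (v[k] - w[k])
        self.threshold = margin * max(self.bmu(u)[1] for u in vectors)
        return self.threshold

def tcp_frame(sport, dport, flags, hdr_len, frame_len):
    return {"ethertype": 0x0800, "ip_proto": 6, "src_port": sport, "dst_port": dport,
            "tcp_flags": flags, "tcp_hdr_len": hdr_len, "frame_len": frame_len}

def normal_session(rng, n_data=4):
    """Constructed Modbus/TCP-style exchange HMI -> PLC:502, preceded by one ARP frame."""
    e = rng.randrange(49152, 65536)                   # HMI ephemeral source port
    pkts = [
        {"ethertype": 0x0806, "frame_len": 60},       # ARP, padded to the minimum frame size
        tcp_frame(e, 502, 0x02, 40, 74),              # SYN with the usual option set
        tcp_frame(502, e, 0x12, 40, 74),              # SYN/ACK
        tcp_frame(e, 502, 0x10, 32, 66),              # ACK (timestamps option only)
    ]
    for _ in range(n_data):
        pkts.append(tcp_frame(e, 502, 0x18, 32, 78))                          # 12-byte request ADU
        pkts.append(tcp_frame(502, e, 0x18, 32, 66 + rng.randrange(11, 26)))  # variable-size response
    return pkts

def normal_traffic(seed, sessions):
    rng = random.Random(seed)
    return [p for _ in range(sessions) for p in normal_session(rng)]

def syn_scan(ports, src_port=40000):
    """Constructed scanner probes: bare SYN, MSS option only (24-byte header), fixed source port."""
    return [tcp_frame(src_port, p, 0x02, 24, 58) for p in ports]

def build_detector(seed=1, sessions=40):
    som = SOM(seed=seed)
    som.train([features(p) for p in normal_traffic(seed, sessions)])
    return som

def detect(som, pkts):
    """Per frame: (quantization error, alert flag); alert when the error exceeds the threshold."""
    qe = [som.bmu(features(p))[1] for p in pkts]
    return qe, [q > som.threshold for q in qe]

if __name__ == "__main__":
    som = build_detector()
    _, fp = detect(som, normal_traffic(99, 10))                      # held-out normal sessions
    qe, hits = detect(som, syn_scan([21, 22, 23, 25, 53, 80, 110, 143]))
    _, mimic = detect(som, [tcp_frame(56000, 502, 0x02, 40, 74)])    # client-like SYN to the real service
    print(f"threshold={som.threshold:.3f} false alerts={sum(fp)}/{len(fp)} "
          f"scan probes flagged={sum(hits)}/{len(hits)} mimic flagged={mimic[0]}")
```

Running the block trains on 40 constructed sessions, then scores 10 held-out sessions (no alerts expected), eight scan probes against well-known ports (all flagged: the bare SYN with a 24-byte header and an unusual destination port lands roughly 0.3 or more from the nearest handshake prototype, while normal frames sit within a few hundredths) and one probe that mimics a real client SYN to port 502, which is not flagged. That last case is the caveat a header-only detector carries: a scan restricted to the PLC's real service port looks like a legitimate connection attempt frame by frame and needs rate or sequence context to be caught. At detection time the per-frame cost is one best-matching-unit search over 36 prototypes, which is what makes in-place scoring on a microcontroller plausible; the training loop is assumed to run offline.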

Author information

Correspondence to Aleksei Kharitonov.

Ethics declarations

Author Contributions

A.K. conceived the project, performed the laboratory work and experiments, designed and implemented the software, contributed to the hardware design, and wrote the manuscript (estimated contribution: 80%). A.Z. supervised the laboratory work and the project, and developed and implemented the hardware platform (estimated contribution: 20%).

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Kharitonov, A., Zimmermann, A. (2021). WiP: Distributed Intrusion Detection System for TCP/IP-Based Connections in Industrial Environments Using Self-organizing Maps. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2021. Lecture Notes in Computer Science, vol 12809. Springer, Cham. https://doi.org/10.1007/978-3-030-81645-2_14

  • DOI: https://doi.org/10.1007/978-3-030-81645-2_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81644-5

  • Online ISBN: 978-3-030-81645-2

  • eBook Packages: Computer Science, Computer Science (R0)
