Abstract
This work presents a network intrusion detection system (NIDS) for SCADA, developed as an extension to Snort, a popular open-source NIDS designed for intrusion detection in IP networks. The concept of anomaly-based intrusion detection and its applicability to the specific situation of industrial network traffic is discussed. The idea of modelling allowed communication patterns for the Modbus RTU protocol is explained, and the system concept is presented: n-gram analysis of packet contents, statistical analysis of selected packet features, and a Bayesian network as the data fusion component. The implementation details are outlined, including the decision to build the system as a preprocessor for the Snort NIDS. The chapter concludes with the results of tests conducted in a simulated environment.
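As an added illustration of the three ingredients named above (a whitelist of allowed address/function pairs, byte n-gram analysis of the data field, and probabilistic fusion of the indicators), here is a self-contained Python sketch. It is not the chapter's code and not a Snort preprocessor: the Modbus RTU frames are constructed for the example, only master requests are modelled, the fusion is a naive-Bayes stand-in for the chapter's Bayesian network, and the likelihood tables, prior and thresholds are assumed values chosen for illustration.

```python
# Added example (not from the chapter): whitelist + byte n-gram + naive-Bayes
# fusion over Modbus RTU master requests. All frames below are constructed.
import math


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(addr: int, func: int, data: bytes) -> bytes:
    """Serialise an RTU frame: address, function code, data, CRC low byte first."""
    body = bytes([addr, func]) + data
    crc = modbus_crc16(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_frame(frame: bytes):
    """Split an RTU frame and verify its CRC; returns (addr, func, data)."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, crc = frame[:-2], frame[-2:]
    expected = modbus_crc16(body)
    if crc != bytes([expected & 0xFF, expected >> 8]):
        raise ValueError("CRC mismatch")
    return body[0], body[1], body[2:]


def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def ngrams(data: bytes, n: int):
    return [data[i:i + n] for i in range(len(data) - n + 1)]


class ModbusAnomalyDetector:
    """Learns the allowed (address, function) pairs, the byte n-grams and the
    data-field lengths of clean traffic, then fuses three indicators."""

    # Assumed (P(indicator fires | attack), P(indicator fires | normal)).
    # A naive-Bayes stand-in for the chapter's Bayesian-network fusion.
    LIKELIHOOD = {"pattern": (0.9, 0.001), "ngram": (0.8, 0.02), "length": (0.7, 0.02)}
    PRIOR_ATTACK = 0.05  # assumed prior

    def __init__(self, n: int = 2):
        self.n = n
        self.grams = {}    # (addr, func) -> set of n-grams seen in the data field
        self.lengths = {}  # (addr, func) -> list of data-field lengths seen

    def train(self, frame: bytes) -> None:
        addr, func, data = parse_frame(frame)
        key = (addr, func)
        self.grams.setdefault(key, set()).update(ngrams(data, self.n))
        self.lengths.setdefault(key, []).append(len(data))

    def evidence(self, frame: bytes) -> dict:
        """Per-feature indicators; True means the feature looks anomalous."""
        addr, func, data = parse_frame(frame)
        key = (addr, func)
        if key not in self.grams:  # pair never seen in training: everything fires
            return {"pattern": True, "ngram": True, "length": True}
        grams = ngrams(data, self.n)
        novel = sum(g not in self.grams[key] for g in grams) / max(len(grams), 1)
        lens = self.lengths[key]
        mean = sum(lens) / len(lens)
        std = math.sqrt(sum((x - mean) ** 2 for x in lens) / len(lens)) or 1.0
        return {"pattern": False,
                "ngram": novel > 0.2,                       # >20% unseen n-grams
                "length": abs(len(data) - mean) / std > 3.0}  # 3-sigma length outlier

    def posterior(self, frame: bytes) -> float:
        """P(attack | indicators) under the assumed likelihoods above."""
        p_att, p_norm = self.PRIOR_ATTACK, 1.0 - self.PRIOR_ATTACK
        for name, fired in self.evidence(frame).items():
            la, ln = self.LIKELIHOOD[name]
            p_att *= la if fired else 1.0 - la
            p_norm *= ln if fired else 1.0 - ln
        return p_att / (p_att + p_norm)


def classify(det: ModbusAnomalyDetector, frame: bytes, threshold: float = 0.5) -> str:
    return "alert" if det.posterior(frame) >= threshold else "allow"


# Constructed "clean" master requests: register reads of slaves 1 and 2, writes to slave 1.
CLEAN = [build_frame(1, 0x03, bytes.fromhex("0000000a")),
         build_frame(1, 0x03, bytes.fromhex("000a000a")),
         build_frame(1, 0x03, bytes.fromhex("0014000a")),
         build_frame(1, 0x06, bytes.fromhex("00100001")),
         build_frame(1, 0x06, bytes.fromhex("00100000")),
         build_frame(2, 0x03, bytes.fromhex("00000004"))]
NORMAL = build_frame(1, 0x03, bytes.fromhex("0000000a"))                 # identical to training
UNSEEN_FUNC = build_frame(1, 0x10, bytes.fromhex("0000000102ffff"))      # write multiple, never seen
FUZZED_WRITE = build_frame(1, 0x06, bytes.fromhex("0010ffffffffffffffff"))  # malformed, oversized
OVERSIZE_READ = build_frame(1, 0x03, bytes.fromhex("000007d0"))          # 2000 registers requested
BAD_CRC = NORMAL[:-1] + bytes([NORMAL[-1] ^ 0x01])                       # one CRC bit flipped

if __name__ == "__main__":
    det = ModbusAnomalyDetector()
    for f in CLEAN:
        det.train(f)
    for name, f in [("normal", NORMAL), ("unseen_func", UNSEEN_FUNC),
                    ("fuzzed_write", FUZZED_WRITE), ("oversize_read", OVERSIZE_READ)]:
        print(f"{name:14s} {f.hex()}  p={det.posterior(f):.4f}  {classify(det, f)}")
    print("bad_crc passes CRC check:", frame_is_valid(BAD_CRC))
```

Running the script trains on the clean frames and scores four probes. The never-seen function code and the fuzzed write (two indicators firing together) cross the 0.5 threshold; the identical read stays near zero. The oversize read is instructive: only the n-gram indicator fires, and with the assumed tables a single indicator is not enough to alert. That is the trade-off fusion makes to tolerate n-gram noise, and it is why a protocol-aware check (the Modbus specification limits one holding-register read to 125 registers) belongs alongside the statistical features rather than instead of them. The CRC-corrupted frame is rejected before any scoring, which is the right place to drop it.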
© 2013 Springer International Publishing Switzerland
Cite this paper
Tylman, W. (2013). SCADA Intrusion Detection Based on Modelling of Allowed Communication Patterns. In: Zamojski, W., Mazurkiewicz, J., Sugier, J., Walkowiak, T., Kacprzyk, J. (eds) New Results in Dependability and Computer Systems. Advances in Intelligent Systems and Computing, vol 224. Springer, Heidelberg. https://doi.org/10.1007/978-3-319-00945-2_45
DOI: https://doi.org/10.1007/978-3-319-00945-2_45
Publisher Name: Springer, Heidelberg
Print ISBN: 978-3-319-00944-5
Online ISBN: 978-3-319-00945-2
eBook Packages: Chemistry and Materials Science (R0)