
SCADA Intrusion Detection Based on Modelling of Allowed Communication Patterns

  • Conference paper
New Results in Dependability and Computer Systems

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 224))

Abstract

This work presents a network intrusion detection system (NIDS) for SCADA developed as an extension to Snort NIDS, a popular open-source solution targeted at intrusion detection in the Internet. The concept of anomaly-based intrusion detection and its applicability to the specific situation of industrial network traffic is discussed. The idea of modelling allowed communication patterns for the Modbus RTU protocol is explained, and the system concept, which uses n-gram analysis of packet contents, statistical analysis of selected packet features and a Bayesian network as the data fusion component, is presented. The implementation details are outlined, including the concept of building the system as a preprocessor for the Snort NIDS. The chapter concludes with the results of tests conducted in a simulated environment.
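The abstract describes the core idea without showing it, so the following is an added illustration, not code from the chapter or from Snort: a toy "allowed communication pattern" model for Modbus RTU frames. It learns, from a constructed set of benign master requests, which (unit address, function code) pairs occur and which byte n-grams appear in frame contents, then scores new frames by CRC validity, pair membership and the fraction of unseen n-grams. The training frames, the bigram size, the 0.5 novelty threshold and the simple rule that fuses the three signals are all assumptions made for this example; the chapter's Bayesian-network fusion is not reproduced here.

```python
"""Added example: modelling allowed Modbus RTU request patterns.

Frame layout on the wire: [unit][function code][data ...][CRC16 lo][CRC16 hi].
Everything below (sample frames, threshold, fusion rule) is a constructed
assumption for illustration, not the chapter's implementation.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple


def crc16_modbus(data: bytes) -> int:
    """Modbus RTU CRC-16 (reflected polynomial 0xA001, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, fc: int, payload: bytes) -> bytes:
    """Assemble a valid RTU frame; CRC is transmitted low byte first."""
    body = bytes([unit, fc]) + payload
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def ngrams(body: bytes, n: int) -> Iterable[bytes]:
    """Yield every contiguous n-byte slice of the frame body (CRC excluded)."""
    for i in range(len(body) - n + 1):
        yield body[i:i + n]


class PatternModel:
    """Learns allowed (unit, function) pairs and a byte n-gram profile."""

    def __init__(self, n: int = 2, threshold: float = 0.5):
        self.n = n
        self.threshold = threshold          # assumed novelty cut-off
        self.allowed_pairs: Set[Tuple[int, int]] = set()
        self.seen: Counter = Counter()      # n-gram -> count in training data

    def train(self, frames: Iterable[bytes]) -> None:
        for frame in frames:
            body = frame[:-2]
            self.allowed_pairs.add((body[0], body[1]))
            self.seen.update(ngrams(body, self.n))

    def score(self, frame: bytes) -> Dict[str, object]:
        """Return the individual signals and the fused alert decision."""
        body, crc_lo, crc_hi = frame[:-2], frame[-2], frame[-1]
        crc_ok = crc16_modbus(body) == (crc_lo | (crc_hi << 8))
        pair_ok = (body[0], body[1]) in self.allowed_pairs
        grams = list(ngrams(body, self.n))
        unseen = sum(1 for g in grams if g not in self.seen)
        novelty = unseen / len(grams) if grams else 1.0
        # Fusion rule (assumption): any single failing signal raises an alert.
        alert = (not crc_ok) or (not pair_ok) or novelty > self.threshold
        return {"crc_ok": crc_ok, "pair_ok": pair_ok,
                "novelty": novelty, "alert": alert}


# Constructed benign traffic: a master polling holding registers (FC 3) on
# unit 1 in blocks of ten, and reading coils (FC 1) on unit 2.
TRAINING_FRAMES: List[bytes] = [
    build_frame(1, 3, b"\x00\x00\x00\x0a"),
    build_frame(1, 3, b"\x00\x0a\x00\x0a"),
    build_frame(1, 3, b"\x00\x14\x00\x0a"),
    build_frame(2, 1, b"\x00\x00\x00\x08"),
]


def trained_model() -> PatternModel:
    model = PatternModel(n=2, threshold=0.5)
    model.train(TRAINING_FRAMES)
    return model


if __name__ == "__main__":
    model = trained_model()
    cases = {
        "routine read":     build_frame(1, 3, b"\x00\x00\x00\x0a"),
        "unexpected write": build_frame(1, 6, b"\x00\x01\x00\x2a"),
        "odd read range":   build_frame(1, 3, b"\xff\xff\x00\x7d"),
    }
    for name, frame in cases.items():
        print(f"{name:18s} {frame.hex()} -> {model.score(frame)}")
```

The "unexpected write" case is flagged because (unit 1, FC 6) never appeared in training, and the "odd read range" case because four of its five bigrams are new, even though its unit/function pair is allowed; the two signals complement each other in the way the abstract describes for pattern and content analysis.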




Corresponding author: Wojciech Tylman.


Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Tylman, W. (2013). SCADA Intrusion Detection Based on Modelling of Allowed Communication Patterns. In: Zamojski, W., Mazurkiewicz, J., Sugier, J., Walkowiak, T., Kacprzyk, J. (eds) New Results in Dependability and Computer Systems. Advances in Intelligent Systems and Computing, vol 224. Springer, Heidelberg. https://doi.org/10.1007/978-3-319-00945-2_45
