Abstract
SCADA traffic between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed SCADA streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA, and a high false-alarm rate. In this paper we introduce a new modeling approach that addresses this gap. Our Statechart DFA modeling includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs. We evaluated our solution on traces from a production SCADA system using the Siemens S7-0x72 protocol. We also stress-tested our solution on a collection of synthetically-generated traces. In all but the most extreme scenarios the Statechart model drastically reduced both the false-alarm rate and the learned model size in comparison with the naive single-DFA model.
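The Statechart model described above, as an added toy illustration that is not the paper's implementation: each sub-channel gets its own cyclic DFA, and a DFA-selector routes every incoming symbol to the DFA of its channel. It assumes messages are already abstracted to symbols (constructed strings such as "A:r1") and that the selector learns symbol-to-channel membership from per-channel training traces; both are assumptions of this example.

```python
"""Toy Statechart-DFA anomaly detector for multiplexed SCADA streams (added
example, not the paper's code). Messages are pre-abstracted to symbols such as
"A:r1" (constructed); the DFA-selector maps a symbol to its sub-channel by
membership learned from per-channel training traces, an assumption made here."""

class CycleDFA:
    """One DFA per cyclic pattern: state i expects pattern[i] as the next symbol."""
    def __init__(self, pattern):
        self.pattern, self.pos = list(pattern), 0

    def step(self, sym):
        """Return True if sym is the expected symbol; otherwise resync and alarm."""
        if sym == self.pattern[self.pos]:
            self.pos = (self.pos + 1) % len(self.pattern)
            return True
        if sym in self.pattern:            # known but out of order: resync on it
            self.pos = (self.pattern.index(sym) + 1) % len(self.pattern)
        return False

def learn_cycle(trace):
    """Learn the shortest period p such that the training trace repeats every p symbols."""
    for p in range(1, len(trace) + 1):
        if all(trace[i] == trace[i % p] for i in range(len(trace))):
            return trace[:p]

class Statechart:
    """DFA-selector plus one CycleDFA per sub-channel."""
    def __init__(self, channel_traces):
        self.dfas = {c: CycleDFA(learn_cycle(t)) for c, t in channel_traces.items()}
        self.selector = {s: c for c, t in channel_traces.items() for s in t}

    def step(self, sym):
        chan = self.selector.get(sym)
        return False if chan is None else self.dfas[chan].step(sym)  # unknown symbol: alarm

def count_alarms(model, trace):
    return sum(0 if model.step(s) else 1 for s in trace)

def demo():
    """Constructed traces: channel A cycles three reads, channel B cycles two."""
    A, B = ["A:r1", "A:r2", "A:r3"], ["B:r1", "B:r2"]
    mux_train = [A[0], B[0], A[1], B[1], A[2]] * 2   # the one interleaving seen in training
    mux_shift = [B[0], A[0], A[1], B[1], A[2], B[0], B[1], A[0], A[1], A[2]]  # rescheduled
    attack = [A[0], B[0], A[2], B[1], A[0], B[0]]    # channel A skips A:r2
    naive = CycleDFA(learn_cycle(mux_train))
    return {
        "naive_false_alarms": count_alarms(naive, mux_shift),
        "statechart_false_alarms": count_alarms(Statechart({"A": A * 2, "B": B * 2}), mux_shift),
        "statechart_attack_alarms": count_alarms(Statechart({"A": A * 2, "B": B * 2}), attack),
    }
```

On the rescheduled interleaving the single DFA learned from the multiplexed trace raises alarms on most messages, while the Statechart raises none and still flags the skipped read in channel A.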
Keywords
- Anomaly Detection
- Intrusion Detection System
- Programmable Logic Controller
- Human Machine Interface
- Deterministic Finite Automaton
This work was supported in part by a grant from the Israeli Ministry of Science and Technology.
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Kleinmann, A., Wool, A. (2016). A Statechart-Based Anomaly Detection Model for Multi-Threaded SCADA Systems. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2015. Lecture Notes in Computer Science(), vol 9578. Springer, Cham. https://doi.org/10.1007/978-3-319-33331-1_11
DOI: https://doi.org/10.1007/978-3-319-33331-1_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-33330-4
Online ISBN: 978-3-319-33331-1