
Detecting Process-Aware Attacks in Sequential Control Systems

Conference paper in Secure IT Systems (NordSec 2016), Lecture Notes in Computer Science, volume 10014.

Abstract

Industrial control systems (ICS) can be subject to highly sophisticated attacks which may lead the process towards critical states. Due to the particular context of ICS, protection mechanisms are not always practical, nor sufficient. On the other hand, developing a process-aware intrusion detection solution with satisfactory alert characterization remains an open problem. This paper focuses on process-aware attack detection in sequential control systems. We build on results from runtime verification and specification mining to automatically infer and monitor process specifications. Such specifications are represented by sets of temporal safety properties over states and events corresponding to sensors and actuators. The properties are then synthesized as monitors which report violations on execution traces. We develop an efficient specification mining algorithm and use filtering rules to handle the large number of mined properties. Furthermore, we introduce the notion of activity and discuss its relevance to both specification mining and attack detection in the context of sequential control systems. The proposed approach is evaluated in a hardware-in-the-loop setting subject to targeted process-aware attacks. Overall, due to the explicit handling of process variables, the solution provides a better characterization of the alerts and a more meaningful understanding of false positives.
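As an added illustration of the pipeline the abstract describes (temporal safety properties mined from normal traces, reduced by a filtering rule, then synthesized into a monitor that reports violations together with the process variables involved), the Python below is not the paper's code. The tank-filling event names, the traces, the precedence pattern and the transitivity filtering rule are all assumptions constructed for this example.

```python
# Added example, not the paper's implementation: mine precedence properties from
# constructed "normal" sensor/actuator traces, filter redundant ones, and run the
# survivors as a monitor over a constructed attack trace.
from itertools import permutations

# Constructed traces of one tank-filling cycle (events = sensor/actuator changes).
CYCLE = ["pump_on", "level_high", "pump_off", "valve_open", "level_low", "valve_close"]
NORMAL_TRACES = [CYCLE, CYCLE * 2]
# Constructed attack trace: the drain valve is opened while the tank is still filling.
ATTACK_TRACE = ["pump_on", "valve_open", "level_high", "pump_off", "level_low", "valve_close"]

def holds_precedence(trace, a, b):
    """Safety property 'b never occurs before a' (LTL: not b W a) on one finite trace."""
    seen_a = False
    for ev in trace:
        if ev == a:
            seen_a = True
        elif ev == b and not seen_a:
            return False
    return True

def mine_precedence(traces):
    """Keep every (a, b) pair whose precedence property holds on all normal traces."""
    events = sorted({ev for t in traces for ev in t})
    return {(a, b) for a, b in permutations(events, 2)
            if all(holds_precedence(t, a, b) for t in traces)}

def filter_transitive(props):
    """Filtering rule (assumed): drop (a, b) when some c yields (a, c) and (c, b)."""
    events = {x for p in props for x in p}
    return {(a, b) for a, b in props
            if not any((a, c) in props and (c, b) in props for c in events - {a, b})}

def monitor(trace, props):
    """Synthesized monitor: each alert names the step, the event and the missing precondition."""
    seen, alerts = set(), []
    for i, ev in enumerate(trace):
        for a, b in props:
            if ev == b and a not in seen:
                alerts.append({"step": i, "event": ev, "expected_before": a})
        seen.add(ev)
    return alerts

if __name__ == "__main__":
    spec = filter_transitive(mine_precedence(NORMAL_TRACES))
    print(sorted(spec))                  # the 5 consecutive-step precedence properties
    print(monitor(ATTACK_TRACE, spec))   # one alert at step 1: valve_open before pump_off
```

The alert carries the process variables involved (which event fired and which one was expected first), which is the kind of characterization the abstract contrasts with opaque anomaly scores.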

Author information

Correspondence to Oualid Koucham.

Copyright information

© 2016 Springer International Publishing AG

Cite this paper

Koucham, O., Mocanu, S., Hiet, G., Thiriet, JM., Majorczyk, F. (2016). Detecting Process-Aware Attacks in Sequential Control Systems. In: Brumley, B., Röning, J. (eds) Secure IT Systems. NordSec 2016. Lecture Notes in Computer Science(), vol 10014. Springer, Cham. https://doi.org/10.1007/978-3-319-47560-8_2

  • DOI: https://doi.org/10.1007/978-3-319-47560-8_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47559-2

  • Online ISBN: 978-3-319-47560-8

  • eBook Packages: Computer Science (R0)
