ABSTRACT
The Modbus/TCP protocol is commonly used in industrial control systems for communication between the human-machine interface and the industrial controllers. This paper proposes a real-time intrusion detection method based on bidirectional access of the Modbus/TCP protocol. The method does not require the key observation that Modbus/TCP traffic to and from a master or slave device is periodic. It can detect an anomaly in time after checking only two packets, and even when an intruder replaces a legal function code with another legal one in a packet sent from the master device to the slave device, the method can still detect it. The test results show that the presented method has the traits of timeliness, a low false positive rate and a low false negative rate.
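The following is an added illustration, not code from the paper, of the general idea the abstract describes: inspecting both directions of a Modbus/TCP exchange and pairing each master-to-slave request with the slave-to-master response that carries the same transaction and unit identifiers, so that a verdict is available after two packets. The MBAP header layout (transaction id, protocol id, length, unit id) and the exception-response convention (function code with bit 0x80 set) come from the Modbus/TCP specification; the per-unit function-code allow-list and the sample frames are constructed assumptions for the example and are not taken from the paper.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed allow-list (assumption): function codes this master may send to each unit id.
# Unit 1 is read-only here: 0x03 Read Holding Registers, 0x04 Read Input Registers.
ALLOWED_FC: Dict[int, Set[int]] = {1: {0x03, 0x04}}


@dataclass
class Adu:
    """One Modbus/TCP application data unit: 7-byte MBAP header plus PDU."""
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_adu(raw: bytes) -> Optional[Adu]:
    """Parse an ADU; return None if the header is short, the protocol id is not 0,
    or the MBAP length field does not match the bytes actually present."""
    if len(raw) < 8:
        return None
    tid, pid, length, uid = struct.unpack("!HHHB", raw[:7])
    # The length field counts the unit id byte plus the PDU bytes.
    if pid != 0 or length != len(raw) - 6:
        return None
    return Adu(tid, pid, length, uid, raw[7], raw[8:])


class BidirectionalChecker:
    """Pairs requests with responses by (unit id, transaction id) and reports anomalies."""

    def __init__(self, allowed_fc: Dict[int, Set[int]]) -> None:
        self.allowed_fc = allowed_fc
        self.pending: Dict[Tuple[int, int], Adu] = {}

    def check_request(self, raw: bytes) -> List[str]:
        """Master -> slave packet: verify the function code is permitted for that unit."""
        adu = parse_adu(raw)
        if adu is None:
            return ["malformed request"]
        alerts = []
        if adu.function_code not in self.allowed_fc.get(adu.unit_id, set()):
            alerts.append(f"fc 0x{adu.function_code:02x} not permitted for unit {adu.unit_id}")
        self.pending[(adu.unit_id, adu.transaction_id)] = adu
        return alerts

    def check_response(self, raw: bytes) -> List[str]:
        """Slave -> master packet: it must answer a pending request with the same
        function code; an exception response (fc | 0x80) is reported as well."""
        adu = parse_adu(raw)
        if adu is None:
            return ["malformed response"]
        req = self.pending.pop((adu.unit_id, adu.transaction_id), None)
        if req is None:
            return [f"unsolicited response tid={adu.transaction_id}"]
        alerts = []
        if adu.function_code & 0x7F != req.function_code:
            alerts.append(f"function code mismatch: request 0x{req.function_code:02x}, "
                          f"response 0x{adu.function_code:02x}")
        if adu.function_code & 0x80:
            exc = adu.data[0] if adu.data else None
            alerts.append(f"exception response, code {exc}")
        return alerts


# Constructed sample frames (assumption), all for unit id 1.
REQ_READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 0002")   # tid 1, fc 0x03, 2 regs
RESP_READ_HOLDING = bytes.fromhex("0001 0000 0007 01 03 04 000a 000b")  # tid 1, fc 0x03, 4 bytes
REQ_TID2 = bytes.fromhex("0002 0000 0006 01 03 0000 0002")
RESP_TID2_WRONG_FC = bytes.fromhex("0002 0000 0007 01 04 04 000a 000b")  # answers 0x03 with 0x04
REQ_TID3 = bytes.fromhex("0003 0000 0006 01 03 0000 0002")
RESP_TID3_EXCEPTION = bytes.fromhex("0003 0000 0003 01 83 02")           # exception code 2
REQ_WRITE_SINGLE = bytes.fromhex("0004 0000 0006 01 06 0000 000a")       # fc 0x06, not allowed


if __name__ == "__main__":
    checker = BidirectionalChecker(ALLOWED_FC)
    for direction, frame in [("req", REQ_READ_HOLDING), ("resp", RESP_READ_HOLDING),
                             ("req", REQ_TID2), ("resp", RESP_TID2_WRONG_FC),
                             ("req", REQ_TID3), ("resp", RESP_TID3_EXCEPTION),
                             ("req", REQ_WRITE_SINGLE)]:
        fn = checker.check_request if direction == "req" else checker.check_response
        print(direction, frame.hex(), fn(frame) or "ok")
```

The checker keeps only one outstanding request per (unit id, transaction id), which is how a well-behaved master issues them; a response that arrives with no matching request, or that carries a different function code than the request it answers, is flagged on the second packet of the exchange without any assumption about traffic periodicity.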