ABSTRACT
Supervisory Control and Data Acquisition (SCADA) systems were designed on the assumption that they would run within a closed environment. Security has typically been considered only for issues that arise during system deployment, and there are no well-established methods for assessing the threats that are considered. Recent technological and economic trends have moved SCADA systems from serial communication networks to networks based on TCP/IP, which exposes legacy SCADA systems to security threats they were not designed to defend against. This work examines the viability of machine learning techniques for detecting security threats specific to SCADA systems and the Modbus protocol. Machine learning-based anomaly detection algorithms were used to detect malicious traffic in a generated dataset of Remote Terminal Unit (RTU) communications using the Modbus protocol. The algorithms implemented are Support Vector Machines, decision trees, k-nearest neighbors, and k-means clustering. While all of the algorithms performed well overall, Support Vector Machines, decision trees, and k-nearest neighbors had the best performance on individual attack types; k-means clustering did not perform satisfactorily on some specific attack types.
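The abstract describes classifying Modbus/TCP RTU traffic with, among others, a k-nearest-neighbors model. The following is an added example, not the paper's code, dataset or results: it parses Modbus/TCP frames (7-byte MBAP header followed by the PDU) into a small numeric feature vector and classifies new frames with a hand-written majority-vote k-NN, so it runs with the Python standard library alone. The frames, the feature choice (function code, first two 16-bit words of the request, PDU data length, and a malformed-length flag), the three constructed attack kinds and their labels are all assumptions made for illustration; the paper's actual dataset, features and attack types are not reproduced here.

```python
"""Added illustration (not the paper's code or dataset): parse Modbus/TCP
frames into numeric features and classify them with a hand-written k-NN.
Every frame below is constructed for the example."""
import struct
from collections import Counter
from math import sqrt

NORMAL, ATTACK = 0, 1


def build_frame(tid, uid, fc, data):
    """Modbus/TCP ADU = MBAP header (transaction id, protocol id 0, length,
    unit id) + PDU. The length field counts the unit id byte plus the PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), uid) + pdu


def parse_modbus_tcp(frame):
    """Split an ADU into its fields. A wrong length is recorded as a
    feature rather than raised, since it is itself a detection signal."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    return {"tid": tid, "uid": uid, "fc": pdu[0], "data": pdu[1:],
            "length_ok": pid == 0 and length == 1 + len(pdu)}


def features(frame):
    """[function code, first word (address / sub-function), second word
    (quantity / value), PDU data length, malformed-length flag]."""
    m = parse_modbus_tcp(frame)
    d = m["data"]
    w1 = struct.unpack(">H", d[0:2])[0] if len(d) >= 2 else 0
    w2 = struct.unpack(">H", d[2:4])[0] if len(d) >= 4 else 0
    return [float(m["fc"]), float(w1), float(w2), float(len(d)),
            0.0 if m["length_ok"] else 1.0]


class KNN:
    """Majority-vote k-NN over min-max scaled features; the scale is fitted
    on the training set only so test frames cannot leak into it."""

    def __init__(self, k=3):
        self.k = k

    def fit(self, frames, labels):
        raw = [features(f) for f in frames]
        self.lo = [min(c) for c in zip(*raw)]
        self.hi = [max(c) for c in zip(*raw)]
        self.X = [self._scale(x) for x in raw]
        self.y = list(labels)
        return self

    def _scale(self, x):
        return [(v - lo) / (hi - lo) if hi > lo else 0.0
                for v, lo, hi in zip(x, self.lo, self.hi)]

    def predict(self, frame):
        q = self._scale(features(frame))
        ranked = sorted((sqrt(sum((a - b) ** 2 for a, b in zip(q, x))), y)
                        for x, y in zip(self.X, self.y))
        return Counter(y for _, y in ranked[:self.k]).most_common(1)[0][0]


def constructed_dataset():
    """Constructed RTU traffic (an assumption, not the paper's data): routine
    polling and single-register writes as NORMAL; bulk writes, wide register
    scans and malformed-length frames as ATTACK."""
    normal = [build_frame(i, 1, 3, struct.pack(">HH", 0, 10)) for i in range(6)]
    normal += [build_frame(10 + i, 1, 6, struct.pack(">HH", 5, 100 + i)) for i in range(4)]
    attack = [build_frame(20 + i, 1, 16, struct.pack(">HHB", 0, q, 2 * q) + bytes(2 * q))
              for i, q in enumerate((40, 50, 60))]
    attack += [build_frame(30 + i, 1, 3, struct.pack(">HH", a, 125))
               for i, a in enumerate((30000, 50000, 65000))]
    bad = bytearray(build_frame(40, 1, 3, struct.pack(">HH", 0, 10)))
    bad[4:6] = b"\x00\x40"          # MBAP length that does not match the PDU
    attack.append(bytes(bad))
    bad = bytearray(build_frame(41, 1, 6, struct.pack(">HH", 5, 100)))
    bad[4:6] = b"\x00\x02"
    attack.append(bytes(bad))
    return normal + attack, [NORMAL] * len(normal) + [ATTACK] * len(attack)


def demo():
    """Train on the constructed set and classify three unseen probe frames."""
    frames, labels = constructed_dataset()
    model = KNN(k=3).fit(frames, labels)
    probes = {
        "routine read": build_frame(99, 1, 3, struct.pack(">HH", 0, 10)),
        "bulk write": build_frame(98, 1, 16, struct.pack(">HHB", 0, 55, 110) + bytes(110)),
        "register scan": build_frame(97, 1, 3, struct.pack(">HH", 40000, 100)),
    }
    return {name: model.predict(f) for name, f in probes.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {'ATTACK' if verdict else 'NORMAL'}")
```

Two points worth noting when building such a detector for real traffic: the min-max scale must come from training data only, otherwise the evaluation leaks the test distribution into the model; and with plain majority voting a single training example of an attack kind is easily outvoted by nearby benign frames, which is why the constructed set carries several samples of each attack kind.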
An Evaluation of Machine Learning-based Anomaly Detection in a SCADA System Using the Modbus Protocol