ABSTRACT
Traffic in an Industrial Control System (ICS), between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC), is highly periodic. However, it is sometimes multiplexed, due to multi-threaded scheduling.
In previous work we introduced a Statechart model which includes multiple Deterministic Finite Automata (DFA), one per cyclic pattern. We demonstrated that Statechart-based anomaly detection is highly effective on multiplexed cyclic traffic when the individual cyclic patterns are known. The challenge is to construct the Statechart, by unsupervised learning, from a captured trace of the multiplexed traffic, especially when the same symbols (ICS messages) can appear in multiple cycles, or multiple times in a cycle. Previously we suggested a combinatorial approach for the Statechart construction, based on Euler cycles in the Discrete Time Markov Chain (DTMC) graph of the trace. This combinatorial approach worked well in simple scenarios, but produced a false-alarm rate that was excessive on more complex multiplexed traffic.
In this paper we suggest a new Statechart construction method, based on spectral analysis. We use the Fourier transform to identify the dominant periods in the trace. Our algorithm then associates a set of symbols with each dominant period, identifies the order of the symbols within each period, and creates the cyclic DFAs and the Statechart.
We evaluated our solution on long traces from two production ICS: one using the Siemens S7-0x72 protocol and the other using Modbus. We also stress-tested our algorithms on a collection of synthetically generated traces that simulate multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The resulting Statecharts model the traces with an overall median false-alarm rate as low as 0.16% on the synthetic datasets, and with zero false alarms on production S7-0x72 traffic. Moreover, the spectral-analysis Statecharts consistently outperformed the previous combinatorial Statecharts, exhibiting significantly lower false-alarm rates and more compact model sizes.
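The construction pipeline sketched above (periodic trace, per-symbol spectral analysis, grouping of symbols by dominant period, ordering within the period, one cyclic DFA per period, and a Statechart that runs those DFAs over the multiplexed trace) is illustrated by the following added example. It is not code from the paper or its authors; the trace, the thread definitions (THREADS, DURATION_MS, BIN_MS) and all function names are constructed here. It covers only the simplest case the abstract mentions, where each symbol belongs to exactly one cycle and appears once per cycle; the harder cases with shared or repeated symbols are what the paper addresses and are not handled here. The DFT is computed directly in pure Python so the example runs without numpy.

```python
import cmath
import math
from collections import defaultdict
from statistics import median

# Constructed example: two cyclic HMI<->PLC "threads" multiplexed on one link.
# Timestamps are integer milliseconds; symbols are abstract message identifiers.
THREADS = [
    # (period_ms, start_ms, gap_ms between messages of one cycle, symbols in cycle order)
    (1000, 0, 50, ["A1", "A2", "A3"]),
    (1500, 300, 50, ["B1", "B2"]),
]
DURATION_MS = 30_000  # length of the constructed capture window
BIN_MS = 50           # sampling interval used to turn the event trace into signals


def make_trace(threads=THREADS, duration_ms=DURATION_MS):
    """Interleave the cycles of all threads into one time-ordered (t_ms, symbol) trace."""
    events = []
    for period, start, gap, syms in threads:
        t = start
        while t + gap * (len(syms) - 1) < duration_ms:
            events.extend((t + j * gap, s) for j, s in enumerate(syms))
            t += period
    return sorted(events)


def symbol_signals(trace, duration_ms=DURATION_MS, bin_ms=BIN_MS):
    """One binned indicator signal per symbol: x[n] = occurrences of the symbol in bin n."""
    n_bins = duration_ms // bin_ms
    signals = defaultdict(lambda: [0] * n_bins)
    for t, s in trace:
        signals[s][t // bin_ms] += 1
    return dict(signals)


def dominant_period(signal, bin_ms=BIN_MS, rel_tol=0.9):
    """Fundamental period (ms) of a binned signal, read off its discrete Fourier transform.

    A periodic impulse train has equally strong peaks at every harmonic, so among the
    frequency bins whose magnitude is within rel_tol of the maximum we take the lowest
    one, i.e. the fundamental.  The DC bin (k = 0) is skipped.
    """
    n = len(signal)
    nonzero = [(i, x) for i, x in enumerate(signal) if x]  # sparse DFT: sum only over hits
    mags = {}
    for k in range(1, n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in nonzero)
        mags[k] = abs(acc)
    peak = max(mags.values())
    k_fund = min(k for k, m in mags.items() if m >= rel_tol * peak)
    return round(n * bin_ms / k_fund)


def build_statechart(trace, duration_ms=DURATION_MS, bin_ms=BIN_MS):
    """Map each dominant period to its cycle: the symbols with that period, ordered by phase."""
    signals = symbol_signals(trace, duration_ms, bin_ms)
    period_of = {s: dominant_period(sig, bin_ms) for s, sig in signals.items()}
    phases = defaultdict(lambda: defaultdict(list))  # period -> symbol -> observed phases
    for t, s in trace:
        p = period_of[s]
        phases[p][s].append(t % p)
    # Ordering by median phase gives the cycle up to rotation, which is all a cyclic DFA needs.
    return {p: sorted(syms, key=lambda s: median(syms[s])) for p, syms in phases.items()}


def check_trace(statechart, trace):
    """Run one cyclic DFA per period over the multiplexed trace and count deviations."""
    owner = {s: p for p, cycle in statechart.items() for s in cycle}
    state = {p: None for p in statechart}  # expected index in each cycle; None = unsynchronised
    alarms = 0
    for _, s in trace:
        p = owner.get(s)
        if p is None:                       # unknown symbol: no DFA accepts it
            alarms += 1
            continue
        cycle = statechart[p]
        idx = cycle.index(s)
        if state[p] is not None and state[p] != idx:
            alarms += 1                     # out-of-order or missing message in this cycle
        state[p] = (idx + 1) % len(cycle)   # resynchronise after the observed symbol
    return alarms


if __name__ == "__main__":
    trace = make_trace()
    sc = build_statechart(trace)
    print("statechart:", sc)
    print("alarms on the learned trace:", check_trace(sc, trace))
```

Running the block learns `{1000: ['A1', 'A2', 'A3'], 1500: ['B1', 'B2']}` from the interleaved trace and raises no alarm on it; dropping one message from a cycle, or inserting a symbol no DFA knows, produces exactly one alarm because each DFA resynchronises on the next observed symbol rather than cascading. The lowest-harmonic rule in `dominant_period` is what keeps a multiple of the true period from being mistaken for it.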