Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems

Authors: Amit Kleinmann, Avishai Wool

DOI: 10.1145/3011018

Keywords:

Abstract: Industrial Control System (ICS) traffic between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed ICS streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA and a high false-alarm rate. In this article, we introduce a new modeling approach that addresses this gap. Our Statechart includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming stream into sub-channels and sends them to their respective DFAs. We demonstrate how to automatically construct the statechart from a captured stream. Our unsupervised learning algorithms first build a Discrete-Time Markov Chain (DTMC) from the stream. Next, we split the symbols into sets, one per cycle, based on symbol frequencies and node degrees in the DTMC graph. Then, we create a sub-graph for each cycle and extract Euler cycles from each sub-graph. The final statechart is comprised of one DFA per Euler cycle. The algorithms allow for non-unique symbols, which appear in more than one cycle, and also for symbols that appear more than once in a cycle. We evaluated our solution on traces from a production ICS using the Siemens S7-0x72 protocol. We also stress-tested our algorithms on a collection of synthetically-generated traces that simulate multiplexed ICS traffic with varying levels of symbol uniqueness and time overlap. The algorithms were able to split the symbols into sets with 99.6% accuracy. The resulting statechart modeled the traces with a median false-alarm rate as low as 0.483%. In all but the most extreme scenarios, the statechart model drastically reduced both the false-alarm rate and the learned model size in comparison with the naive single-DFA model.
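As an added illustration of the construction the abstract describes (example code, not the paper's own), the following Python learns a statechart from a constructed multiplexed symbol trace and then runs it as a DFA-selector-based detector. It simplifies the paper's method: symbols are split into cycles by frequency alone, and every symbol is assumed to belong to exactly one cycle and to occur once per cycle; TRACE, split_by_frequency, euler_cycle, learn_statechart and detect are all assumed names.

```python
from collections import Counter, defaultdict
# Constructed trace: cycles (A,B,C) and (X,Y) multiplexed by asynchronous scheduling.
# Assumption: each symbol belongs to one cycle and occurs once per cycle.
TRACE = "A B X C A Y B C X A B Y C A X B C Y".split()

def split_by_frequency(trace):
    """Symbols of one cycle recur equally often: an approximation of the paper's split."""
    groups = defaultdict(set)
    for sym, n in Counter(trace).items():
        groups[n].add(sym)
    return list(groups.values())

def euler_cycle(edges, start):
    """Hierholzer's algorithm: one Euler cycle over the sub-graph's edge multiset."""
    adj = defaultdict(list)
    for (u, v), n in edges.items():
        adj[u].extend([v] * n)
    stack, path = [start], []
    while stack:
        u = stack[-1]
        if adj[u]:
            stack.append(adj[u].pop())
        else:
            path.append(stack.pop())
    return path[::-1][:-1]  # drop the closing repeat of `start`

def learn_statechart(trace):
    """Statechart = DFA-selector (symbol -> DFA index) plus one cyclic DFA per symbol set."""
    selector, dfas = {}, []
    for syms in split_by_frequency(trace):
        sub = [s for s in trace if s in syms]          # de-multiplexed sub-channel
        edges = {e: 1 for e in zip(sub, sub[1:])}      # DTMC sub-graph transitions
        selector.update({s: len(dfas) for s in syms})
        dfas.append(euler_cycle(edges, sub[0]))
    return selector, dfas

def detect(selector, dfas, stream):
    """Route each symbol to its DFA; alarm on unknown symbols and broken cycle order."""
    last, alarms = [None] * len(dfas), []
    for i, sym in enumerate(stream):
        k = selector.get(sym)
        if k is None:
            alarms.append((i, sym, "unknown symbol"))
            continue
        cyc = dfas[k]
        expect = sym if last[k] is None else cyc[(cyc.index(last[k]) + 1) % len(cyc)]
        if sym != expect:
            alarms.append((i, sym, f"DFA {k} expected {expect}"))
        last[k] = sym
    return alarms
```

Run on TRACE itself the statechart raises no alarm, whereas a stray symbol or a repeated symbol inside one cycle is reported by the selector or by the affected DFA only.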
