A new burst-DFA model for SCADA anomaly detection

Chen Markman, Avishai Wool, Alvaro A. Cardenas

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In Industrial Control Systems (ICS/SCADA), machine-to-machine data traffic is highly periodic. Past work showed that in many cases it is possible to model the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server by a cyclic Deterministic Finite Automaton (DFA), and to use the model to detect anomalies in the traffic. However, a recent analysis of network traffic in a water facility in the U.S. showed that cyclic-DFA models have limitations. In our research, we examine the same data corpus; our study shows that the communication on all of the channels in the network is done in bursts of packets, and that the bursts have semantic meaning: the order within a burst depends on the messages. Using these observations, we suggest a new burst-DFA model that fits the data much better than previous work. Our model treats the traffic on each channel as a series of bursts, and matches each burst to the DFA, taking the burst's beginning and end into account. Our burst-DFA model successfully explains between 95% and 99% of the packets in the data corpus, and goes a long way toward the construction of a practical anomaly detection system.

Original language: English
Title of host publication: CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017
Pages: 1-12
Number of pages: 12
ISBN (Electronic): 9781450353946
DOIs
State: Published - 3 Nov 2017
Event: 3rd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2017 - Dallas, United States
Duration: 3 Nov 2017 → …

Publication series

Name: CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017

Conference

Conference: 3rd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2017
Country/Territory: United States
City: Dallas
Period: 3/11/17 → …

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
  • Computer Science Applications
