A new burst-DFA model for SCADA anomaly detection

Chen Markman; Avishai Wool; Alvaro A. Cardenas

doi:10.1145/3140241.3140245

A new burst-DFA model for SCADA anomaly detection

Chen Markman, Avishai Wool, Alvaro A. Cardenas

School of Electrical Engineering

Tel Aviv University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Past work showed that in many cases, it is possible to model the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server by a cyclic Deterministic Finite Automaton (DFA), and to use the model to detect anomalies in the traffic. However, a recent analysis of network traffic in a water facility in the U.S, showed that cyclic-DFA models have limitations. In our research, we examine the same data corpus; our study shows that the communication on all of the channels in the network is done in bursts of packets, and that the bursts have semantic meaning-the order within a burst depends on the messages. Using these observations, we suggest a new burst- DFA model that .ts the data much be.er than previous work. Our model treats the traffic on each channel as a series of bursts, and matches each burst to the DFA, taking the burst's beginning and end into account. Our burst-DFA model successfully explains between 95% and 99% of the packets in the data-corpus, and goes a long way toward the construction of a practical anomaly detection system.

Original language	English
Title of host publication	CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017
Pages	1-12
Number of pages	12
ISBN (Electronic)	9781450353946
DOIs	https://doi.org/10.1145/3140241.3140245
State	Published - 3 Nov 2017
Event	3rd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2017 - Dallas, United States Duration: 3 Nov 2017 → …

Publication series

Name	CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017

Conference

Conference	3rd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2017
Country/Territory	United States
City	Dallas
Period	3/11/17 → …

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 9 Industry, Innovation, and Infrastructure

All Science Journal Classification (ASJC) codes

Computer Science Applications
Software
Computer Networks and Communications

Access to Document

10.1145/3140241.3140245

Cite this

Markman, C., Wool, A., & Cardenas, A. A. (2017). A new burst-DFA model for SCADA anomaly detection. In CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017 (pp. 1-12). (CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017). https://doi.org/10.1145/3140241.3140245

@inproceedings{29cdd41520604788a237fb17444e1bfc,

title = "A new burst-DFA model for SCADA anomaly detection",

abstract = "In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Past work showed that in many cases, it is possible to model the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server by a cyclic Deterministic Finite Automaton (DFA), and to use the model to detect anomalies in the traffic. However, a recent analysis of network traffic in a water facility in the U.S, showed that cyclic-DFA models have limitations. In our research, we examine the same data corpus; our study shows that the communication on all of the channels in the network is done in bursts of packets, and that the bursts have semantic meaning-the order within a burst depends on the messages. Using these observations, we suggest a new burst- DFA model that .ts the data much be.er than previous work. Our model treats the traffic on each channel as a series of bursts, and matches each burst to the DFA, taking the burst's beginning and end into account. Our burst-DFA model successfully explains between 95\% and 99\% of the packets in the data-corpus, and goes a long way toward the construction of a practical anomaly detection system.",

author = "Chen Markman and Avishai Wool and Cardenas, \{Alvaro A.\}",

note = "Publisher Copyright: {\textcopyright} 2017 ACM.; 3rd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2017 ; Conference date: 03-11-2017",

year = "2017",

month = nov,

day = "3",

doi = "10.1145/3140241.3140245",

language = "الإنجليزيّة",

series = "CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017",

pages = "1--12",

booktitle = "CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017",

}

Markman, C, Wool, A & Cardenas, AA 2017, A new burst-DFA model for SCADA anomaly detection. in CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017. CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017, pp. 1-12, 3rd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2017, Dallas, United States, 3/11/17. https://doi.org/10.1145/3140241.3140245

A new burst-DFA model for SCADA anomaly detection. / Markman, Chen; Wool, Avishai; Cardenas, Alvaro A.
CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017. 2017. p. 1-12 (CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A new burst-DFA model for SCADA anomaly detection

AU - Markman, Chen

AU - Wool, Avishai

AU - Cardenas, Alvaro A.

PY - 2017/11/3

Y1 - 2017/11/3

N2 - In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Past work showed that in many cases, it is possible to model the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server by a cyclic Deterministic Finite Automaton (DFA), and to use the model to detect anomalies in the traffic. However, a recent analysis of network traffic in a water facility in the U.S, showed that cyclic-DFA models have limitations. In our research, we examine the same data corpus; our study shows that the communication on all of the channels in the network is done in bursts of packets, and that the bursts have semantic meaning-the order within a burst depends on the messages. Using these observations, we suggest a new burst- DFA model that .ts the data much be.er than previous work. Our model treats the traffic on each channel as a series of bursts, and matches each burst to the DFA, taking the burst's beginning and end into account. Our burst-DFA model successfully explains between 95% and 99% of the packets in the data-corpus, and goes a long way toward the construction of a practical anomaly detection system.

AB - In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Past work showed that in many cases, it is possible to model the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server by a cyclic Deterministic Finite Automaton (DFA), and to use the model to detect anomalies in the traffic. However, a recent analysis of network traffic in a water facility in the U.S, showed that cyclic-DFA models have limitations. In our research, we examine the same data corpus; our study shows that the communication on all of the channels in the network is done in bursts of packets, and that the bursts have semantic meaning-the order within a burst depends on the messages. Using these observations, we suggest a new burst- DFA model that .ts the data much be.er than previous work. Our model treats the traffic on each channel as a series of bursts, and matches each burst to the DFA, taking the burst's beginning and end into account. Our burst-DFA model successfully explains between 95% and 99% of the packets in the data-corpus, and goes a long way toward the construction of a practical anomaly detection system.

UR - http://www.scopus.com/inward/record.url?scp=85037147693&partnerID=8YFLogxK

U2 - 10.1145/3140241.3140245

DO - 10.1145/3140241.3140245

M3 - منشور من مؤتمر

T3 - CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017

SP - 1

EP - 12

BT - CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017

T2 - 3rd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2017

Y2 - 3 November 2017

ER -

Markman C, Wool A, Cardenas AA. A new burst-DFA model for SCADA anomaly detection. In CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017. 2017. p. 1-12. (CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017). doi: 10.1145/3140241.3140245

A new burst-DFA model for SCADA anomaly detection

Abstract

Publication series

Conference

UN SDGs

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this