Automatic construction of Statechart-based anomaly detection models for multi-threaded SCADA via spectral analysis

Amit Kleinmann, Avishai Wool

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Traffic of Industrial Control System (ICS) between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is highly periodic. However, it is sometimes multiplexed, due to multi-threaded scheduling. In previous work we introduced a Statechart model which includes multiple Deterministic Finite Automata (DFA), one per cyclic pattern. We demonstrated that Statechart-based anomaly detection is highly effective on multiplexed cyclic traffic when the individual cyclic patterns are known. The challenge is to construct the Statechart, by unsupervised learning, from a captured trace of the multiplexed traffic, especially when the same symbols (ICS messages) can appear in multiple cycles, or multiple times in a cycle. Previously we suggested a combinatorial approach for the Statechart construction, based on Euler cycles in the Discrete Time Markov Chain (DTMC) graph of the trace. This combinatorial approach worked well in simple scenarios, but produced a false-alarm rate that was excessive on more complex multiplexed traffic. In this paper we suggest a new Statechart construction method, based on spectral analysis. We use the Fourier transform to identify the dominant periods in the trace. Our algorithm then associates a set of symbols with each dominant period, identifies the order of the symbols within each period, and creates the cyclic DFAs and the Statechart. We evaluated our solution on long traces from two production ICS: one using the Siemens S7-0x72 protocol and the other using Modbus. We also stress-tested our algorithms on a collection of synthetically-generated traces that simulate multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The resulting Statecharts model the traces with an overall median false-alarm rate as low as 0.16% on the synthetic datasets, and with zero false-alarms on production S7-0x72 traffic. Moreover, the spectral analysis Statecharts consistently out-performed the previous combinatorial Statecharts, exhibiting significantly lower false alarm rates and more compact model sizes.

Original languageEnglish
Title of host publicationCPS-SPC 2016 - Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2016
Pages1-12
Number of pages12
ISBN (Electronic)9781450345682
DOIs
StatePublished - 28 Oct 2016
Event2nd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2016 - Vienna, Austria
Duration: 28 Oct 2016 → …

Publication series

NameCPS-SPC 2016 - Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2016

Conference

Conference2nd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2016
Country/TerritoryAustria
CityVienna
Period28/10/16 → …

Keywords

  • ICS
  • Modbus
  • Network-intrusion-detection-system
  • S7
  • SCADA
  • Siemens
  • Statechart

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Automatic construction of Statechart-based anomaly detection models for multi-threaded SCADA via spectral analysis'. Together they form a unique fingerprint.

Cite this