Abstract
This paper describes a novel domain-aware anomaly detection system that detects irregular changes in Modbus/TCP SCADA control register values. The research discovered the presence of three classes of registers: (i) sensor registers; (ii) counter registers; and (iii) constant registers. An automatic classifier was developed to identify these classes. Additionally, parameterized behavior models were created for each class. During its learning phase, the anomaly detection system used the classifier to identify the different types of registers and instantiated the model for each register based on its type. During the enforcement phase, the system detected deviations from the model. The anomaly detection system was evaluated using 131 h of traffic from a production SCADA system. The classifier had a true positive classification rate of 93%. During the enforcement phase, a 0.86% false alarm rate was obtained for the correctly classified registers.
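As an added illustration (not code from the paper or its authors): a minimal Python version of the three-class register scheme the abstract describes, with a learning phase that classifies each register and instantiates its model, and an enforcement phase that reports deviations. The classification heuristic, the per-class checks, the margin used for sensor registers and the sample register histories are all assumptions constructed for this example.

```python
from dataclasses import dataclass


def classify(history):
    """Assumed heuristic for the three classes named in the abstract:
    constant (never changes), counter (only ever increases), else sensor."""
    if len(set(history)) == 1:
        return "constant"
    steps = [b - a for a, b in zip(history, history[1:])]
    if all(s >= 0 for s in steps):
        return "counter"
    return "sensor"


@dataclass
class RegisterModel:
    """Parameterized behaviour model instantiated per register from its class."""
    cls: str
    lo: int        # smallest value seen while learning
    hi: int        # largest value seen while learning
    max_step: int  # largest change between consecutive samples while learning

    @staticmethod
    def learn(history):
        steps = [abs(b - a) for a, b in zip(history, history[1:])] or [0]
        return RegisterModel(classify(history), min(history), max(history), max(steps))

    def check(self, prev, value):
        """Enforcement phase: alarm string, or None if value fits (no 16-bit wraparound handling)."""
        if self.cls == "constant":
            return None if value == self.lo else "constant register changed"
        if self.cls == "counter":
            if value < prev:
                return "counter decreased"
            if value - prev > self.max_step:
                return "counter jumped beyond learned step"
            return None
        # sensor: learned range widened by one learned step on each side (assumed margin)
        if self.lo - self.max_step <= value <= self.hi + self.max_step:
            return None
        return "sensor value outside learned range"


def enforce(model, last_learned, stream):
    """Check each observed value against the model; returns (index, alarm) pairs."""
    alarms, prev = [], last_learned
    for i, v in enumerate(stream):
        a = model.check(prev, v)
        if a:
            alarms.append((i, a))
        prev = v
    return alarms
```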
Field | Value
---|---
Original language | English
Pages (from-to) | 59-70
Number of pages | 12
Journal | International Journal of Critical Infrastructure Protection
Volume | 10
DOIs |
State | Published - 1 Sep 2015
Keywords
- Anomaly Detection
- Modbus/TCP Protocol
- SCADA Systems
- Security
All Science Journal Classification (ASJC) codes
- Information Systems and Management
- Safety, Risk, Reliability and Quality
- Computer Science Applications
- Modelling and Simulation