Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systems

Noam Erez, Avishai Wool

Research output: Contribution to journalArticlepeer-review

Abstract

This paper describes a novel domain-aware anomaly detection system that detects irregular changes in Modbus/TCP SCADA control register values. The research discovered the presence of three classes of registers: (i) sensor registers; (ii) counter registers; and (iii) constant registers. An automatic classifier was developed to identify these classes. Additionally, parameterized behavior models were created for each class. During its learning phase, the anomaly detection system used the classifier to identify the different types of registers and instantiated the model for each register based on its type. During the enforcement phase, the system detected deviations from the model. The anomaly detection system was evaluated using 131. h of traffic from a production SCADA system. The classifier had a true positive classification rate of 93%. During the enforcement phase, a 0.86% false alarm rate was obtained for the correctly-classified registers.

Original languageEnglish
Pages (from-to)59-70
Number of pages12
JournalInternational Journal of Critical Infrastructure Protection
Volume10
DOIs
StatePublished - 1 Sep 2015

Keywords

  • Anomaly Detection
  • Modbus/TCP Protocol
  • SCADA Systems
  • Security

All Science Journal Classification (ASJC) codes

  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
  • Computer Science Applications
  • Modelling and Simulation

Fingerprint

Dive into the research topics of 'Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systems'. Together they form a unique fingerprint.

Cite this