Modeling Modbus TCP for intrusion detection

Mustafa Faisal, Alvaro A. Cardenas, Avishai Wool

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

Abstract

DFAs (Deterministic Finite Automata) and DTMCs (Discrete Time Markov Chains) have been proposed for modeling Modbus/TCP for intrusion detection in SCADA (Supervisory Control and Data Acquisition) systems. While these models can be used to learn the behavior of the system, they require the designer to know the appropriate amount of training data for building the model, to retrain the models when the configuration changes, and to generate understandable alert messages. In this paper, we propose to complement these learned models with specification-based approaches. To build a robust model, we need to consider configuration-level specifications in addition to the protocol specification. As Modbus/TCP is a simple protocol with only a handful of function codes (commands) in use on each communication channel, a specification-based approach is well suited to monitoring this communication. We compare the DFA and DTMC approaches on two datasets and illustrate how our inferred specification can be used to complement these models.
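The abstract argues that a per-channel specification is a natural fit for Modbus/TCP because each channel uses only a few function codes. The following added example (not code from the paper or its authors) sketches what such a monitor looks like: it parses the MBAP header of a Modbus/TCP request, applies protocol-level checks (protocol identifier, length field consistency) and then a configuration-level check against a constructed per-channel whitelist of function codes, emitting human-readable alerts. The IP addresses, unit ids, the `SPEC` table and all sample frames are constructed for illustration; the DFA and DTMC models the paper compares are not reproduced here.

```python
import struct
from dataclasses import dataclass

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

# Configuration-level specification, constructed for this example: for each
# communication channel (master IP, slave IP, unit id) the set of Modbus
# function codes the channel is expected to use. 3 = Read Holding Registers,
# 16 = Write Multiple Registers.
SPEC = {
    ("10.0.0.5", "10.0.0.20", 1): {3, 16},  # HMI may read and write
    ("10.0.0.6", "10.0.0.20", 1): {3},      # historian may only read
}

@dataclass
class ModbusADU:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes

def parse_adu(frame: bytes) -> ModbusADU:
    """Split a Modbus/TCP application data unit into MBAP header fields and PDU."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", frame[:MBAP_LEN])
    return ModbusADU(tid, pid, length, uid, frame[MBAP_LEN], frame[MBAP_LEN + 1:])

def check_request(src: str, dst: str, frame: bytes, spec=SPEC) -> list:
    """Return human-readable alerts; an empty list means the request conforms."""
    try:
        adu = parse_adu(frame)
    except ValueError as exc:
        return [f"malformed frame: {exc}"]
    alerts = []
    # Protocol-level specification (from the Modbus/TCP framing rules).
    if adu.protocol_id != 0:
        alerts.append(f"protocol id {adu.protocol_id}, expected 0")
    expected_len = len(frame) - 6  # length field counts unit id + PDU bytes
    if adu.length != expected_len:
        alerts.append(f"MBAP length {adu.length} does not match frame ({expected_len})")
    # Configuration-level specification (from the site's channel inventory).
    channel = (src, dst, adu.unit_id)
    allowed = spec.get(channel)
    if allowed is None:
        alerts.append(f"no specification for channel {channel}")
    elif adu.function_code not in allowed:
        alerts.append(
            f"function code {adu.function_code} not permitted on channel {channel}, "
            f"allowed: {sorted(allowed)}")
    return alerts

def build_request(tid: int, uid: int, fc: int, data: bytes, pid: int = 0) -> bytes:
    """Assemble a request ADU; used here only to construct the sample frames."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, pid, len(pdu) + 1, uid) + pdu

READ_10_REGS = struct.pack("!HH", 0, 10)                            # start 0, count 10
WRITE_1_REG = struct.pack("!HHB", 0, 1, 2) + struct.pack("!H", 5)   # start 0, 1 reg, 2 bytes, value 5

SAMPLES = {  # (src, dst, frame); all values constructed for this example
    "hmi_read": ("10.0.0.5", "10.0.0.20", build_request(1, 1, 3, READ_10_REGS)),
    "historian_write": ("10.0.0.6", "10.0.0.20", build_request(2, 1, 16, WRITE_1_REG)),
    "rogue_host": ("10.0.0.99", "10.0.0.20", build_request(3, 1, 3, READ_10_REGS)),
    "bad_protocol_id": ("10.0.0.5", "10.0.0.20", build_request(4, 1, 3, READ_10_REGS, pid=7)),
    "bad_length": ("10.0.0.5", "10.0.0.20", struct.pack("!HHHB", 5, 0, 40, 1) + b"\x03" + READ_10_REGS),
    "truncated": ("10.0.0.5", "10.0.0.20", b"\x00\x06\x00\x00\x00"),
}

def analyze_samples(samples=SAMPLES) -> dict:
    """Run the checker over every sample; returns {name: [alerts]}."""
    return {name: check_request(src, dst, frame) for name, (src, dst, frame) in samples.items()}

if __name__ == "__main__":
    for name, alerts in analyze_samples().items():
        print(f"{name:16s} {'OK' if not alerts else '; '.join(alerts)}")
```

Only the `hmi_read` sample passes; each of the others triggers exactly one alert naming the violated rule. Because the rules are an explicit specification rather than a learned model, a configuration change is handled by editing `SPEC` rather than collecting new training data, which is the complement to DFA/DTMC models the abstract describes.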

Original language: English
Title of host publication: 2016 IEEE Conference on Communications and Network Security, CNS 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 386-390
Number of pages: 5
ISBN (Electronic): 9781509030651
DOIs
State: Published - 21 Feb 2017
Event: 2016 IEEE Conference on Communications and Network Security, CNS 2016 - Philadelphia, United States
Duration: 17 Oct 2016 to 19 Oct 2016

Publication series

Name: 2016 IEEE Conference on Communications and Network Security, CNS 2016

Conference

Conference: 2016 IEEE Conference on Communications and Network Security, CNS 2016
Country/Territory: United States
City: Philadelphia
Period: 17/10/16 to 19/10/16

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
