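@comment{
  Faisal, Cardenas, Wool: specification-based complement to learned DFA/DTMC
  models of Modbus/TCP traffic for SCADA intrusion detection (CNS 2016).
  Normalised from a portal export: the DOI is stored bare (no resolver
  prefix), names use "Last, First" form, and the language and address
  values, which were Arabic strings, are given in English/ASCII.
  The year/month/day fields read 21 Feb 2017, while the note records the
  conference itself as 17-19 Oct 2016; the series field repeats booktitle
  as exported. Confirm both against the publisher record before citing.
}
@inproceedings{b69d1252c1be45b6932e6b04bed53268,
  title     = {Modeling {Modbus} {TCP} for intrusion detection},
  abstract  = {DFAs (Deterministic Finite Automata) and DTMCs (Discrete Time Markov Chain) have been proposed for modeling Modbus/TCP for intrusion detection in SCADA (Supervisory Control and Data Acquisition) systems. While these models can be used to learn the behavior of the system, they require the designer to know the appropriate amount of training data for building the model, to retrain models when configuration changes, and to generate understandable alert messages. In this paper, we propose to complement these learned models with the specification approaches. To build a robust model, we need to consider configuration-level specifications in addition to protocol specification. As Modbus/TCP is a simple protocol with handful function code(s) or commands for each communication channel, designing a specification-based approach is suitable for monitoring this communication. We do a comparison of DFA and DTMC approaches in two datasets and illustrate how to use our inferred specification to complement these models.},
  author    = {Faisal, Mustafa and Cardenas, Alvaro A. and Wool, Avishai},
  note      = {Publisher Copyright: {\textcopyright} 2016 IEEE.; 2016 IEEE Conference on Communications and Network Security, CNS 2016 ; Conference date: 17-10-2016 Through 19-10-2016},
  year      = {2017},
  month     = feb,
  day       = {21},
  doi       = {10.1109/CNS.2016.7860524},
  language  = {English},
  series    = {2016 IEEE Conference on Communications and Network Security, CNS 2016},
  publisher = {Institute of Electrical and Electronics Engineers Inc.},
  pages     = {386--390},
  booktitle = {2016 IEEE Conference on Communications and Network Security, CNS 2016},
  address   = {United States},
}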