Exploiting traffic periodicity in industrial control networks

Industrial control systems play a major role in the operation of critical infrastructure assets. Due to the polling mechanisms typically used to retrieve data from field devices, industrial control network traffic exhibits strong periodic patterns. This paper presents a novel approach that uses message repetition and timing information to automatically learn traffic models that capture the periodic patterns. The feasibility of the approach is demonstrated using three traffic traces collected from real-world industrial networks. Two practical applications for the learned models are presented. The first is their use in intrusion detection systems; the learned models represent whitelists of valid commands and the frequencies at which they are sent; thus, the models may be used to detect data injection and denial-of-service attacks. The second application is to generate synthetic traffic traces, which can be used to test intrusion detection systems and evaluate the performance of industrial control devices.
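The two applications described above, as an added example that is not the paper's code: a whitelist model learned from message repetition and timing, a detector that flags messages absent from the whitelist (injection) and per-key rate deviations (flooding or a poll that stopped), and a generator that emits a synthetic trace from the same model. The message identity (master, slave, function code, start register), the median inter-arrival period with a relative-spread jitter bound, the count-per-window rate check and all trace contents are assumptions chosen for illustration; the traces are constructed, not captured.

```python
"""Periodicity whitelist for polled ICS traffic (added example, not the paper's code).

A message key is (master, slave, function_code, start_register); a key enters the
whitelist only if it repeats with a stable inter-arrival time. The model is then
used to detect injected messages and rate deviations, and to synthesize traffic.
"""
from collections import defaultdict
from statistics import median
import random

# One message: (timestamp_s, master, slave, function_code, start_register)

def key_of(msg):
    """Message identity without its timestamp: who asked whom for what."""
    _, src, dst, fc, reg = msg
    return (src, dst, fc, reg)

def learn_model(trace, min_repeats=3, max_jitter=0.25):
    """Learn {key: {period, jitter}} from a training trace.

    A key is whitelisted only if it occurs >= min_repeats times and its
    inter-arrival times stay within max_jitter (relative) of their median.
    Aperiodic keys (one-off writes, configuration traffic) are left out.
    """
    times = defaultdict(list)
    for msg in sorted(trace):
        times[key_of(msg)].append(msg[0])
    model = {}
    for key, ts in times.items():
        if len(ts) < max(min_repeats, 2):
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = median(gaps)
        if period <= 0:
            continue  # duplicate timestamps: no usable period
        spread = max(abs(g - period) for g in gaps) / period
        if spread <= max_jitter:
            model[key] = {"period": period, "jitter": spread}
    return model

def detect(model, window, window_s, rate_tolerance=0.5):
    """Check one window of traffic against the model.

    Returns alerts as (kind, key, detail):
      'unknown' - key not in the whitelist (possible data injection)
      'rate'    - observed count differs from window_s / period by more
                  than rate_tolerance (flooding / DoS, or a poll that stopped)
    """
    counts = defaultdict(int)
    for msg in window:
        counts[key_of(msg)] += 1
    alerts = [("unknown", k, n) for k, n in counts.items() if k not in model]
    for key, p in model.items():
        expected = window_s / p["period"]
        n = counts.get(key, 0)
        if abs(n - expected) > rate_tolerance * expected:
            alerts.append(("rate", key, (n, round(expected, 1))))
    return alerts

def synthesize(model, duration_s, seed=0):
    """Emit a synthetic trace: each key fires every `period` seconds from a
    random phase, with uniform jitter bounded by the learned spread."""
    rng = random.Random(seed)
    out = []
    for key, p in model.items():
        t = rng.uniform(0, p["period"])
        while t < duration_s:
            out.append((round(t, 3),) + key)
            t += p["period"] * (1 + rng.uniform(-p["jitter"], p["jitter"]))
    return sorted(out)

# --- constructed traces (assumed addresses and function codes) ---------------
MASTER, SLAVE = "10.0.0.1", "10.0.0.20"

def constructed_training_trace():
    """60 s: 1 s poll of holding registers (fc 3), 5 s poll of coils (fc 1),
    and one aperiodic multi-register write (fc 16) that must stay unlisted."""
    trace = [(t * 1.0 + 0.01 * (t % 3), MASTER, SLAVE, 3, 0) for t in range(60)]
    trace += [(t * 5.0 + 0.5, MASTER, SLAVE, 1, 100) for t in range(12)]
    trace.append((17.3, MASTER, SLAVE, 16, 40))
    return trace

def constructed_window(flood=False, inject=False, drop_coils=False):
    """10 s evaluation window with optional attack behaviour."""
    w = [(float(t), MASTER, SLAVE, 3, 0) for t in range(10)]
    if not drop_coils:
        w += [(0.5, MASTER, SLAVE, 1, 100), (5.5, MASTER, SLAVE, 1, 100)]
    if inject:
        w.append((3.3, "10.0.0.99", SLAVE, 6, 5))  # write from an unknown host
    if flood:
        w += [(t / 10.0, MASTER, SLAVE, 3, 0) for t in range(90)]  # 90 extra reads
    return sorted(w)

if __name__ == "__main__":
    model = learn_model(constructed_training_trace())
    for name, win in [("normal", constructed_window()),
                      ("inject", constructed_window(inject=True)),
                      ("flood", constructed_window(flood=True)),
                      ("poll stopped", constructed_window(drop_coils=True))]:
        print(name, detect(model, win, 10.0))
    print("synthetic messages:", len(synthesize(model, 30.0)))
```

The rate check compares a count per window with `window_s / period`, so the window must be several times the longest learned period or slow polls will trip it; the jitter bound is what keeps genuinely aperiodic traffic out of the whitelist rather than letting it dilute the model.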
