Anomaly detection for industrial control systems using process mining

Abstract Industrial control systems (ICS) are moving from dedicated communications to switched and routed corporate networks, exposing them to the Internet and placing them at risk of cyber-attacks. Existing methods of detecting cyber-attacks, such as intrusion detection systems (IDSs), are commonly deployed in ICS and SCADA networks. However, these devices do not detect more complex threats that manifest themselves gradually over a period of time through a combination of unusually sequenced activities, such as process-related attacks. During the normal operation of an ICS, its devices record device logs that capture the industrial process over time. These logs are a rich source of information that should be analysed in order to detect such process-related attacks. In this paper, we present a novel process mining anomaly detection method for identifying anomalous behaviour and cyber-attacks using ICS data logs and the conformance checking analysis technique from the process mining discipline. A conformance checking analysis compares logs captured from production systems against a process model (which captures the expected behaviours of a system) to determine the extent to which the real behaviours (captured in the logs) match the expected behaviours (captured in the process model). The contributions of this paper include: an experimentally derived recommendation for logging practices on ICS devices, for the purpose of process mining-based analysis; a formalised approach for pre-processing and transforming device logs from ICSs into event logs suitable for process mining analysis; and guidance on how to create a process model for an ICS and how to apply the created process model through a conformance checking analysis to identify anomalous behaviours. Using logs derived from industry standard ICS devices, our anomaly detection method has been successfully applied to detect ICS cyber-attacks that the widely used IDS Snort does not detect.
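As an added illustration (not code from the paper), the conformance checking step can be demonstrated as a token replay of event traces against a Petri net process model: each trace is replayed through the model, tokens that had to be created artificially (missing) or were left over (remaining) lower the fitness score, and traces below a threshold are flagged as anomalous. The tank-filling activity names, the model, the sample traces and the threshold below are all constructed assumptions, not data from the paper.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed Petri net for a simple tank-filling cycle (hypothetical, not
# from the paper): transition -> (input places, output places).
MODEL: Dict[str, Tuple[List[str], List[str]]] = {
    "open_inlet":   (["start"], ["filling"]),
    "level_high":   (["filling"], ["full"]),
    "close_inlet":  (["full"], ["closed"]),
    "open_outlet":  (["closed"], ["draining"]),
    "level_low":    (["draining"], ["drained"]),
    "close_outlet": (["drained"], ["end"]),
}
START, END = "start", "end"

# Constructed event log: case id -> ordered activities from device logs.
LOG: Dict[str, List[str]] = {
    "cycle-1": ["open_inlet", "level_high", "close_inlet",
                "open_outlet", "level_low", "close_outlet"],
    # inlet never closed before the outlet opens (expected ordering violated)
    "cycle-2": ["open_inlet", "level_high", "open_outlet",
                "level_low", "close_outlet"],
}


def replay(trace: List[str]) -> Tuple[int, int, int, int]:
    """Token replay of one trace: (produced, consumed, missing, remaining)."""
    marking: Counter = Counter({START: 1})
    produced, consumed, missing = 1, 0, 0  # initial token counts as produced
    for act in trace:
        if act not in MODEL:            # unknown activity: needs a token no place holds
            consumed, missing = consumed + 1, missing + 1
            continue
        ins, outs = MODEL[act]
        for p in ins:                   # consume input tokens, creating any that are absent
            missing += 0 if marking[p] > 0 else 1
            marking[p] = max(marking[p] - 1, 0)
            consumed += 1
        for p in outs:                  # produce output tokens
            marking[p] += 1
            produced += 1
    missing += 0 if marking[END] > 0 else 1   # final token must sit in the end place
    marking[END] = max(marking[END] - 1, 0)
    consumed += 1
    return produced, consumed, missing, sum(marking.values())


def fitness(trace: List[str]) -> float:
    """Token-replay fitness: 1.0 means the trace fully conforms to the model."""
    p, c, m, r = replay(trace)
    return 0.5 * (1 - m / c) + 0.5 * (1 - r / p)


def detect_anomalies(log: Dict[str, List[str]], threshold: float = 1.0) -> List[str]:
    """Case ids whose fitness falls below the threshold (candidate anomalies)."""
    return [cid for cid, trace in log.items() if fitness(trace) < threshold]
```

Running `detect_anomalies(LOG)` flags only cycle-2, whose fitness drops to 5/6 because the replay had to fabricate a token for `open_outlet` and left one token stranded in the `full` place.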
