DIDEROT: an intrusion detection and prevention system for DNP3-based SCADA systems

In this paper, an Intrusion Detection and Prevention System (IDPS) for Supervisory Control and Data Acquisition (SCADA) systems that use the Distributed Network Protocol 3 (DNP3) is presented. The proposed IDPS is called DIDEROT (Dnp3 Intrusion DetEction pReventiOn sysTem) and relies on both a supervised Machine Learning (ML) detection model and an unsupervised/outlier ML detection model, which together discriminate whether a DNP3 network flow belongs to a particular DNP3 cyberattack or constitutes an anomaly. First, the supervised ML detection model is applied, trying to identify whether a DNP3 network flow is related to a specific DNP3 cyberattack. If the corresponding network flow is classified as normal, the unsupervised/outlier ML anomaly detection model is then activated, seeking to recognise the presence of a possible anomaly. Based on the DIDEROT detection results, Software Defined Networking (SDN) technology is adopted in order to mitigate the corresponding DNP3 cyberattacks and anomalies in a timely manner. The performance of DIDEROT is demonstrated using real data originating from a substation environment.
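The two-stage cascade described above (supervised classifier first, outlier detector only on flows the classifier calls normal, then a mitigation decision) is illustrated below as an added example; it is not the paper's code or the DIDEROT implementation. The three per-flow features, the toy nearest-centroid and z-score models, the training and test flows, and the SDN-style rule dictionary are all constructed assumptions chosen so the control flow of the cascade is visible, not a reproduction of the paper's models or feature set.

```python
"""Two-stage flow verdict cascade in the spirit of DIDEROT: a supervised
classifier first, then an outlier detector on flows the classifier calls normal,
then a mitigation decision derived from the verdict.

Added example, not the paper's code. The feature set, the toy models and the
sample flows are constructed assumptions for illustration only.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed per-flow feature vector (not the paper's feature set):
# (packets_per_second, mean_payload_bytes, fraction_of_write_function_codes)
Flow = Tuple[float, float, float]

# Constructed labelled training flows (three per class, for illustration).
TRAIN: Dict[str, List[Flow]] = {
    "normal": [(2.0, 40.0, 0.05), (2.5, 45.0, 0.04), (1.8, 38.0, 0.06)],
    "flood": [(900.0, 20.0, 0.0), (850.0, 22.0, 0.01), (950.0, 18.0, 0.0)],
    "unauthorized_write": [(3.0, 60.0, 0.90), (2.8, 65.0, 0.95), (3.2, 58.0, 0.88)],
}
EPS = 1e-9  # guards against division by zero for constant features


def _mean(rows: Sequence[Flow]) -> List[float]:
    n = len(rows)
    return [sum(r[i] for r in rows) / n for i in range(len(rows[0]))]


def _std(rows: Sequence[Flow], mean: Sequence[float]) -> List[float]:
    n = len(rows)
    return [math.sqrt(sum((r[i] - mean[i]) ** 2 for r in rows) / n)
            for i in range(len(mean))]


class SupervisedStage:
    """Stage 1: nearest-centroid classifier over range-scaled features.
    A deliberately simple stand-in for the paper's supervised model."""

    def __init__(self, train: Dict[str, List[Flow]]) -> None:
        everything = [f for rows in train.values() for f in rows]
        lo = [min(f[i] for f in everything) for i in range(3)]
        hi = [max(f[i] for f in everything) for i in range(3)]
        self.scale = [max(hi[i] - lo[i], EPS) for i in range(3)]
        self.centroids = {label: _mean(rows) for label, rows in train.items()}

    def predict(self, flow: Flow) -> str:
        def dist(c: Sequence[float]) -> float:
            return math.sqrt(sum(((flow[i] - c[i]) / self.scale[i]) ** 2
                                 for i in range(3)))
        return min(self.centroids, key=lambda label: dist(self.centroids[label]))


class OutlierStage:
    """Stage 2: per-feature z-score against the normal-class profile only.
    A stand-in for the paper's unsupervised/outlier model; it never sees
    attack samples, which is what lets it flag behaviour outside the training labels."""

    def __init__(self, normal_rows: Sequence[Flow], threshold: float = 3.0) -> None:
        self.mean = _mean(normal_rows)
        self.std = [max(s, EPS) for s in _std(normal_rows, self.mean)]
        self.threshold = threshold

    def score(self, flow: Flow) -> float:
        return max(abs((flow[i] - self.mean[i]) / self.std[i]) for i in range(3))

    def is_anomaly(self, flow: Flow) -> bool:
        return self.score(flow) > self.threshold


class Cascade:
    """Supervised verdict first; the outlier stage runs only for 'normal' flows."""

    def __init__(self, train: Dict[str, List[Flow]]) -> None:
        self.stage1 = SupervisedStage(train)
        self.stage2 = OutlierStage(train["normal"])

    def verdict(self, flow: Flow) -> Tuple[str, str]:
        """Return ('attack', label), ('anomaly', 'outlier') or ('normal', '')."""
        label = self.stage1.predict(flow)
        if label != "normal":
            return ("attack", label)
        if self.stage2.is_anomaly(flow):
            return ("anomaly", "outlier")
        return ("normal", "")


def mitigation_rule(verdict: Tuple[str, str], src: str, dst: str) -> dict:
    """Hypothetical SDN flow-rule representation (not any real controller's API):
    drop flows matched to a known attack, divert anomalies for analyst review,
    and install nothing for normal flows."""
    kind, detail = verdict
    if kind == "attack":
        return {"match": {"src": src, "dst": dst}, "action": "drop", "reason": detail}
    if kind == "anomaly":
        return {"match": {"src": src, "dst": dst}, "action": "mirror_to_quarantine",
                "reason": detail}
    return {}


if __name__ == "__main__":
    cascade = Cascade(TRAIN)
    # Constructed test flows: a benign one, two known-attack shapes, and one that
    # matches no attack class yet deviates from the normal profile.
    for name, flow in [("benign", (2.2, 42.0, 0.05)), ("flood-like", (1000.0, 15.0, 0.0)),
                       ("write-heavy", (3.1, 62.0, 0.92)), ("unlabelled-deviation", (2.1, 41.0, 0.30))]:
        v = cascade.verdict(flow)
        print(name, v, mitigation_rule(v, "10.0.0.5", "10.0.0.1"))
```

The point the cascade makes is the ordering: the outlier stage is trained on normal traffic only, so a flow that resembles none of the labelled attacks but still deviates from the normal profile (the fourth test flow, with an unusual share of write function codes) is caught as an anomaly rather than silently passed, while flows the classifier already attributes to an attack class never reach the outlier stage.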
