A log mining approach for process monitoring in SCADA

SCADA (supervisory control and data acquisition) systems are used to control and monitor industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. A process-related threat occurs when an attacker obtains the access rights of a legitimate user and performs actions that look legitimate but are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated log-processing approach. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.
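The abstract describes the approach only at a high level and does not spell out how the logs are mined. The following Python example is an added illustration, not the paper's code or its water-treatment data: it applies one plausible technique, frequent itemset mining (Apriori) with a minimum support threshold, to a constructed log of operator actions and flags records whose full combination of user, action, tag and shift never recurs, explaining each flagged record by the largest frequent pattern it still matches. The log format, the field names, the day/night split at 06:00-18:00 and the support threshold are all assumptions.

```python
"""Added example: flag rare operator actions in a constructed SCADA log using
frequent itemset mining. Not the paper's code; format and thresholds assumed."""
from collections import Counter
from itertools import combinations

# Constructed sample log (not data from the paper's water treatment facility).
# Assumed format: <ISO timestamp> <user> <action> <tag> <value>
SAMPLE_LOG = """\
2010-03-01T06:00:12 op1 SET_POINT PUMP_1 ON
2010-03-01T06:30:40 op1 SET_POINT VALVE_2 OPEN
2010-03-01T14:02:05 op1 SET_POINT PUMP_1 OFF
2010-03-01T22:15:33 op2 ACK_ALARM LEVEL_HI -
2010-03-02T06:01:02 op1 SET_POINT PUMP_1 ON
2010-03-02T06:31:11 op1 SET_POINT VALVE_2 OPEN
2010-03-02T14:00:59 op1 SET_POINT PUMP_1 OFF
2010-03-02T23:40:18 op2 ACK_ALARM LEVEL_HI -
2010-03-03T02:12:07 op2 SET_POINT CHLORINE_DOSE 250
2010-03-03T06:00:45 op1 SET_POINT PUMP_1 ON
2010-03-03T06:29:50 op1 SET_POINT VALVE_2 OPEN
2010-03-03T14:03:21 op1 SET_POINT PUMP_1 OFF
2010-03-03T22:10:00 op2 ACK_ALARM LEVEL_HI -
"""

# Categorical fields that make up one transaction (assumed choice).
FIELDS = ("user", "action", "tag", "shift")


def parse_log(text):
    """Parse log lines into records; derive a coarse shift from the hour
    (assumed: 06:00-18:00 is 'day', everything else 'night')."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, tag, value = line.split()
        hour = int(ts[11:13])
        shift = "day" if 6 <= hour < 18 else "night"
        records.append({"ts": ts, "user": user, "action": action,
                        "tag": tag, "value": value, "shift": shift})
    return records


def to_itemset(record):
    """Encode the categorical fields of one record as a set of field=value items."""
    return frozenset(f"{f}={record[f]}" for f in FIELDS)


def apriori(transactions, min_support):
    """Level-wise Apriori: return {frequent itemset: support count}."""
    counts = Counter(frozenset([item]) for t in transactions for item in t)
    frequent = {s: n for s, n in counts.items() if n >= min_support}
    current, k = set(frequent), 2
    while current:
        candidates = set()
        for a, b in combinations(current, 2):
            union = a | b
            # Apriori pruning: every (k-1)-subset of a frequent k-set is frequent.
            if len(union) == k and all(frozenset(sub) in frequent
                                       for sub in combinations(union, k - 1)):
                candidates.add(union)
        level = Counter()
        for t in transactions:
            for c in candidates:
                if c <= t:
                    level[c] += 1
        current = {c for c, n in level.items() if n >= min_support}
        frequent.update({c: level[c] for c in current})
        k += 1
    return frequent


def flag_rare_events(records, min_support):
    """Return records whose full field combination is not frequent, together with
    the largest frequent sub-pattern they still match, as an explanation for the analyst."""
    transactions = [to_itemset(r) for r in records]
    frequent = apriori(transactions, min_support)
    flagged = []
    for record, items in zip(records, transactions):
        if items in frequent:
            continue
        matches = [(s, n) for s, n in frequent.items() if s <= items]
        nearest, support = max(matches, key=lambda sn: (len(sn[0]), sn[1]),
                               default=(frozenset(), 0))
        flagged.append({"record": record, "nearest_pattern": nearest, "support": support})
    return flagged


if __name__ == "__main__":
    for hit in flag_rare_events(parse_log(SAMPLE_LOG), min_support=2):
        r = hit["record"]
        print(f"{r['ts']} {r['user']} {r['action']} {r['tag']} {r['value']}"
              f"  <- deviates from frequent pattern {sorted(hit['nearest_pattern'])}"
              f" (support {hit['support']})")
```

On the constructed log the only flagged record is op2 changing CHLORINE_DOSE at night: each of its individual attributes is common, and "op2 at night" is a frequent pattern, but that user never issues SET_POINT commands, which is exactly the kind of legitimate-looking action by a legitimate account that the abstract describes. The "semi-automated" part is the analyst reviewing the flagged records and the minimum support threshold, which here is deliberately low because the log is tiny.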
