Burst-based Anomaly Detection on the DNP3 Protocol

The potential effectiveness of cyber-attacks against SCADA systems could be increased because they are connected to the Internet for several purposes. The Distributed Network Protocol Version 3 (DNP3) protocol is widely used in SCADA systems as a means of communicating observed sensor state information back to a control center. Previous DNP3 security research is based on such specifications as attack signatures and protocol-based authorization. The provision of an exact and detailed specification is a good security criterion, but the drafting of proper specifications tends to be a time-consuming and error-prone process. In general, utilities that use the DNP3 protocol repeat their own limited operations, so a whitelist-based approach is clearly suitable for network intrusion detection. A burst is a group of consecutive packets with a shorter inter-arrival time than the packets arriving before or after the burst. When utilities communicate on the DNP3 protocol, one transaction at the application level is mapped to one burst. We collected and analyzed the DNP3 network traffic of a real-world SCADA system and, based on the results obtained from the analysis, produced a burst-based whitelist model for utilities using the DNP3 protocol. The proposed model can be used for intrusion detection and the detection of abnormal behaviors in the SCADA system.
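The following Python example is added here to illustrate the burst-to-transaction idea described in the abstract; it is not code from the paper. It segments a packet stream into bursts, profiles each burst as the ordered sequence of (source, destination, DNP3 function code) it contains, learns a whitelist of burst profiles from a training window, and flags bursts outside that whitelist. Two simplifications are assumptions of this example rather than the paper's method: a burst boundary is taken to be any inter-arrival gap larger than a fixed threshold, and the burst profile uses only the application-layer function code. The packet traces are constructed; the function codes 0x01 (READ), 0x05 (DIRECT_OPERATE), 0x81 (RESPONSE) and 0x82 (UNSOLICITED_RESPONSE) are standard DNP3 values.

```python
"""Burst segmentation and whitelist checking for a DNP3-style packet stream.

Added illustration, not the paper's implementation. The burst criterion (a fixed
inter-arrival gap) and the burst profile (sequence of src/dst/function code) are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Standard DNP3 application-layer function codes used in the constructed traces.
READ = 0x01
DIRECT_OPERATE = 0x05
RESPONSE = 0x81
UNSOLICITED_RESPONSE = 0x82


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds
    src: str    # "M" = master (control center), "O" = outstation
    dst: str
    func: int   # DNP3 application-layer function code


Signature = Tuple[Tuple[str, str, int], ...]


def segment_bursts(packets: List[Packet], gap: float) -> List[List[Packet]]:
    """Split a time-ordered stream into bursts.

    A new burst starts whenever the inter-arrival time to the previous packet
    exceeds `gap` (assumption: a fixed threshold stands in for the paper's
    "shorter than packets before or after" criterion).
    """
    bursts: List[List[Packet]] = []
    current: List[Packet] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if current and pkt.ts - current[-1].ts > gap:
            bursts.append(current)
            current = []
        current.append(pkt)
    if current:
        bursts.append(current)
    return bursts


def burst_signature(burst: List[Packet]) -> Signature:
    """Profile one burst as its ordered (src, dst, function code) sequence.

    Under the abstract's observation that one application-level transaction maps
    to one burst, this tuple characterises the transaction the burst carries.
    """
    return tuple((p.src, p.dst, p.func) for p in burst)


def build_whitelist(training: List[Packet], gap: float) -> FrozenSet[Signature]:
    """Learn the set of burst profiles seen during a known-good training window."""
    return frozenset(burst_signature(b) for b in segment_bursts(training, gap))


def detect(packets: List[Packet], whitelist: FrozenSet[Signature],
           gap: float) -> List[Tuple[float, Signature]]:
    """Return (burst start time, signature) for every burst not in the whitelist."""
    alerts = []
    for burst in segment_bursts(packets, gap):
        sig = burst_signature(burst)
        if sig not in whitelist:
            alerts.append((burst[0].ts, sig))
    return alerts


def poll_cycle(t0: float) -> List[Packet]:
    """Constructed normal transaction: master READ, outstation RESPONSE 50 ms later."""
    return [Packet(t0, "M", "O", READ), Packet(t0 + 0.05, "O", "M", RESPONSE)]


# Constructed training trace: three periodic polls, 10 s apart.
TRAINING_PACKETS: List[Packet] = poll_cycle(0.0) + poll_cycle(10.0) + poll_cycle(20.0)

# Constructed test trace: normal polls plus two bursts that never occurred in training,
# a DIRECT_OPERATE transaction and a lone unsolicited response from the outstation.
TEST_PACKETS: List[Packet] = (
    poll_cycle(0.0)
    + poll_cycle(10.0)
    + [Packet(15.0, "M", "O", DIRECT_OPERATE), Packet(15.04, "O", "M", RESPONSE)]
    + poll_cycle(20.0)
    + [Packet(30.0, "O", "M", UNSOLICITED_RESPONSE)]
)

GAP_SECONDS = 1.0


def run_example() -> Dict[str, object]:
    """Train on TRAINING_PACKETS, scan TEST_PACKETS, and return the outcome."""
    whitelist = build_whitelist(TRAINING_PACKETS, GAP_SECONDS)
    alerts = detect(TEST_PACKETS, whitelist, GAP_SECONDS)
    return {
        "whitelist": whitelist,
        "burst_count": len(segment_bursts(TEST_PACKETS, GAP_SECONDS)),
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = run_example()
    print("learned profiles:", result["whitelist"])
    for ts, sig in result["alerts"]:
        print(f"burst at t={ts:.2f}s outside whitelist: {sig}")
```

The whitelist learned from the three polls contains a single profile, so in the test trace the READ/RESPONSE bursts pass and the two unfamiliar bursts are reported. In practice the gap threshold has to be chosen from the observed inter-arrival distribution of the specific utility's traffic, and the profile can be enriched with object headers or payload lengths without changing the structure shown here.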
