Towards Learning Normality for Anomaly Detection in Industrial Control Networks

Recent trends in automation technology are increasing the exposure of industrial control systems (ICS) to new vulnerabilities. This calls for the introduction of proper security approaches in this field. Access control is the prevalent measure in ICS. Especially in critical infrastructures, however, preventive security measures should be complemented by reactive ones, such as intrusion detection. Starting from the characteristics of automation networks, we outline the implications for a suitable application of intrusion detection in this field. On this basis, an approach for creating self-learning anomaly detection for ICS protocols is presented. In contrast to other approaches, it takes all network data into account: flow information, application data, and the packet order. We discuss the challenges that have to be solved in each step of the network data analysis in order to identify future research directions towards learning normality in industrial control networks.
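The abstract describes learning a model of "normal" from three kinds of evidence: flow information, application data, and packet order. The following added example (not code from the paper or its authors) illustrates that idea in miniature: a model learns, from constructed Modbus/TCP-like records, which flows exist, which function codes each flow uses, and which short sequences of function codes occur per flow, and then flags traffic that deviates on any of the three levels. The record format `(src, dst, dst_port, function_code)`, the sample addresses and the traffic sequences are assumptions made for the illustration; the paper's actual feature extraction and learning procedure are not reproduced here.

```python
"""Minimal whitelist-plus-n-gram model of 'normal' ICS traffic (illustrative, constructed data)."""
from collections import defaultdict

# Constructed training records: (src, dst, dst_port, function_code).
# Function codes follow the Modbus convention: 3 = read holding registers,
# 16 = write multiple registers. Addresses are made up for the example.
TRAINING = [
    ("10.0.0.10", "10.0.0.20", 502, 3),
    ("10.0.0.10", "10.0.0.20", 502, 3),
    ("10.0.0.10", "10.0.0.21", 502, 3),
    ("10.0.0.10", "10.0.0.20", 502, 16),
    ("10.0.0.10", "10.0.0.20", 502, 3),
    ("10.0.0.10", "10.0.0.21", 502, 3),
    ("10.0.0.10", "10.0.0.20", 502, 3),
    ("10.0.0.10", "10.0.0.20", 502, 16),
]

# Constructed test records containing one deviation per level: an unseen
# function-code order, an unknown flow, and an unknown function code on a known flow.
TEST = [
    ("10.0.0.10", "10.0.0.20", 502, 3),
    ("10.0.0.10", "10.0.0.20", 502, 16),
    ("10.0.0.10", "10.0.0.20", 502, 16),   # write twice in a row: never seen in training
    ("10.0.0.99", "10.0.0.20", 502, 3),    # source never seen in training
    ("10.0.0.10", "10.0.0.21", 502, 16),   # this flow was only ever read from
]


class NormalityModel:
    """Learns flows, per-flow application data and per-flow message order from benign traffic."""

    def __init__(self, order=2):
        self.order = order                 # length of the function-code n-grams
        self.flows = set()                 # known (src, dst, port) triples
        self.funcs = defaultdict(set)      # flow -> function codes observed on it
        self.ngrams = set()                # (flow, tuple of `order` function codes)
        self._history = defaultdict(list)  # per-flow sequence seen during learning

    def learn(self, records):
        """Extend the model with benign records (assumed to be attack-free)."""
        for src, dst, port, fc in records:
            flow = (src, dst, port)
            self.flows.add(flow)
            self.funcs[flow].add(fc)
            hist = self._history[flow]
            hist.append(fc)
            if len(hist) >= self.order:
                self.ngrams.add((flow, tuple(hist[-self.order:])))

    def check(self, records):
        """Return [(index, reason)] for records that deviate from the learned normality."""
        alerts = []
        history = defaultdict(list)
        for i, (src, dst, port, fc) in enumerate(records):
            flow = (src, dst, port)
            if flow not in self.flows:
                alerts.append((i, "unknown flow"))
                continue
            if fc not in self.funcs[flow]:
                alerts.append((i, "unknown function code"))
                continue
            hist = history[flow]
            hist.append(fc)
            if len(hist) >= self.order and (flow, tuple(hist[-self.order:])) not in self.ngrams:
                alerts.append((i, "unseen order"))
        return alerts


def run_example():
    """Train on the constructed benign traffic and check the constructed test traffic."""
    model = NormalityModel(order=2)
    model.learn(TRAINING)
    return model.check(TEST)


if __name__ == "__main__":
    for index, reason in run_example():
        print(f"record {index}: {reason} -> {TEST[index]}")
```

The three `reason` strings correspond to the three data levels the abstract names. A model this simple raises an alert for anything not seen during learning, so the quality of the training window decides the false-positive rate; that trade-off is exactly the kind of challenge the paper sets out to discuss.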
