SysDetect: A systematic approach to critical state determination for Industrial Intrusion Detection Systems using Apriori algorithm

Abstract In recent years, Industrial Intrusion Detection Systems (IIDSs) have been employed to improve the security of CPS. Among state-of-the-art IIDSs, state-based intrusion detection is a widely used approach. In such process-aware IIDSs, normal states are either extracted from historical process data or specified directly by control experts when historical data is unavailable or scarce. In the latter case, experts try to determine the critical states of the process. However, with a large number of I/O, investigating all process states to determine the critical ones is not practical. In this paper, the problem is resolved by proposing SysDetect (a Systematic approach to Critical State Determination), which employs a well-established iterative data mining algorithm, Apriori. SysDetect guarantees that all candidate critical states are generated at each iteration. In addition, by identifying the critical states at each iteration using experts’ opinions, the number of candidates generated in the next iteration is significantly reduced. As a result, SysDetect, in addition to providing a complete solution, guarantees that no redundant candidate is generated. Experimental results in a real setting indicate that SysDetect can be successfully applied to determine the critical states of industrial processes using experts’ opinions.
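As an added illustration (not the paper's code), the level-wise generate-and-review loop the abstract describes, in Python: candidate states of k I/O conditions are built Apriori-style from the non-critical states of the previous level, a stand-in expert oracle marks the critical ones, and those are not extended, so their supersets never appear as candidates. The process signals, the oracle's two rules and the superset-pruning rule are constructed assumptions for this example, not details taken from the paper.

```python
from itertools import combinations

# Constructed toy process: each condition is (signal, value); a process
# state is a frozenset of conditions that hold at the same time.
CONDITIONS = [
    ("pump", "on"), ("pump", "off"),
    ("valve", "open"), ("valve", "closed"),
    ("tank_level", "high"), ("tank_level", "low"),
]

def consistent(state):
    """A state may not assign two different values to one signal."""
    signals = [s for s, _ in state]
    return len(signals) == len(set(signals))

def expert_oracle(state):
    """Stand-in for a control expert reviewing one candidate (assumed rules):
    pumping against a closed valve, or pumping into an already high tank,
    is a critical state."""
    return ({("pump", "on"), ("valve", "closed")} <= state
            or {("pump", "on"), ("tank_level", "high")} <= state)

def sysdetect(conditions, oracle):
    """Apriori-style search over process states.
    Level k holds candidates of k conditions; the expert reviews each one.
    Critical candidates are recorded and never extended (assumption: any
    superset of a critical state is itself critical, hence redundant).
    Level k+1 is built by joining two surviving level-k states (Apriori
    join) and kept only if every k-subset survived level k (Apriori prune).
    Returns the critical states found and how many candidates the expert saw."""
    critical, reviewed = [], 0
    level, k = [frozenset([c]) for c in conditions], 1
    while level:
        survivors = []
        for state in level:
            reviewed += 1
            (critical if oracle(state) else survivors).append(state)
        survivor_set = set(survivors)
        nxt = set()
        for a, b in combinations(survivors, 2):
            cand = a | b
            if len(cand) == k + 1 and consistent(cand) and all(
                    frozenset(sub) in survivor_set for sub in combinations(cand, k)):
                nxt.add(cand)
        level, k = sorted(nxt, key=sorted), k + 1
    return critical, reviewed

if __name__ == "__main__":
    found, seen = sysdetect(CONDITIONS, expert_oracle)
    print(f"{len(found)} critical states found after reviewing {seen} candidates")
```

With these constructed rules the expert reviews 23 candidates instead of the 26 consistent states an exhaustive enumeration would present, because the three states containing an already-critical pair are never generated.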
