Anomaly detection via statistical learning in industrial communication networks

In this paper, we discuss a novel statistical learning algorithm that predicts normal flows of process data in a distributed control system, i.e., the process data evolutions that characterise the normal behaviour of a cyber-physical system such as a power plant. The algorithm's prediction capability makes it possible to determine whether the payload of a network packet that is about to be processed by a computing device in a distributed control system is normal or malicious: a packet under inspection is classified as normal if the process data evolution it has the potential to cause is predicted as normal by the algorithm, and as malicious otherwise. We also discuss a probabilistic validation of the algorithm. We construct stochastic activity networks with activity-marking oriented reward structures that model pertinent aspects of the normal operation of a cyber-physical system as a whole, as perceived by the algorithm. Solving these models with a tool such as Möbius indicates whether the algorithm's perception of normalcy is correct. We have implemented the algorithm in the MATLAB programming language, and thus also discuss practical testing and evaluation of the effectiveness of the algorithm in a testbed that resembles a power plant.
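The classification idea of the abstract, inspecting a payload by asking whether the process-data evolution it would cause is one the learned model predicts as normal, as an added illustration in Python. This is not the paper's MATLAB implementation, and the abstract does not detail the paper's learning algorithm; the normal-flow model here is an assumed first-order autoregression fitted by least squares on a constructed setpoint trace, the packet format is an assumed Modbus-style Write Single Register PDU, and the register address, threshold factor and sample values are constructed for the example.

```python
"""Added example (not the paper's algorithm or MATLAB code): classify a
control-network packet payload by whether the process-data evolution it
would cause matches a learned model of normal evolution.

Assumptions made for illustration:
- the packet is a Modbus-style Write Single Register PDU:
  function code 0x06, 16-bit register address, 16-bit value (big-endian);
- one process variable (a setpoint) lives at an assumed register address;
- the "normal flow" model is a first-order autoregression x[t+1] = a*x[t] + b
  fitted by least squares on a normal trace, with a k-sigma residual threshold.
"""
import math
import struct

FC_WRITE_SINGLE = 0x06   # Modbus function code: Write Single Register
REG_SETPOINT = 0x0010    # assumed address of the modelled process variable


def write_pdu(address, value):
    """Build a Write Single Register PDU (constructed packets for the demo)."""
    return struct.pack(">BHH", FC_WRITE_SINGLE, address, value)


def parse_write_single(payload):
    """Return (address, value) for a well-formed Write Single Register PDU, else None."""
    if len(payload) != 5 or payload[0] != FC_WRITE_SINGLE:
        return None
    address, value = struct.unpack(">HH", payload[1:])
    return address, value


class AR1Model:
    """Normal-flow model: x[t+1] ~ a * x[t] + b with residual std. dev. sigma."""

    def __init__(self, a, b, sigma):
        self.a, self.b, self.sigma = a, b, sigma

    @classmethod
    def fit(cls, trace):
        """Least-squares fit on consecutive pairs of a normal process-data trace."""
        xs, ys = trace[:-1], trace[1:]
        n = len(xs)
        mx, my = sum(xs) / n, sum(ys) / n
        sxx = sum((x - mx) ** 2 for x in xs)
        sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
        a = sxy / sxx
        b = my - a * mx
        resid = [y - (a * x + b) for x, y in zip(xs, ys)]
        sigma = math.sqrt(sum(r * r for r in resid) / (n - 2))
        return cls(a, b, sigma)

    def predict(self, x_now):
        return self.a * x_now + self.b

    def is_normal(self, x_now, x_next, k=3.0):
        """Is moving from x_now to x_next within k sigma of the predicted evolution?"""
        return abs(x_next - self.predict(x_now)) <= k * self.sigma


def classify_payload(model, payload, x_now, k=3.0):
    """'normal' if the value the packet would write is a predicted normal
    evolution of the current value x_now, 'anomalous' if not, and 'ignored'
    for PDUs that do not write the modelled register."""
    parsed = parse_write_single(payload)
    if parsed is None or parsed[0] != REG_SETPOINT:
        return "ignored"
    return "normal" if model.is_normal(x_now, parsed[1], k) else "anomalous"


def constructed_normal_trace(n_cycles=5, start=1000):
    """Constructed sample: a setpoint ramping up in roughly 10-unit steps."""
    steps = [10, 12, 8, 10, 9, 11]
    trace = [start]
    for _ in range(n_cycles):
        for d in steps:
            trace.append(trace[-1] + d)
    return trace


def demo():
    """Fit on the constructed trace and classify a few constructed packets."""
    trace = constructed_normal_trace()
    model = AR1Model.fit(trace)
    x_now = trace[-1]  # current value of the process variable (1300 here)
    packets = [
        ("next ramp step", write_pdu(REG_SETPOINT, x_now + 10)),
        ("abrupt jump", write_pdu(REG_SETPOINT, 1800)),
        ("write to another register", write_pdu(0x0020, 1800)),
        ("read request", b"\x03\x00\x10\x00\x01"),
    ]
    return [(label, classify_payload(model, pdu, x_now)) for label, pdu in packets]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label}: {verdict}")
```

The point the example makes is the one the abstract makes: the verdict on a packet is not a property of its bytes alone but of the process state the packet would produce, judged against what the model predicts the process should do next. In a deployment the current value `x_now` comes from the observed process state, and the model would have to cover every register a write can reach; a packet that touches an unmodelled register is reported here as "ignored" so that gap stays visible rather than being silently passed as normal.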
