Session Duration Based Feature Extraction for Network Intrusion Detection in Control System Networks

The use and deployment of Industrial Control Systems (ICS) have become standard across many industries, though the security of these important systems has not kept pace with their current Internet-focused deployment technologies. This technology gap has exposed an exploitable vector for would-be attackers, as ICS protocols do not have security mechanisms in place to handle Internet connectivity. This paper focuses on a critical component of a network-telemetry-based Intrusion Detection System (IDS) that can help eliminate this exploitable vector. This component is a method for extracting features using session-duration-based instantiation. After integrating this feature extraction method into the telemetry-based IDS, it is able to achieve 99.98% accuracy when distinguishing between an engineer and an attacker on the same network.
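As an added illustration of what session-duration feature extraction from network telemetry can look like (this is example code written for this page, not the paper's method or code; the abstract does not define the paper's exact features, so the session pairing rule, the per-source statistics and the log format below are assumptions), the following script takes constructed TCP session open/close events, computes each session's duration and summarises per-source duration statistics that a detector could consume. The constructed sample contrasts a host holding two long Modbus (TCP/502) sessions with a host that opens several sub-second sessions across ports.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: one line per TCP session event,
# "timestamp src dst dport event". Not captured from any real network.
SAMPLE_LOG = """\
1000.000 10.0.0.5 10.0.1.20 502 open
1000.010 10.0.0.99 10.0.1.20 502 open
1000.060 10.0.0.99 10.0.1.20 502 close
1000.100 10.0.0.99 10.0.1.20 22 open
1000.170 10.0.0.99 10.0.1.20 22 close
1000.200 10.0.0.99 10.0.1.21 502 open
1000.240 10.0.0.99 10.0.1.21 502 close
1600.000 10.0.0.5 10.0.1.20 502 close
1700.000 10.0.0.5 10.0.1.21 502 open
2600.000 10.0.0.5 10.0.1.21 502 close
"""


def parse_events(text):
    """Parse the assumed 'ts src dst dport event' format into sorted tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, event = line.split()
        events.append((float(ts), src, dst, int(dport), event))
    events.sort(key=lambda e: e[0])
    return events


def session_durations(events):
    """Pair each 'open' with the next 'close' on the same (src, dst, dport)
    tuple (assumed session identity). Returns {src: [duration_seconds, ...]}.
    Sessions never closed in the window are dropped rather than guessed."""
    open_at = {}
    durations = defaultdict(list)
    for ts, src, dst, dport, event in events:
        key = (src, dst, dport)
        if event == "open":
            open_at[key] = ts
        elif event == "close" and key in open_at:
            durations[src].append(round(ts - open_at.pop(key), 3))
    return dict(durations)


def duration_features(durations):
    """Per-source feature vector built only from session durations
    (assumed feature set: count, mean, min, max, population std dev,
    and the fraction of sessions shorter than one second)."""
    feats = {}
    for src, d in durations.items():
        feats[src] = {
            "sessions": len(d),
            "mean_s": round(mean(d), 3),
            "min_s": min(d),
            "max_s": max(d),
            "std_s": round(pstdev(d), 3),
            "short_ratio": round(sum(1 for x in d if x < 1.0) / len(d), 3),
        }
    return feats


def extract(text):
    """End-to-end: raw event text -> {src: feature dict}."""
    return duration_features(session_durations(parse_events(text)))


if __name__ == "__main__":
    for src, f in extract(SAMPLE_LOG).items():
        print(src, f)
```

The feature dictionaries are the input a classifier would be trained on; the point of a duration-based view is that the two hosts, which are indistinguishable by destination port alone, separate cleanly on session count and mean duration.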
