Efficient Modelling of ICS Communication For Anomaly Detection Using Probabilistic Automata

Result code in IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26230%2F21%3APU138882" target="_blank" >RIV/00216305:26230/21:PU138882 - isvavai.cz</a>

Result on the web

<a href="http://dl.ifip.org/db/conf/im/im2021/210993.pdf" target="_blank" >http://dl.ifip.org/db/conf/im/im2021/210993.pdf</a>

DOI - Digital Object Identifier

—

Result language

angličtina

Original language name

Efficient Modelling of ICS Communication For Anomaly Detection Using Probabilistic Automata

Original language description

Industrial Control System (ICS) communication transmits monitoring and control data between industrial processes and the control station. ICS systems cover various domains of critical infrastructure such as the power plants, water and gas distribution, or aerospace traffic control. Security of ICS systems is usually implemented on the perimeter of the network using ICS enabled firewalls or Intrusion Detection Systems (IDSs). These techniques are helpful against external attacks, however, they are not able to effectively detect internal threats originating from a compromised device with malicious software. In order to mitigate or eliminate internal threats against the ICS system, we need to monitor ICS traffic and detect suspicious data transmissions that differ from common operational communication. In our research, we obtain ICS monitoring data using standardized IPFIX flows extended with meta data extracted from ICS protocol headers. Unlike other anomaly detection approaches, we focus on modelling the semantics of ICS communication obtained from the IPFIX flows that describes typical conversational patterns. This paper presents a technique for modelling ICS conversations using frequency prefix trees and Deterministic Probabilistic Automata (DPA). As demonstrated on the attack scenarios, these models are efficient to detect common cyber attacks like the command injection, packet manipulation, network scanning, or lost connection. An important advantage of our approach is that the proposed technique can be easily integrated into common security information and event management (SIEM) systems with Netflow/IPFIX support. Our experiments are performed on IEC 60870-5-104 (aka IEC 104) control communication that is widely used for the substation control in smart grids.

Czech name

—

Czech description

—

Type

D - Article in proceedings

CEP classification

—

OECD FORD branch

20206 - Computer hardware and architecture

Project

Result was created during the realization of more than one project. More information in the Projects tab.

Continuities

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Publication year

2021

Confidentiality

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Article name in the collection

Proceedings of IFIP/IEEE International Symposium on Integrated Network Management

ISBN

978-3-903176-32-4

ISSN

—

e-ISSN

—

Number of pages

9

Pages from-to

81-89

Publisher name

International Federation for Information Processing

Place of publication

Bordeaux

Event location

Bordeaux, France

Event date

May 17, 2021

Type of event by nationality

WRD - Celosvětová akce

UT code for WoS article

000696801700010