Anomaly Detection of ICS Communication Using Statistical Models

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26230%2F21%3APU142909" target="_blank" >RIV/00216305:26230/21:PU142909 - isvavai.cz</a>

Výsledek na webu

<a href="https://ieeexplore.ieee.org/abstract/document/9615510" target="_blank" >https://ieeexplore.ieee.org/abstract/document/9615510</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.23919/CNSM52442.2021.9615510" target="_blank" >10.23919/CNSM52442.2021.9615510</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Anomaly Detection of ICS Communication Using Statistical Models

Popis výsledku v původním jazyce

Industrial Control System (ICS) transmits control and monitoring data between devices in an industrial environment that includes smart grids, water and gas distribution, or traffic control. Unlike traditional internet communication, ICS traffic is stable, periodical, and with regular communication patterns that can be described using statistical modeling. By observing selected features of ICS transmission, e.g., packet direction and inter-arrival times, we can create a statistical profile of the communication based on distribution of features learned from the normal ICS traffic. This paper demonstrates that using statistical modeling, we can detect various anomalies caused by irregular transmissions, device or link failures, and also cyber attacks like packet injection, scanning, or denial of service (DoS). The paper shows how a statistical model is automatically created from a training dataset. We present two types of statistical profiles: the master-oriented profile for one-to-many communication and the peer-to-peer profile that describes traffic between two ICS devices. The proposed approach is fast and easy to implement as a part of an intrusion detection system (IDS) or an anomaly detection (AD) module. The proof-of-concept is demonstrated on two industrial protocols: IEC 60870-5-104 (aka IEC 104) and IEC 61850 (Goose).

Název v anglickém jazyce

Anomaly Detection of ICS Communication Using Statistical Models

Popis výsledku anglicky

Industrial Control System (ICS) transmits control and monitoring data between devices in an industrial environment that includes smart grids, water and gas distribution, or traffic control. Unlike traditional internet communication, ICS traffic is stable, periodical, and with regular communication patterns that can be described using statistical modeling. By observing selected features of ICS transmission, e.g., packet direction and inter-arrival times, we can create a statistical profile of the communication based on distribution of features learned from the normal ICS traffic. This paper demonstrates that using statistical modeling, we can detect various anomalies caused by irregular transmissions, device or link failures, and also cyber attacks like packet injection, scanning, or denial of service (DoS). The paper shows how a statistical model is automatically created from a training dataset. We present two types of statistical profiles: the master-oriented profile for one-to-many communication and the peer-to-peer profile that describes traffic between two ICS devices. The proposed approach is fast and easy to implement as a part of an intrusion detection system (IDS) or an anomaly detection (AD) module. The proof-of-concept is demonstrated on two industrial protocols: IEC 60870-5-104 (aka IEC 104) and IEC 61850 (Goose).

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

20206 - Computer hardware and architecture

Projekt

<a href="/cs/project/VI20192022138" target="_blank" >VI20192022138: Bezpečnostní monitorování řídicí komunikace ICS v energetických sítích (BONNET)</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2021

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

Proceedings of the 17th International Conference on Network Service Management (CNSM 2021)

ISBN

978-3-903176-36-2

ISSN

—

e-ISSN

—

Počet stran výsledku

7

Strana od-do

166-172

Název nakladatele

Institute of Electrical and Electronics Engineers

Místo vydání

Izmir

Místo konání akce

Izmir

Datum konání akce

25. 10. 2021

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

000836226700025