An HMM-Based Anomaly Detection Approach for SCADA Systems
1 Industrial Systems Institute/RC ‘Athena’, Patras, Greece
2 SBA Research, Vienna, Austria
Abstract. We describe the architecture of an anomaly detection system based on the Hidden Markov Model (HMM) for intrusion detection in Industrial Control Systems (ICS) and especially in SCADA systems interconnected using TCP/IP. The proposed system exploits the unique characteristics of ICS networks and protocols to efficiently detect multiple attack vectors. We evaluate the detection accuracy of the proposed system using, as reference, datasets made available by other researchers. These datasets refer to real industrial networks and contain a variety of identified attack vectors. We benchmark our findings against a large set of machine learning algorithms and demonstrate that our proposal exhibits superior performance characteristics.
© IFIP International Federation for Information Processing 2016. Published by Springer International Publishing Switzerland 2016. All Rights Reserved. K. Stefanidis and A.G. Voyiatzis, in S. Foresti and J. Lopez (Eds.): WISTP 2016, LNCS 9895, pp. 85–99, 2016. DOI: 10.1007/978-3-319-45931-8_6

1 Introduction

The continuous interconnection of Industrial Control Systems (ICS) to public and corporate networks exposes them to the common Information Technology (IT) vulnerabilities and attacks. The security mechanisms that are traditionally used in the ICS environment cover the basic needs for authentication, authorization and (sometimes) communication confidentiality. However, they leave the Operations Technology (OT) networks open to more elaborate IT-based network attacks. The rise of security incidents involving malicious network activity in critical infrastructures drives the need for intrusion detection technologies and mechanisms to be adapted for the OT environment. Several methodologies have been proposed recently that attempt to solve the problem of designing an efficient Network Intrusion Detection System (NIDS) specifically for the integrated IT–OT environment [21]. Many approaches have been proposed in the literature, especially ones using anomaly detection techniques. These approaches use a combination of known machine learning algorithms to determine the normal behavior of the network and detect any abnormal network traffic. The unique characteristics of network traffic in OT environments, including stable connectivity, periodicity in traffic patterns and the use of standard application-level protocols, are discussed in [5]. These characteristics render network-based anomaly detection a useful approach. The main issue discussed in the literature for NIDS is the need to correlate a large enough amount of traffic (i.e., network packets) before deciding on the abnormality of the sampled traffic. To support real-time detection of abnormal traffic, it is interesting to explore the efficiency of an approach that relies only on individual packets. In this direction, the use of Hidden Markov Model (HMM) approaches is limited within the literature. This despi
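To show how the periodicity of ICS polling traffic lets an HMM score individual packets without first correlating a window of traffic, here is a small added example (not the paper's system or code). It assumes that the hidden state is the position in a fixed polling cycle, uses constructed Modbus-style function names as the observation alphabet, and flags a packet when its predictive probability under the forward recursion falls below a threshold.

```python
# Constructed normal polling cycle of a SCADA master against one PLC, as
# Modbus-style function names. Assumption: the hidden state is the position in
# a fixed polling cycle, which is how ICS traffic periodicity becomes HMM
# structure. This is an illustration, not the paper's architecture.
NORMAL_CYCLE = ["read_coils", "read_holding", "write_single", "read_holding"]
UNSEEN = 1e-4  # emission floor for a symbol never seen during training

def train_hmm(trace, n_states, alpha=0.1):
    """Estimate transition/emission tables from a normal trace, treating packet
    i as emitted by state i mod n_states; smoothing keeps all entries > 0."""
    symbols = sorted(set(trace))
    trans = [[alpha] * n_states for _ in range(n_states)]
    emit = [{s: alpha for s in symbols} for _ in range(n_states)]
    for i, obs in enumerate(trace):
        state = i % n_states
        emit[state][obs] += 1.0
        trans[state][(i + 1) % n_states] += 1.0
    trans = [[c / sum(row) for c in row] for row in trans]
    emit = [{s: c / sum(row.values()) for s, c in row.items()} for row in emit]
    return trans, emit

def score_packets(trace, trans, emit, min_prob):
    """Forward recursion one packet at a time (no windowing). Returns
    (index, symbol, P(o_t | o_1..o_t-1)) for each packet below min_prob."""
    n = len(trans)
    belief = [1.0 / n] * n  # uniform prior over cycle positions
    flagged = []
    for t, obs in enumerate(trace):
        predicted = [sum(belief[i] * trans[i][j] for i in range(n)) for j in range(n)]
        joint = [predicted[j] * emit[j].get(obs, UNSEEN) for j in range(n)]
        p_obs = sum(joint)
        if p_obs < min_prob:
            flagged.append((t, obs, p_obs))
        belief = [x / p_obs for x in joint]  # posterior over cycle positions
    return flagged

def demo(min_prob=0.05):
    """Train on clean cycles, then score a constructed trace in which packet 8
    is replaced by an out-of-cycle write and packet 18 by an unknown code."""
    trans, emit = train_hmm(NORMAL_CYCLE * 50, len(NORMAL_CYCLE))
    test = (NORMAL_CYCLE * 2 + ["write_single", "read_holding", "write_single", "read_holding"]
            + NORMAL_CYCLE + ["read_coils", "read_holding", "diag_restart", "read_holding"]
            + NORMAL_CYCLE)
    return score_packets(test, trans, emit, min_prob)

if __name__ == "__main__":
    for t, obs, p in demo():
        print(f"packet {t}: {obs} flagged (P={p:.1e})")
```

A substituted packet is caught on its own, and because the cycle length is preserved the belief re-synchronises within a packet or two; an inserted extra packet would instead shift the cycle and produce a second alert on the following packet, which is the failure mode a deployment must account for.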