Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems

Author:

Amit Kleinmann (1), Avishai Wool (1)

Affiliation:

1. Tel Aviv University, Ramat-Aviv Tel-Aviv, Israel

Abstract

Industrial Control System (ICS) traffic between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed ICS streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA and a high false-alarm rate. In this article, we introduce a new modeling approach that addresses this gap. Our Statechart DFA model consists of multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends each to its respective DFA. We demonstrate how to automatically construct the statechart from a captured traffic stream. Our unsupervised learning algorithms first build a Discrete-Time Markov Chain (DTMC) from the stream. Next, we split the symbols into sets, one per multiplexed cycle, based on symbol frequencies and node degrees in the DTMC graph. Then, we create a sub-graph for each cycle and extract an Euler cycle from each sub-graph. The final statechart consists of one DFA per Euler cycle. The algorithms allow for non-unique symbols, which appear in more than one cycle, and also for symbols that appear more than once in a cycle. We evaluated our solution on traces from a production ICS using the Siemens S7-0x72 protocol. We also stress-tested our algorithms on a collection of synthetically generated traces that simulated multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The algorithms were able to split the symbols into sets with 99.6% accuracy. The resulting statechart modeled the traces with a median false-alarm rate as low as 0.483%. In all but the most extreme scenarios, the Statechart model drastically reduced both the false-alarm rate and the learned model size in comparison with the naive single-DFA model.
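The construction sketched in the abstract, as an added, deliberately simplified Python example that is not the authors' code: two constructed cycles are multiplexed on separate clocks, symbols are split into sets by frequency alone (the paper also uses DTMC node degrees, and handles non-unique symbols, which this sketch does not), each set's transition sub-graph is reduced to an Euler cycle with Hierholzer's algorithm, and a DFA-selector routes a stream to one DFA per cycle and counts alarms. The symbol names, periods, offsets and the `multiplex` helper are constructed stand-ins for a real S7 capture.

```python
from collections import Counter, defaultdict

def multiplex(cycles, horizon):
    # Constructed stand-in for a capture: each (symbols, period, offset) cycle
    # runs on its own clock; the time-ordered merge is the multiplexed stream.
    events = [(t, syms[i % len(syms)]) for syms, period, offset in cycles
              for i, t in enumerate(range(offset, horizon, period))]
    return [sym for _, sym in sorted(events)]

def euler_cycle(edges, start):
    # Hierholzer's algorithm: traverse each edge of the sub-graph exactly once.
    adj = defaultdict(list)
    for u, v in edges:
        adj[u].append(v)
    stack, path = [start], []
    while stack:
        if adj[stack[-1]]:
            stack.append(adj[stack[-1]].pop())
        else:
            path.append(stack.pop())
    return path[::-1][:-1]  # drop the repeated closing vertex

class CycleDFA:
    # One DFA per cycle: the next symbol must be the cycle's next symbol.
    def __init__(self, cycle):
        self.cycle, self.pos = cycle, None
    def step(self, sym):
        ok = self.pos is None or self.cycle[self.pos] == sym
        if not ok or self.pos is None:  # first symbol, or anomaly: resync on sym
            self.pos = self.cycle.index(sym)
        self.pos = (self.pos + 1) % len(self.cycle)
        return ok

def learn_statechart(stream):
    # Group symbols into per-cycle sets by frequency only (a simplification of
    # the paper's frequency-plus-node-degree rule), then reduce each set's
    # transition sub-graph to an Euler cycle, i.e. one DFA per cycle.
    by_freq = defaultdict(set)
    for sym, n in Counter(stream).items():
        by_freq[n].add(sym)
    cycles = []
    for symbols in by_freq.values():
        sub = [s for s in stream if s in symbols]  # de-multiplexed sub-channel
        cycles.append(euler_cycle(set(zip(sub, sub[1:])), sub[0]))
    return cycles

def check(cycles, stream):
    # DFA-selector: route each symbol to the DFA that owns it; count alarms.
    dfas = [CycleDFA(c) for c in cycles]
    selector = {s: d for d in dfas for s in d.cycle}
    return sum(1 for s in stream if s not in selector or not selector[s].step(s))

# Constructed trace: a 3-symbol cycle every 10 ticks, a 2-symbol cycle every 20.
TRAIN = multiplex([(["a1", "a2", "a3"], 10, 0), (["b1", "b2"], 20, 5)], 120)
```

Replaying the training trace through the learned statechart yields no alarms, while an out-of-order or unknown symbol raises one; a single DFA learned over the same multiplexed stream would instead need every interleaving it happened to see as a separate transition.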

Funder

10th International Conference on Critical Information Infrastructures Security

Interdisciplinary Cyber Research Center at TAU

Israeli Ministry of Science and Technology

Publisher

Association for Computing Machinery (ACM)

Subject

Artificial Intelligence, Theoretical Computer Science

References (33 articles)

1. Distributed Detection of Single-Stage Multipoint Cyber Attacks in a Water Treatment Plant

2. Afcon Technologies. 2015. PULSE HMI Software. Retrieved from http://www.afcon.co.il/product/pulse.

3. Context-Awareness Using Anomaly-Based Detectors for Smart Grid Domains

4. A. Atassi, I. H. Elhajj, A. Chehab, and A. Kayssi. 2014. Chapter 9: Intrusion Detection for SCADA Systems. In The State of the Art in Intrusion Prevention and Detection. Auerbach Publications, 211--230. 10.1201/b16390-12

5. Detection, correlation, and visualization of attacks against critical infrastructure systems

Cited by 26 articles.
