Anomaly Detection for SCADA System Security Based on Unsupervised Learning and Function Codes Analysis in the DNP3 Protocol

Abstract

An Intrusion Detection System (IDS) is a tool used primarily for security monitoring, which is one of the security strategies for Supervisory Control and Data Acquisition (SCADA) systems. Distributed Network Protocol version 3 (DNP3) is the predominant SCADA protocol in the energy sector. In this paper, we have developed an effective and flexible IDS for DNP3 networks, observing that most critical operations in DNP3 systems are utilized based on the function codes in DNP3 application messages, and that exploitation of those function codes enables attackers to manipulate the system operation. Our proposed anomaly-detection method deals with possible attacks that can bypass any rule-based deep packet inspection once attackers take over servers in the system. First, we generated datasets that reflected DNP3 traffic characteristics observed in real-world power grid substations for a reasonably long time. Next, we extracted input features that consisted of the occurrences of function codes per TCP connection, along with TCP characteristics. We then used an unsupervised deep learning model (Autoencoder) to learn the normal behavior of DNP3 traffic based on function code patterns. We called our approach FC-AE-IDS (Function Code Autoencoder IDS). The evaluation of the proposed method was carried out on three different datasets, to prove its accuracy and effectiveness. To evaluate the effectiveness of our proposed method, we performed various experiments that resulted in more than 95% detection accuracy for all considered attack scenarios that are mentioned in this study. We compared our approach to an IDS that is based on traditional features, to show the effectiveness of our approach.