POSTER: Expanding a Programmable CPS Testbed for Network Attack Analysis

Choi, Seungoh; Yun, Jeong-Han; Min, Byung-Gil; Kim, HyoungChun

doi:10.1145/3320269.3405447

Cited by 7 publications

(6 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The dataset comes from the HAI testbed [27], which implements real control systems used for critical infrastructure. The testbed includes a physical attack tool, network attack tool, and network aggregator to collect events [28,29]. As shown in Figure 5, the testbed contains three systems: a boiler process, a turbine process, and a water treatment process.…”

Section: Datasetmentioning

confidence: 99%

Frequency-Based Representation of Massive Alerts and Combination of Indicators by Heterogeneous Intrusion Detection Systems for Anomaly Detection

Park

Choi

2022

Sensors

View full text Add to dashboard Cite

Although the application of a wide range of sensors has been generalized through the development of technology, the processing of massive alerts generated through data analysis and monitoring remains a challenge. This problem is also found in cyber security because the intrusion detection system (IDS) produces a tremendous number of alerts. Massive alerts not only significantly increase resources for analysis, but also make it difficult to analyze the overall situation of the system. In order to handle massive alerts, we propose using an indicator as a frequency-based representation. The proposed indicator is generated from categorical parameters of alerts that occur within a unit time utilizing frequency and is used for situational awareness with machine learning to detect whether there is a threat or not. The advantage of using indicators is that they can determine the situation for a period without analyzing individual alerts, which helps security experts to recognize the situation in the system and focus on targets that require in-depth analysis. In addition, the conversion from the categorical parameters which is highly related to analysis to numeric parameter allows for applying machine learning. For performance evaluation, we collect data from an HAI testbed similar to real critical infrastructure and conduct experiments using indicators and XGBoost, a classification machine learning algorithm against five famous vulnerability attacks. Consequently, we show that the proposed method can detect attacks with more than 90 percent accuracy, and the performance is enhanced using heterogeneous intrusion detection systems.

show abstract

Section: Datasetmentioning

confidence: 99%

Frequency-Based Representation of Massive Alerts and Combination of Indicators by Heterogeneous Intrusion Detection Systems for Anomaly Detection

Park

Choi

2022

Sensors

View full text Add to dashboard Cite

show abstract

“…Paper E differentiates itself in its sole focus on increasing the realism of virtual testbeds with the deployment of BOTs that mimic the behaviour of human operators and attackers. The most relevant study is HAI testbed by Shin et al [130] and the following works [37,129] that propose a programmable testbed. The programmable testbed automates the HMI tasks and attacks, and generates several datasets with attacks.…”

Section: Traffic Generationmentioning

confidence: 99%

Network-based Anomaly Detection for SCADA Systems : Traffic Generation and Modeling

Lin

2022

Linköping Studies in Science and Technology. Dissertations

View full text Add to dashboard Cite

Supervisory Control and Data Acquisition (SCADA) systems control and monitor critical infrastructure in society, such as electricity transmission and distribution systems. Modern SCADA systems are increasingly adopting open standards and being connected to the Internet to enable remote control. A boost in sophisticated attacks against SCADA systems makes SCADA security a pressing issue. An Intrusion Detection System (IDS) is a security countermeasure that monitors a network and tracks unauthenticated activities inside the network. Most commercial IDSs used in general IT systems are signature-based, by which an IDS compares the system behaviors with known attack patterns. Unfortunately, recent attacks against SCADA systems exploit zero-day vulnerabilities which are undetectable by signature-based IDSs.This thesis aims to enhance SCADA system monitoring by network-based anomaly detection that models normal behaviors and finds deviations from the model. With network-based anomaly detection, zero-day attacks are possible to detect. There are two main challenges for network-based anomaly detection. The first challenge is the potentially large number of false positives coming from benign traffic that just deviates from the trained model due to the noises. To address this challenge, this thesis proposes several traffic modeling approaches based on statistics and machine learning techniques for the regular communication patterns in SCADA traffic. The second challenge is the lack of open datasets to evaluate the proposed approaches. Consequently, this thesis proposes a traffic generation framework.Thanks to Jonas Almroth, Erik Westring, and Peter Andersson in FOI and other industrial partners for helping with data collection and providing another point of view. Thanks the Swedish Civil Contingencies Agency (MSB) for financing the studies in this thesis within the Resilient Control and Information Systems (www.rics.se) project. I'm also grateful to all the PhD students, external experts, and professors that I have met within RICS project and SWITS association for the inspiring discussions and comments.Special thanks to all the administrative personnel. Thanks to Anne Moe for her compassionate support and assistance from onboarding to completion of thesis defense. I would also like to express my gratitude to former and current administrative members in the division, Eva Pelayo Danils, Åsa Kärrman, Lene Rosell, for their contributions to an efficient working environment for all of us in RTSLab and IDA.I would like to thank all the former and current members of RTSLab for contributing to an enjoyable and inspiring working environment. I appreciate their valuable input to my research and presentations during the RTS meetings or fikas. Thanks to my lunch companions for providing relaxing breaks that are full of fun and useful life experiences.Finally, I would like to express special thanks to my family and friends for encouragement and support in the past years. I would not have been able to get through the tough times without ...

show abstract

“…HAI Tesbted (HIL-based Augmented ICS) [91], [138] is an extensive and expensive interconnection of three independent real ICSs coordinated by a real-time Hardware-in-The-Loop (HIL) developed at The Affiliated Institute of ETRI, Republic of Korea. Emerson's boiler control system, GE's turbine control system, and FESTO's water treatment control system are built-in small-sized by employing components used in industrial environments.…”

Section: Physical Testbedmentioning

confidence: 99%

“…In [91] the authors present various physical attacks targeting the pump and the pressure of the boiler system. An expansion of the testbed [138] was built to make it possible to launch also network attacks using tools like Nessus or Acunetix.…”

Section: Physical Testbedmentioning

confidence: 99%

“…HAI Dataset (HIL-based Augmented ICS) [138], [139], [222] is a collection of physical data from three physical control systems (a GE's turbine, Emerson's boiler, and a FESTO's water treatment systems) combined through the dSPACE HIL simulator [91]. Data were sampled every second in 59 points representing the variables measured or controlled by the control system.…”

Section: Evaluation Metricsmentioning

confidence: 99%

See 1 more Smart Citation

A Survey on Industrial Control System Testbeds and Datasets for Security Research

Conti,

Donadel,

Turrin

2021

Preprint

View full text Add to dashboard Cite

The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damages. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, Academia, Industry, and Government are increasingly proposing testbed (i.e., scaled-down versions of ICSs or simulations) to test the performances of the IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-bydesign concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community.In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in state of the art for this field. Finally, driven by knowledge accumulated during this survey's development, we report advice and good practices on the development, the choice, and the utilization of testbeds, datasets, and IDSs.

show abstract

POSTER: Expanding a Programmable CPS Testbed for Network Attack Analysis

Cited by 7 publications

References 3 publications

Frequency-Based Representation of Massive Alerts and Combination of Indicators by Heterogeneous Intrusion Detection Systems for Anomaly Detection

Frequency-Based Representation of Massive Alerts and Combination of Indicators by Heterogeneous Intrusion Detection Systems for Anomaly Detection

Network-based Anomaly Detection for SCADA Systems : Traffic Generation and Modeling

A Survey on Industrial Control System Testbeds and Datasets for Security Research

Contact Info

Product

Resources

About