Sequence-aware Intrusion Detection in Industrial Control Systems

Caselli, Marco; Zambon, Emmanuele; Kargl, Frank

doi:10.1145/2732198.2732200

Cited by 132 publications

(102 citation statements)

References 18 publications

Supporting

Mentioning

102

Contrasting

Order By: Relevance

“…A summary of the related work is listed in Table 1. There are reviews addressing the chal- Scientific Work Reviews [19,27] Graph-based methods [2,12,13,36,37,41,42] Graph-based and time-sensitive methods [1,45] Machine learning-based [6,14,32] Statistical processes [33,44,48,50] Wavelet analysis [25,31,35] Industrial Intrusion Detection [3,15,18,20,23,28,34,38,39,46] lenge of anomaly detection for intrusion detection. García-Teodoro et al address the challenges of this field of work while presenting techniques and systems [19].…”

Section: Related Workmentioning

confidence: 99%

“…Legacy systems without inherent security mechanisms have to be addressed [15,18,34], critical states that can have severe effects on the physical world need to be prevented [28] and deterministic behaviour of processes can be leveraged to detect anomalies [23]. Sequences are relatively unifom in industrial applications, this characteristic can be incorporated into an IDS [3]. Tsang and Kwong present an industrial IDS based on the ant colony clustering approach [46].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Using Temporal and Topological Features for Intrusion Detection in Operational Networks

Antón¹,

Fraunholz²,

Schotten³

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Until two decades ago, industrial networks were deemed secure due to physical separation from public networks. An abundance of successful attacks proved that assumption wrong. Intrusion detection solutions for industrial application need to meet certain requirements that differ from home-and office-environments, such as working without feedback to the process and compatibility with legacy systems. Industrial systems are commonly used for several decades, updates are often difficult and expensive. Furthermore, most industrial protocols do not have inherent authentication or encryption mechanisms, allowing for easy lateral movement of an intruder once the perimeter is breached. In this work, an algorithm for motif discovery in time series, Matrix Profiles, is used to detect outliers in the timing behaviour of an industrial process. This process was monitored in an experimental environment, containing ground truth labels after attacks were performed. Furthermore, the graph representations of a different industrial data set that has been emulated are used to detect malicious activities. These activities can be derived from anomalous communication patterns, represented as edges in the graph. Finally, an integration concept for both methods is proposed.• Security and privacy → Intrusion detection systems; Network security; • Theory of computation → Design and analysis of algorithms; • Applied computing → Enterprise architectures.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Using Temporal and Topological Features for Intrusion Detection in Operational Networks

Antón¹,

Fraunholz²,

Schotten³

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…Alg. 1 l. [1][2][3][4][5][6][7][8][9][10][11][12][13][14], processing its events. S2 extracts the attributes of an event and stores them in variable 'State DT M C ' (c.f.…”

Section: Representing Traffic Sequences As Dtmcsmentioning

confidence: 99%

“…We use the same algorithm and thresholds as explained in [12]. The thresholds for both a state violation and transition violation equal 0.1.…”

Section: Detectionmentioning

confidence: 99%

Intrusion Detection for Sequence-Based Attacks with Reduced Traffic Models

Ferling

Chromik

Caselli

et al. 2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Securing control networks (e.g. for power and gas distribution) requires dedicated approaches. Sequence-aware intrusion detection models the network traffic under normal operation to identify malicious behavior. Unfortunately, such models are often large and difficult to handle. This paper proposes a method that generates smaller traffic models and discusses the accuracy of those reduced models in the context of a real control infrastructure employing the IEC 60870-5-104 protocol.

show abstract

“…This approach has been tested against three real critical infrastructure facilities over two weeks of normal operations. Part of this chapter has appeared in a refereed conference publication [3] and in a refereed workshop publication [2].…”

Section: Thesis Overview and Contributionsmentioning

confidence: 99%

Intrusion detection in networked control systems : from system knowledge to network security

Caselli¹

Self Cite

View full text Add to dashboard Cite

Sequence-aware Intrusion Detection in Industrial Control Systems

Cited by 132 publications

References 18 publications

Using Temporal and Topological Features for Intrusion Detection in Operational Networks

Using Temporal and Topological Features for Intrusion Detection in Operational Networks

Intrusion Detection for Sequence-Based Attacks with Reduced Traffic Models

Intrusion detection in networked control systems : from system knowledge to network security

Contact Info

Product

Resources

About