Structured whitelist generation in SCADA network using PrefixSpan algorithm

Jung, Wanyeong; Yun, Jeong-Han; Kim, Sinkyu; Shim, Kyuseok; Kim, Myung-Sup

doi:10.1109/apnoms.2017.8094163

Cited by 4 publications

(5 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Due to the increasing number of external threats, firewalls have recently tended to adopt the allowlist type of rule descriptions, in which only the allow actions are listed and the default is denied. Therefore, in the real-world packet filtering, more emphasis is being placed on reordering methods for allowlist ROROs [10], [11]. In this paper, we show that the computational complexity of RORO for allowlist is NP-hard by reducing from EXACT COVER BY 3-SETS which is known as NP-hard.…”

Section: Introductionmentioning

confidence: 93%

Computational Complexity of Allow Rule Ordering and Its Greedy Algorithm

Fuchino

Harada

TANAKA

et al. 2023

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

Packet classification is used to determine the behavior of incoming packets in network devices according to defined rules. As it is achieved using a linear search on a classification rule list, a large number of rules will lead to longer communication latency. To solve this, the problem of finding the order of rules minimizing the latency has been studied. Misherghi et al. and Harada et al. have proposed a problem that relaxes to policy-based constraints. In this paper, we show that the Relaxed Optimal Rule Ordering(RORO) for the allowlist is NP-hard, and by reducing from this we show that RORO for the general rule list is NP-hard. We also propose a heuristic algorithm based on the greedy method for an allowlist. Furthermore, we demonstrate the effectiveness of our method using ClassBench, which is a benchmark for packet classification algorithms.

show abstract

Section: Introductionmentioning

confidence: 93%

Computational Complexity of Allow Rule Ordering and Its Greedy Algorithm

Fuchino

Harada

TANAKA

et al. 2023

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

show abstract

“…The related studies were organized based on the header field feature and the payload field feature. Anomaly detection methods based on static-rule-based [14][15][16][17][18] and modeling-based [19][20][21][22][23][24] learning of header field features have been proposed in various studies. The staticrule-based studies are similar to firewall rule generation studies in the IT network environment.…”

Section: Related Workmentioning

confidence: 99%

“…Wong [15] proposed a signature-based IDS for the EtherNet/IP protocol and integrated it into Suricata, an open-source IDS tool. Yun [16] proposed a whitelist generation method for traffic patterns based on the header information of a packet using each command. Nivethan [17] and Li [18] focused on detailed protocol fields for firewall rule generation.…”

Section: Related Workmentioning

confidence: 99%

Unknown Payload Anomaly Detection Based on Format and Field Semantics Inference in Cyber-Physical Infrastructure Systems

Kim

et al. 2021

IEEE Access

View full text Add to dashboard Cite

A cyber-physical infrastructure system (CPIS) is a system that controls and manages critical infrastructure such as smart manufacturing, water treatment facilities, power generation, and distribution facilities. Although these CPISs focus on the security of air-gapped network environments, strict isolation from the outside network is difficult to achieve, leading to various attacks. CPISs also comprise various devices and proprietary communication protocols that are used exclusively for each domain and site. Therefore, experts have to adopt a customized strategy to enhance security in CPIS networks after analyzing each domain, device, and protocol in advance. These methods require a significant amount of time, cost, and manpower; consequently, they are difficult to apply existing security methods in the real field. As a solution, a method is proposed herein that includes the following: 1) inferencing the CPIS protocol format and field semantics based on the characteristics of CPIS networks and protocols; 2) multilevel anomaly detection based on the meaning and values of each inferred field. The proposed method does not require knowledge of each site and protocol. In addition, the inference method can be used to analyze the payload field, including the state and measurement value, as well as the header field. Finally, we validate the proposed technique using an open-source CPIS network dataset including response injection, command injection, denial-of-service, and reconnaissance attacks. In addition, in the aspect of detection efficiency, the proposed technique exhibits comparable performance to that of existing knowledge-based anomaly detection methods.

show abstract

“…Jung et al [41] proposed whitelist for SCADA traffic using repetitive communication characteristics of the SCADA system. Kang et al [42] developed techniques for preparation of whitelist for firewall of SCADA traffic.…”

Section: Existing Related Workmentioning

confidence: 99%

Detection and Blocking of Replay, False Command, and False Access Injection Commands in SCADA Systems with Modbus Protocol

Rajesh

Satyanarayana

2021

Security and Communication Networks

View full text Add to dashboard Cite

Industrial control systems (ICS) are being used for surveillance and controlling numerous industrial process plants in national critical infrastructures. Supervisory control and data acquisition (SCADA) system is a core component in ICS systems for continuous monitoring and controlling these process plants. Legacy SCADA systems are working in isolated networks and using proprietary communication protocols which made them less exposed to cyber threats. In recent times, these ICS systems have been connected to Internet and corporate networks for data sharing and remote monitoring. They are also using open protocols and operating systems. This leads to vulnerabilities of the system to cyberattacks. Cybersecurity threats are more prevalent than ever in ICS systems. These attacks may be external or internal. Modbus is a widely deployed communication protocol for SCADA communications. There is no security in design of Modbus protocol, and it is vulnerable to numerous cyberattacks. In this paper, we worked for False Command Injection attack, False Access Injection attack, and replay attacks on Modbus protocol. Initially, a real-time SCADA testbed was set up, and we envisaged the impact of these attacks on Modbus protocol data using the testbed. In this work, we used local area network (LAN) environment only for simulating the attacks. We assumed that the attacks penetrated the LAN network. We proposed and developed (a) a method to detect replay attacks by incorporating time stamp and sequence number in Modbus communications and (b) a frame filtering module which will block unauthorized attacks like False Command Injection and False Access Injection attacks to reach programmable logic controller (PLC). Numbers of attacks were simulated and the performance of the method was measured using attack block rate (ABR). It blocked 97% of malicious Modbus transactions or attacks to reach the PLC. It protects SCADA systems from attackers, which is a core component of industrial control systems. The solution enhanced the security of SCADA systems with Modbus protocol.

show abstract

Structured whitelist generation in SCADA network using PrefixSpan algorithm

Cited by 4 publications

References 9 publications

Computational Complexity of Allow Rule Ordering and Its Greedy Algorithm

Computational Complexity of Allow Rule Ordering and Its Greedy Algorithm

Unknown Payload Anomaly Detection Based on Format and Field Semantics Inference in Cyber-Physical Infrastructure Systems

Detection and Blocking of Replay, False Command, and False Access Injection Commands in SCADA Systems with Modbus Protocol

Contact Info

Product

Resources

About