A statechart-based anomaly detection model for multi-threaded SCADA systems

Amit Kleinmann*, Avishai Wool

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

20 Scopus citations

Abstract

SCADA traffic between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed SCADA streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA, and a high false-alarm rate. In this paper we introduce a new modeling approach that addresses this gap. Our Statechart DFA modeling includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs. We evaluated our solution on traces from a production SCADA system using the Siemens S7-0x72 protocol. We also stress-tested our solution on a collection of synthetically-generated traces. In all but the most extreme scenarios the Statechart model drastically reduced both the false-alarm rate and the learned model size in comparison with the naive single-DFA model.

Original language: English
Title of host publication: Critical Information Infrastructures Security - 10th International Conference, CRITIS 2015, Revised Selected Papers
Editors: Stephen D. Wolthusen, Marianthi Theocharidou, Erich Rome
Publisher: Springer Verlag
Pages: 132-144
Number of pages: 13
ISBN (Print): 9783319333304
State: Published - 2016
Event: 10th International Conference on Critical Information Infrastructures Security, CRITIS 2015 - Berlin, Germany
Duration: 5 Oct 2015 to 7 Oct 2015

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9578
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 10th International Conference on Critical Information Infrastructures Security, CRITIS 2015
Country/Territory: Germany
City: Berlin
Period: 5/10/15 to 7/10/15

Funding

Funder: Ministry of Science and Technology, Israel
