TY - GEN
T1 - A statechart-based anomaly detection model for multi-threaded SCADA systems
AU - Kleinmann, Amit
AU - Wool, Avishai
N1 - Publisher Copyright:
© Springer International Publishing Switzerland 2016.
PY - 2016
Y1 - 2016
N2 - SCADA traffic between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed SCADA streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA, and a high false-alarm rate. In this paper we introduce a new modeling approach that addresses this gap. Our Statechart DFA modeling includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs. We evaluated our solution on traces from a production SCADA system using the Siemens S7-0x72 protocol. We also stress-tested our solution on a collection of synthetically-generated traces. In all but the most extreme scenarios the Statechart model drastically reduced both the false-alarm rate and the learned model size in comparison with the naive single-DFA model.
UR - http://www.scopus.com/inward/record.url?scp=84978699035&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-33331-1_11
DO - 10.1007/978-3-319-33331-1_11
M3 - Conference contribution
AN - SCOPUS:84978699035
SN - 9783319333304
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 132
EP - 144
BT - Critical Information Infrastructures Security - 10th International Conference, CRITIS 2015, Revised Selected Papers
A2 - Wolthusen, Stephen D.
A2 - Theocharidou, Marianthi
A2 - Rome, Erich
PB - Springer Verlag
T2 - 10th International Conference on Critical Information Infrastructures Security, CRITIS 2015
Y2 - 5 October 2015 through 7 October 2015
ER -