TY - GEN
T1 - Temporal phase shifts in SCADA networks
AU - Markman, Chen
AU - Wool, Avishai
AU - Cardenas, Alvaro A.
N1 - Publisher Copyright:
© 2018 Association for Computing Machinery.
PY - 2018/10/15
Y1 - 2018/10/15
N2 - In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Previous work showed that in many cases, it is possible to create an automata-based model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that overall, the models have difficulty in dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern, and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity. The model presented has similar accuracy and much less permissiveness compared to the previous general Deterministic Finite Automata (DFA) model. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.
AB - In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Previous work showed that in many cases, it is possible to create an automata-based model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that overall, the models have difficulty in dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern, and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity. The model presented has similar accuracy and much less permissiveness compared to the previous general Deterministic Finite Automata (DFA) model. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.
UR - http://www.scopus.com/inward/record.url?scp=85056700212&partnerID=8YFLogxK
U2 - 10.1145/3264888.3264898
DO - 10.1145/3264888.3264898
M3 - Conference contribution
AN - SCOPUS:85056700212
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 84
EP - 89
BT - CPS-SPC 2018 - Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2018
PB - Association for Computing Machinery
T2 - 4th ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2018, in conjunction with the 25th ACM Conference on Computer and Communications Security, CCS 2018
Y2 - 19 October 2018
ER -