Visible to the public Biblio

Filters: Keyword is industrial control systems  [Clear All Filters]
2019-07-01
Urias, V. E., Stout, M. S. William, Leeuwen, B. V..  2018.  On the Feasibility of Generating Deception Environments for Industrial Control Systems. 2018 IEEE International Symposium on Technologies for Homeland Security (HST). :1–6.

The cyber threat landscape is a constantly morphing surface; the need for cyber defenders to develop and create proactive threat intelligence is on the rise, especially on critical infrastructure environments. It is commonly voiced that Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) are vulnerable to the same classes of threats as other networked computer systems. However, cyber defense in operational ICS is difficult, often introducing unacceptable risks of disruption to critical physical processes. This is exacerbated by the notion that hardware used in ICS is often expensive, making full-scale mock-up systems for testing and/or cyber defense impractical. New paradigms in cyber security have focused heavily on using deception to not only protect assets, but also gather insight into adversary motives and tools. Much of the work that we see in today's literature is focused on creating deception environments for traditional IT enterprise networks; however, leveraging our prior work in the domain, we explore the opportunities, challenges and feasibility of doing deception in ICS networks.

2019-06-24
Gonzalez, D., Alhenaki, F., Mirakhorli, M..  2019.  Architectural Security Weaknesses in Industrial Control Systems (ICS) an Empirical Study Based on Disclosed Software Vulnerabilities. 2019 IEEE International Conference on Software Architecture (ICSA). :31–40.

Industrial control systems (ICS) are systems used in critical infrastructures for supervisory control, data acquisition, and industrial automation. ICS systems have complex, component-based architectures with many different hardware, software, and human factors interacting in real time. Despite the importance of security concerns in industrial control systems, there has not been a comprehensive study that examined common security architectural weaknesses in this domain. Therefore, this paper presents the first in-depth analysis of 988 vulnerability advisory reports for Industrial Control Systems developed by 277 vendors. We performed a detailed analysis of the vulnerability reports to measure which components of ICS have been affected the most by known vulnerabilities, which security tactics were affected most often in ICS and what are the common architectural security weaknesses in these systems. Our key findings were: (1) Human-Machine Interfaces, SCADA configurations, and PLCs were the most affected components, (2) 62.86% of vulnerability disclosures in ICS had an architectural root cause, (3) the most common architectural weaknesses were “Improper Input Validation”, followed by “Im-proper Neutralization of Input During Web Page Generation” and “Improper Authentication”, and (4) most tactic-related vulnerabilities were related to the tactics “Validate Inputs”, “Authenticate Actors” and “Authorize Actors”.

2019-05-09
Kravchik, Moshe, Shabtai, Asaf.  2018.  Detecting Cyber Attacks in Industrial Control Systems Using Convolutional Neural Networks. Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy. :72-83.

This paper presents a study on detecting cyber attacks on industrial control systems (ICS) using convolutional neural networks. The study was performed on a Secure Water Treatment testbed (SWaT) dataset, which represents a scaled-down version of a real-world industrial water treatment plant. We suggest a method for anomaly detection based on measuring the statistical deviation of the predicted value from the observed value. We applied the proposed method by using a variety of deep neural network architectures including different variants of convolutional and recurrent networks. The test dataset included 36 different cyber attacks. The proposed method successfully detected 31 attacks with three false positives thus improving on previous research based on this dataset. The results of the study show that 1D convolutional networks can be successfully used for anomaly detection in industrial control systems and outperform recurrent networks in this setting. The findings also suggest that 1D convolutional networks are effective at time series prediction tasks which are traditionally considered to be best solved using recurrent neural networks. This observation is a promising one, as 1D convolutional neural networks are simpler, smaller, and faster than the recurrent neural networks.

Sokolov, A. N., Barinov, A. E., Antyasov, I. S., Skurlaev, S. V., Ufimtcev, M. S., Luzhnov, V. S..  2018.  Hardware-Based Memory Acquisition Procedure for Digital Investigations of Security Incidents in Industrial Control Systems. 2018 Global Smart Industry Conference (GloSIC). :1-7.

The safety of industrial control systems (ICS) depends not only on comprehensive solutions for protecting information, but also on the timing and closure of vulnerabilities in the software of the ICS. The investigation of security incidents in the ICS is often greatly complicated by the fact that malicious software functions only within the computer's volatile memory. Obtaining the contents of the volatile memory of an attacked computer is difficult to perform with a guaranteed reliability, since the data collection procedure must be based on a reliable code (the operating system or applications running in its environment). The paper proposes a new instrumental method for obtaining the contents of volatile memory, general rules for implementing the means of collecting information stored in memory. Unlike software methods, the proposed method has two advantages: firstly, there is no problem in terms of reading the parts of memory, blocked by the operating system, and secondly, the resulting contents are not compromised by such malicious software. The proposed method is relevant for investigating security incidents of ICS and can be used in continuous monitoring systems for the security of ICS.

Zhang, Z., Chang, C., Lv, Z., Han, P., Wang, Y..  2018.  A Control Flow Anomaly Detection Algorithm for Industrial Control Systems. 2018 1st International Conference on Data Intelligence and Security (ICDIS). :286-293.

Industrial control systems are the fundamental infrastructures of a country. Since the intrusion attack methods for industrial control systems have become complex and concealed, the traditional protection methods, such as vulnerability database, virus database and rule matching cannot cope with the attacks hidden inside the terminals of industrial control systems. In this work, we propose a control flow anomaly detection algorithm based on the control flow of the business programs. First, a basic group partition method based on key paths is proposed to reduce the performance burden caused by tabbed-assert control flow analysis method through expanding basic research units. Second, the algorithm phases of standard path set acquisition and path matching are introduced. By judging whether the current control flow path is deviating from the standard set or not, the abnormal operating conditions of industrial control can be detected. Finally, the effectiveness of a control flow anomaly detection (checking) algorithm based on Path Matching (CFCPM) is demonstrated by anomaly detection ability analysis and experiments.

Ivanov, A. V., Sklyarov, V. A..  2018.  The Urgency of the Threats of Attacks on Interfaces and Field-Layer Protocols in Industrial Control Systems. 2018 XIV International Scientific-Technical Conference on Actual Problems of Electronics Instrument Engineering (APEIE). :162-165.

The paper is devoted to analysis of condition of executing devices and sensors of Industrial Control Systems information security. The work contains structures of industrial control systems divided into groups depending on system's layer. The article contains the analysis of analog interfaces work and work features of data transmission protocols in industrial control system field layer. Questions about relevance of industrial control systems information security, both from the point of view of the information security occurring incidents, and from the point of view of regulators' reaction in the form of normative legal acts, are described. During the analysis of the information security systems of industrial control systems a possibility of leakage through technical channels of information leakage at the field layer was found. Potential vectors of the attacks on devices of field layer and data transmission network of an industrial control system are outlined in the article. The relevance analysis of the threats connected with the attacks at the field layer of an industrial control system is carried out, feature of this layer and attractiveness of this kind of attacks is observed.

Hata, K., Sasaki, T., Mochizuki, A., Sawada, K., Shin, S., Hosokawa, S..  2018.  Collaborative Model-Based Fallback Control for Secured Networked Control Systems. IECON 2018 - 44th Annual Conference of the IEEE Industrial Electronics Society. :5963-5970.

The authors have proposed the Fallback Control System (FCS) as a countermeasure after cyber-attacks happen in Industrial Control Systems (ICSs). For increased robustness against cyber-attacks, introducing multiple countermeasures is desirable. Then, an appropriate collaboration is essential. This paper introduces two FCSs in ICS: field network signal is driven FCS and analog signal driven FCS. This paper also implements a collaborative FCS by a collaboration function of the two FCSs. The collaboration function is that the analog signal driven FCS estimates the state of the other FCS. The collaborative FCS decides the countermeasure based on the result of the estimation after cyber-attacks happen. Finally, we show practical experiment results to analyze the effectiveness of the proposed method.

Li, Y., Liu, X., Tian, H., Luo, C..  2018.  Research of Industrial Control System Device Firmware Vulnerability Mining Technology Based on Taint Analysis. 2018 IEEE 9th International Conference on Software Engineering and Service Science (ICSESS). :607-610.

Aiming at the problem that there is little research on firmware vulnerability mining and the traditional method of vulnerability mining based on fuzzing test is inefficient, this paper proposed a new method of mining vulnerabilities in industrial control system firmware. Based on taint analysis technology, this method can construct test cases specifically for the variables that may trigger vulnerabilities, thus reducing the number of invalid test cases and improving the test efficiency. Experiment result shows that this method can reduce about 23 % of test cases and can effectively improve test efficiency.

Shrestha, Roshan, Mehrpouyan, Hoda, Xu, Dianxiang.  2018.  Model Checking of Security Properties in Industrial Control Systems (ICS). Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. :164-166.

With the increasing inter-connection of operation technology to the IT network, the security threat to the Industrial Control System (ICS) is increasing daily. Therefore, it is critical to utilize formal verification technique such as model checking to mathematically prove the correctness of security and safety requirements in the controller logic before it is deployed on the field. However, model checking requires considerable effort for regular ICS users and control technician to verify properties. This paper, provides a simpler approach to the model checking of temperature process control system by first starting with the control module design without formal verification. Second, identifying possible vulnerabilities in such design. Third, verifying the safety and security properties with a formal method. 

Gordon, Kiel, Davis, Matthew, Birnbaum, Zachary, Dolgikh, Andrey.  2018.  ACE: Advanced CIP Evaluator. Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy. :90-101.

Industrial control systems (ICS) are key enabling systems that drive the productivity and efficiency of omnipresent industries such as power, gas, water treatment, transportation, and manufacturing. These systems consist of interconnected components that communicate over industrial networks using industrial protocols such as the Common Industrial Protocol (CIP). CIP is one of the most commonly used network-based process control protocols, and utilizes an object-oriented communication structure for device to device interaction. Due to this object-oriented structure, CIP communication reveals detailed information about the devices, the communication patterns, and the system, providing an in-depth view of the system. The details from this in-depth system perspective can be utilized as part of a system cybersecurity or discovery approach. However, due to the variety of commands, corresponding parameters, and variable layer structure of the CIP network layer, processing this layer is a challenging task. This paper presents a tool, Advanced CIP Evaluator (ACE), which passively processes the CIP communication layer and automatically extracts device, communication, and system information from observed network traffic. ACE was tested and verified using a representative ICS power generation testbed. Since ACE operates passively, without generating any network traffic of its own, system operations are not disturbed. This novel tool provides ICS information, such as networked devices, communication patterns, and system operation, at a depth and breadth that is unique compared with other known tools.

Nguyen, Thuy D., Irvine, Cynthia E..  2018.  Development of Industrial Network Forensics Lessons. Proceedings of the Fifth Cybersecurity Symposium. :7:1-7:5.

Most forensic investigators are trained to recognize abusive network behavior in conventional information systems, but they may not know how to detect anomalous traffic patterns in industrial control systems (ICS) that manage critical infrastructure services. We have developed and laboratory-tested hands-on teaching material to introduce students to forensics investigation of intrusions on an industrial network. Rather than using prototypes of ICS components, our approach utilizes commercial industrial products to provide students a more realistic simulation of an ICS network. The lessons cover four different types of attacks and the corresponding post-incident network data analysis.

Lu, G., Feng, D..  2018.  Network Security Situation Awareness for Industrial Control System Under Integrity Attacks. 2018 21st International Conference on Information Fusion (FUSION). :1808-1815.

Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Eckhart, Matthias, Ekelhart, Andreas.  2018.  Towards Security-Aware Virtual Environments for Digital Twins. Proceedings of the 4th ACM Workshop on Cyber-Physical System Security. :61-72.

Digital twins open up new possibilities in terms of monitoring, simulating, optimizing and predicting the state of cyber-physical systems (CPSs). Furthermore, we argue that a fully functional, virtual replica of a CPS can also play an important role in securing the system. In this work, we present a framework that allows users to create and execute digital twins, closely matching their physical counterparts. We focus on a novel approach to automatically generate the virtual environment from specification, taking advantage of engineering data exchange formats. From a security perspective, an identical (in terms of the system's specification), simulated environment can be freely explored and tested by security professionals, without risking negative impacts on live systems. Going a step further, security modules on top of the framework support security analysts in monitoring the current state of CPSs. We demonstrate the viability of the framework in a proof of concept, including the automated generation of digital twins and the monitoring of security and safety rules.

2019-05-01
Barrere, M., Hankin, C., Barboni, A., Zizzo, G., Boem, F., Maffeis, S., Parisini, T..  2018.  CPS-MT: A Real-Time Cyber-Physical System Monitoring Tool for Security Research. 2018 IEEE 24th International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA). :240–241.

Monitoring systems are essential to understand and control the behaviour of systems and networks. Cyber-physical systems (CPS) are particularly delicate under that perspective since they involve real-time constraints and physical phenomena that are not usually considered in common IT solutions. Therefore, there is a need for publicly available monitoring tools able to contemplate these aspects. In this poster/demo, we present our initiative, called CPS-MT, towards a versatile, real-time CPS monitoring tool, with a particular focus on security research. We first present its architecture and main components, followed by a MiniCPS-based case study. We also describe a performance analysis and preliminary results. During the demo, we will discuss CPS-MT's capabilities and limitations for security applications.

2019-03-06
Kawanishi, Y., Nishihara, H., Souma, D., Yoshida, H., Hata, Y..  2018.  A Study on Quantitative Risk Assessment Methods in Security Design for Industrial Control Systems. 2018 IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, 16th Intl Conf on Pervasive Intelligence and Computing, 4th Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech). :62-69.

In recent years, there has been progress in applying information technology to industrial control systems (ICS), which is expected to make the development cost of control devices and systems lower. On the other hand, the security threats are becoming important problems. In 2017, a command injection issue on a data logger was reported. In this paper, we focus on the risk assessment in security design for data loggers used in industrial control systems. Our aim is to provide a risk assessment method optimized for control devices and systems in such a way that one can prioritize threats more preciously, that would lead work resource (time and budget) can be assigned for more important threats than others. We discuss problems with application of the automotive-security guideline of JASO TP15002 to ICS risk assessment. Consequently, we propose a three-phase risk assessment method with a novel Risk Scoring Systems (RSS) for quantitative risk assessment, RSS-CWSS. The idea behind this method is to apply CWSS scoring systems to RSS by fixing values for some of CWSS metrics, considering what the designers can evaluate during the concept phase. Our case study with ICS employing a data logger clarifies that RSS-CWSS can offer an interesting property that it has better risk-score dispersion than the TP15002-specified RSS.

2019-02-13
Irmak, E., Erkek, İ.  2018.  An overview of cyber-attack vectors on SCADA systems. 2018 6th International Symposium on Digital Forensic and Security (ISDFS). :1–5.

Most of the countries evaluate their energy networks in terms of national security and define as critical infrastructure. Monitoring and controlling of these systems are generally provided by Industrial Control Systems (ICSs) and/or Supervisory Control and Data Acquisition (SCADA) systems. Therefore, this study focuses on the cyber-attack vectors on SCADA systems to research the threats and risks targeting them. For this purpose, TCP/IP based protocols used in SCADA systems have been determined and analyzed at first. Then, the most common cyber-attacks are handled systematically considering hardware-side threats, software-side ones and the threats for communication infrastructures. Finally, some suggestions are given.

2019-02-08
Zou, Z., Wang, D., Yang, H., Hou, Y., Yang, Y., Xu, W..  2018.  Research on Risk Assessment Technology of Industrial Control System Based on Attack Graph. 2018 IEEE 3rd Advanced Information Technology, Electronic and Automation Control Conference (IAEAC). :2420-2423.

In order to evaluate the network security risks and implement effective defenses in industrial control system, a risk assessment method for industrial control systems based on attack graphs is proposed. Use the concept of network security elements to translate network attacks into network state migration problems and build an industrial control network attack graph model. In view of the current subjective evaluation of expert experience, the atomic attack probability assignment method and the CVSS evaluation system were introduced to evaluate the security status of the industrial control system. Finally, taking the centralized control system of the thermal power plant as the experimental background, the case analysis is performed. The experimental results show that the method can comprehensively analyze the potential safety hazards in the industrial control system and provide basis for the safety management personnel to take effective defense measures.

2019-01-21
Nicolaou, N., Eliades, D. G., Panayiotou, C., Polycarpou, M. M..  2018.  Reducing Vulnerability to Cyber-Physical Attacks in Water Distribution Networks. 2018 International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater). :16–19.

Cyber-Physical Systems (CPS), such as Water Distribution Networks (WDNs), deploy digital devices to monitor and control the behavior of physical processes. These digital devices, however, are susceptible to cyber and physical attacks, that may alter their functionality, and therefore the integrity of their measurements/actions. In practice, industrial control systems utilize simple control laws, which rely on various sensor measurements and algorithms which are expected to operate normally. To reduce the impact of a potential failure, operators may deploy redundant components; this however may not be useful, e.g., when a cyber attack at a PLC component occurs. In this work, we address the problem of reducing vulnerability to cyber-physical attacks in water distribution networks. This is achieved by augmenting the graph which describes the information flow from sensors to actuators, by adding new connections and algorithms, to increase the number of redundant cyber components. These, in turn, increase the \textitcyber-physical security level, which is defined in the present paper as the number of malicious attacks a CPS may sustain before becoming unable to satisfy the control requirements. A proof-of-concept of the approach is demonstrated over a simple WDN, with intuition on how this can be used to increase the cyber-physical security level of the system.

Murillo, Andrés Felipe, Cómbita, Luis Francisco, Gonzalez, Andrea Calderón, Rueda, Sandra, Cardenas, Alvaro A., Quijano, Nicanor.  2018.  A Virtual Environment for Industrial Control Systems: A Nonlinear Use-Case in Attack Detection, Identification, and Response. Proceedings of the 4th Annual Industrial Control System Security Workshop. :25–32.
The integration of modern information technologies with industrial control systems has created an enormous interest in the security of industrial control, however, given the cost, variety, and industry practices, it is hard for researchers to test and deploy security solutions in real-world systems. Industrial control testbeds can be used as tools to test security solutions before they are deployed, and in this paper we extend our previous work to develop open-source virtual industrial control testbeds where computing and networking components are emulated and virtualized, and the physical system is simulated through differential equations. In particular, we implement a nonlinear control system emulating a three-water tank with the associated sensors, PLCs, and actuators that communicate through an emulated network. In addition, we design unknown input observers (UIO) to not only detect that an attack is occurring, but also to identify the source of the malicious false data injections and mitigate its impact. Our system is available through Github to the academic community.
2018-09-28
Brandauer, C., Dorfinger, P., Paiva, P. Y. A..  2017.  Towards scalable and adaptable security monitoring. 2017 IEEE 36th International Performance Computing and Communications Conference (IPCCC). :1–6.

A long time ago Industrial Control Systems were in a safe place due to the use of proprietary technology and physical isolation. This situation has changed dramatically and the systems are nowadays often prone to severe attacks executed from remote locations. In many cases, intrusions remain undetected for a long time and this allows the adversary to meticulously prepare an attack and maximize its destructiveness. The ability to detect an attack in its early stages thus has a high potential to significantly reduce its impact. To this end, we propose a holistic, multi-layered, security monitoring and mitigation framework spanning the physical- and cyber domain. The comprehensiveness of the approach demands for scalability measures built-in by design. In this paper we present how scalability is addressed by an architecture that enforces geographically decentralized data reduction approaches that can be dynamically adjusted to the currently perceived context. A specific focus is put on a robust and resilient solution to orchestrate dynamic configuration updates. Experimental results based on a prototype implementation show the feasibility of the approach.

2018-09-12
Jillepalli, A. A., Sheldon, F. T., Leon, D. C. de, Haney, M., Abercrombie, R. K..  2017.  Security management of cyber physical control systems using NIST SP 800-82r2. 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC). :1864–1870.

Cyber-attacks and intrusions in cyber-physical control systems are, currently, difficult to reliably prevent. Knowing a system's vulnerabilities and implementing static mitigations is not enough, since threats are advancing faster than the pace at which static cyber solutions can counteract. Accordingly, the practice of cybersecurity needs to ensure that intrusion and compromise do not result in system or environment damage or loss. In a previous paper [2], we described the Cyberspace Security Econometrics System (CSES), which is a stakeholder-aware and economics-based risk assessment method for cybersecurity. CSES allows an analyst to assess a system in terms of estimated loss resulting from security breakdowns. In this paper, we describe two new related contributions: 1) We map the Cyberspace Security Econometrics System (CSES) method to the evaluation and mitigation steps described by the NIST Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82r2. Hence, presenting an economics-based and stakeholder-aware risk evaluation method for the implementation of the NIST-SP-800-82 guide; and 2) We describe the application of this tailored method through the use of a fictitious example of a critical infrastructure system of an electric and gas utility.

2018-07-18
Vávra, J., Hromada, M..  2017.  Anomaly Detection System Based on Classifier Fusion in ICS Environment. 2017 International Conference on Soft Computing, Intelligent System and Information Technology (ICSIIT). :32–38.

The detection of cyber-attacks has become a crucial task for highly sophisticated systems like industrial control systems (ICS). These systems are an essential part of critical information infrastructure. Therefore, we can highlight their vital role in contemporary society. The effective and reliable ICS cyber defense is a significant challenge for the cyber security community. Thus, intrusion detection is one of the demanding tasks for the cyber security researchers. In this article, we examine classification problem. The proposed detection system is based on supervised anomaly detection techniques. Moreover, we utilized classifiers algorithms in order to increase intrusion detection capabilities. The fusion of the classifiers is the way how to achieve the predefined goal.

Yusheng, W., Kefeng, F., Yingxu, L., Zenghui, L., Ruikang, Z., Xiangzhen, Y., Lin, L..  2017.  Intrusion Detection of Industrial Control System Based on Modbus TCP Protocol. 2017 IEEE 13th International Symposium on Autonomous Decentralized System (ISADS). :156–162.

Modbus over TCP/IP is one of the most popular industrial network protocol that are widely used in critical infrastructures. However, vulnerability of Modbus TCP protocol has attracted widely concern in the public. The traditional intrusion detection methods can identify some intrusion behaviors, but there are still some problems. In this paper, we present an innovative approach, SD-IDS (Stereo Depth IDS), which is designed for perform real-time deep inspection for Modbus TCP traffic. SD-IDS algorithm is composed of two parts: rule extraction and deep inspection. The rule extraction module not only analyzes the characteristics of industrial traffic, but also explores the semantic relationship among the key field in the Modbus TCP protocol. The deep inspection module is based on rule-based anomaly intrusion detection. Furthermore, we use the online test to evaluate the performance of our SD-IDS system. Our approach get a low rate of false positive and false negative.

Feng, C., Li, T., Chana, D..  2017.  Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks. 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). :261–272.

We outline an anomaly detection method for industrial control systems (ICS) that combines the analysis of network package contents that are transacted between ICS nodes and their time-series structure. Specifically, we take advantage of the predictable and regular nature of communication patterns that exist between so-called field devices in ICS networks. By observing a system for a period of time without the presence of anomalies we develop a base-line signature database for general packages. A Bloom filter is used to store the signature database which is then used for package content level anomaly detection. Furthermore, we approach time-series anomaly detection by proposing a stacked Long Short Term Memory (LSTM) network-based softmax classifier which learns to predict the most likely package signatures that are likely to occur given previously seen package traffic. Finally, by the inspection of a real dataset created from a gas pipeline SCADA system, we show that an anomaly detection scheme combining both approaches can achieve higher performance compared to various current state-of-the-art techniques.

Fauri, Davide, dos Santos, Daniel Ricardo, Costante, Elisa, den Hartog, Jerry, Etalle, Sandro, Tonetta, Stefano.  2017.  From System Specification to Anomaly Detection (and Back). Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy. :13–24.

Industrial control systems have stringent safety and security demands. High safety assurance can be obtained by specifying the system with possible faults and monitoring it to ensure these faults are properly addressed. Addressing security requires considering unpredictable attacker behavior. Anomaly detection, with its data driven approach, can detect simple unusual behavior and system-based attacks like the propagation of malware; on the other hand, anomaly detection is less suitable to detect more complex \textbackslashtextbackslashemph\process-based\ attacks and it provides little actionability in presence of an alert. The alternative to anomaly detection is to use specification-based intrusion detection, which is more suitable to detect process-based attacks, but is typically expensive to set up and less scalable. We propose to combine a lightweight formal system specification with anomaly detection, providing data-driven monitoring. The combination is based on mapping elements of the specification to elements of the network traffic. This allows extracting locations to monitor and relevant context information from the formal specification, thus semantically enriching the raised alerts and making them actionable. On the other hand, it also allows under-specification of data-based properties in the formal model; some predicates can be left uninterpreted and the monitoring can be used to learn a model for them. We demonstrate our methodology on a smart manufacturing use case.