Exploiting traffic periodicity in industrial control networks

R.R.R. Barbosa, R. Sadre, Aiko Pras

Research output: Contribution to journal › Article

  • 3 Citations

Abstract

Industrial control systems play a major role in the operation of critical infrastructure assets. Due to the polling mechanisms typically used to retrieve data from field devices, industrial control network traffic exhibits strong periodic patterns. This paper presents a novel approach that uses message repetition and timing information to automatically learn traffic models that capture the periodic patterns. The feasibility of the approach is demonstrated using three traffic traces collected from real-world industrial networks. Two practical applications for the learned models are presented. The first is their use in intrusion detection systems; the learned models represent whitelists of valid commands and the frequencies at which they are sent; thus, the models may be used to detect data injection and denial-of-service attacks. The second application is to generate synthetic traffic traces, which can be used to test intrusion detection systems and evaluate the performance of industrial control devices.
Language: Undefined
Pages: 52-62
Number of pages: 14
Journal: International journal of critical infrastructure protection
Volume: 13
DOIs: 10.1016/j.ijcip.2016.02.004
State: Published - Jun 2016

Keywords

  • EWI-26932
  • METIS-316884
  • IR-100183

Cite this

@article{da8aa71644034eb6ab6712981a309673,
title = "Exploiting traffic periodicity in industrial control networks",
abstract = "Industrial control systems play a major role in the operation of critical infrastructure assets. Due to the polling mechanisms typically used to retrieve data from field devices, industrial control network traffic exhibits strong periodic patterns. This paper presents a novel approach that uses message repetition and timing information to automatically learn traffic models that capture the periodic patterns. The feasibility of the approach is demonstrated using three traffic traces collected from real-world industrial networks. Two practical applications for the learned models are presented. The first is their use in intrusion detection systems; the learned models represent whitelists of valid commands and the frequencies at which they are sent; thus, the models may be used to detect data injection and denial-of-service attacks. The second application is to generate synthetic traffic traces, which can be used to test intrusion detection systems and evaluate the performance of industrial control devices.",
keywords = "EWI-26932, METIS-316884, IR-100183",
author = "R.R.R. Barbosa and R. Sadre and Aiko Pras",
note = "eemcs-eprint-26932",
year = "2016",
month = "6",
doi = "10.1016/j.ijcip.2016.02.004",
language = "Undefined",
volume = "13",
pages = "52--62",
journal = "International journal of critical infrastructure protection",
issn = "1874-5482",
publisher = "Elsevier",

}

Exploiting traffic periodicity in industrial control networks. / Barbosa, R.R.R.; Sadre, R.; Pras, Aiko.

In: International journal of critical infrastructure protection, Vol. 13, 06.2016, p. 52-62.

TY - JOUR

T1 - Exploiting traffic periodicity in industrial control networks

AU - Barbosa,R.R.R.

AU - Sadre,R.

AU - Pras,Aiko

N1 - eemcs-eprint-26932

PY - 2016/6

Y1 - 2016/6

N2 - Industrial control systems play a major role in the operation of critical infrastructure assets. Due to the polling mechanisms typically used to retrieve data from field devices, industrial control network traffic exhibits strong periodic patterns. This paper presents a novel approach that uses message repetition and timing information to automatically learn traffic models that capture the periodic patterns. The feasibility of the approach is demonstrated using three traffic traces collected from real-world industrial networks. Two practical applications for the learned models are presented. The first is their use in intrusion detection systems; the learned models represent whitelists of valid commands and the frequencies at which they are sent; thus, the models may be used to detect data injection and denial-of-service attacks. The second application is to generate synthetic traffic traces, which can be used to test intrusion detection systems and evaluate the performance of industrial control devices.

AB - Industrial control systems play a major role in the operation of critical infrastructure assets. Due to the polling mechanisms typically used to retrieve data from field devices, industrial control network traffic exhibits strong periodic patterns. This paper presents a novel approach that uses message repetition and timing information to automatically learn traffic models that capture the periodic patterns. The feasibility of the approach is demonstrated using three traffic traces collected from real-world industrial networks. Two practical applications for the learned models are presented. The first is their use in intrusion detection systems; the learned models represent whitelists of valid commands and the frequencies at which they are sent; thus, the models may be used to detect data injection and denial-of-service attacks. The second application is to generate synthetic traffic traces, which can be used to test intrusion detection systems and evaluate the performance of industrial control devices.

KW - EWI-26932

KW - METIS-316884

KW - IR-100183

U2 - 10.1016/j.ijcip.2016.02.004

DO - 10.1016/j.ijcip.2016.02.004

M3 - Article

VL - 13

SP - 52

EP - 62

JO - International journal of critical infrastructure protection

T2 - International journal of critical infrastructure protection

JF - International journal of critical infrastructure protection

SN - 1874-5482

ER -