Modeling message sequences for intrusion detection in industrial control systems

Marco Caselli; Emmanuele Zambon; Jonathan Petit; Frank Kargl

doi:10.1007/978-3-319-26567-4

Modeling message sequences for intrusion detection in industrial control systems

Marco Caselli, Emmanuele Zambon, Jonathan Petit, Frank Kargl

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

30 Citations (Scopus)

3 Downloads (Pure)

Abstract

Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing “sequence-aware‿ intrusion detection systems.

Original language	English
Title of host publication	Critical Infrastructure Protection IX
Subtitle of host publication	9th IFIP 11.10 International Conference, ICCIP 2015, Arlington, VA, USA, March 16-18, 2015, Revised Selected Papers
Editors	Mason Rice, Sujeet Shenoi
Place of Publication	London
Publisher	Springer
Pages	49-71
Number of pages	23
ISBN (Print)	978-3-319-26566-7
DOIs	https://doi.org/10.1007/978-3-319-26567-4
Publication status	Published - Mar 2015
Event	9th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2015 - Arlington, United States Duration: 16 Mar 2015 → 18 Mar 2015 Conference number: 9

Publication series

Name	Critical Infrastructure Protection IX
Publisher	Springer Verlag
Volume	466
ISSN (Print)	1868-4238

Workshop

Workshop	9th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2015
Abbreviated title	ICCIP
Country/Territory	United States
City	Arlington
Period	16/03/15 → 18/03/15

Keywords

SCS-Cybersecurity
sequence attacks
EWI-26537
METIS-315080
IR-98661
Industrial control systems
Intrusion Detection
EC Grant Agreement nr.: FP7-SEC-285477-CRISALIS

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1007/978-3-319-26567-4

Cite this

Caselli, M., Zambon, E., Petit, J., & Kargl, F. (2015). Modeling message sequences for intrusion detection in industrial control systems. In M. Rice, & S. Shenoi (Eds.), Critical Infrastructure Protection IX: 9th IFIP 11.10 International Conference, ICCIP 2015, Arlington, VA, USA, March 16-18, 2015, Revised Selected Papers (pp. 49-71). (Critical Infrastructure Protection IX; Vol. 466). Springer. https://doi.org/10.1007/978-3-319-26567-4

Caselli, Marco ; Zambon, Emmanuele ; Petit, Jonathan et al. / Modeling message sequences for intrusion detection in industrial control systems. Critical Infrastructure Protection IX: 9th IFIP 11.10 International Conference, ICCIP 2015, Arlington, VA, USA, March 16-18, 2015, Revised Selected Papers. editor / Mason Rice ; Sujeet Shenoi. London : Springer, 2015. pp. 49-71 (Critical Infrastructure Protection IX).

@inproceedings{d290c010c0194ebcb1bc6bc8a5380f58,

title = "Modeling message sequences for intrusion detection in industrial control systems",

abstract = "Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing “sequence-aware‿ intrusion detection systems.",

keywords = "SCS-Cybersecurity, sequence attacks, EWI-26537, METIS-315080, IR-98661, Industrial control systems, Intrusion Detection, EC Grant Agreement nr.: FP7-SEC-285477-CRISALIS",

author = "Marco Caselli and Emmanuele Zambon and Jonathan Petit and Frank Kargl",

note = "eemcs-eprint-26537 ; 9th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2015, ICCIP ; Conference date: 16-03-2015 Through 18-03-2015",

year = "2015",

month = mar,

doi = "10.1007/978-3-319-26567-4",

language = "English",

isbn = "978-3-319-26566-7",

series = "Critical Infrastructure Protection IX",

publisher = "Springer",

pages = "49--71",

editor = "Mason Rice and Sujeet Shenoi",

booktitle = "Critical Infrastructure Protection IX",

address = "Germany",

}

Caselli, M, Zambon, E, Petit, J & Kargl, F 2015, Modeling message sequences for intrusion detection in industrial control systems. in M Rice & S Shenoi (eds), Critical Infrastructure Protection IX: 9th IFIP 11.10 International Conference, ICCIP 2015, Arlington, VA, USA, March 16-18, 2015, Revised Selected Papers. Critical Infrastructure Protection IX, vol. 466, Springer, London, pp. 49-71, 9th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2015, Arlington, Virginia, United States, 16/03/15. https://doi.org/10.1007/978-3-319-26567-4

Modeling message sequences for intrusion detection in industrial control systems. / Caselli, Marco; Zambon, Emmanuele; Petit, Jonathan et al.
Critical Infrastructure Protection IX: 9th IFIP 11.10 International Conference, ICCIP 2015, Arlington, VA, USA, March 16-18, 2015, Revised Selected Papers. ed. / Mason Rice; Sujeet Shenoi. London: Springer, 2015. p. 49-71 (Critical Infrastructure Protection IX; Vol. 466).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Modeling message sequences for intrusion detection in industrial control systems

AU - Caselli, Marco

AU - Zambon, Emmanuele

AU - Petit, Jonathan

AU - Kargl, Frank

N1 - Conference code: 9

PY - 2015/3

Y1 - 2015/3

N2 - Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing “sequence-aware‿ intrusion detection systems.

AB - Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing “sequence-aware‿ intrusion detection systems.

KW - SCS-Cybersecurity

KW - sequence attacks

KW - EWI-26537

KW - METIS-315080

KW - IR-98661

KW - Industrial control systems

KW - Intrusion Detection

KW - EC Grant Agreement nr.: FP7-SEC-285477-CRISALIS

U2 - 10.1007/978-3-319-26567-4

DO - 10.1007/978-3-319-26567-4

M3 - Conference contribution

SN - 978-3-319-26566-7

T3 - Critical Infrastructure Protection IX

SP - 49

EP - 71

BT - Critical Infrastructure Protection IX

A2 - Rice, Mason

A2 - Shenoi, Sujeet

PB - Springer

CY - London

T2 - 9th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2015

Y2 - 16 March 2015 through 18 March 2015

ER -

Caselli M, Zambon E, Petit J, Kargl F. Modeling message sequences for intrusion detection in industrial control systems. In Rice M, Shenoi S, editors, Critical Infrastructure Protection IX: 9th IFIP 11.10 International Conference, ICCIP 2015, Arlington, VA, USA, March 16-18, 2015, Revised Selected Papers. London: Springer. 2015. p. 49-71. (Critical Infrastructure Protection IX). doi: 10.1007/978-3-319-26567-4

Modeling message sequences for intrusion detection in industrial control systems

Abstract

Publication series

Workshop

Keywords

UN SDGs

Access to Document

Fingerprint

Cite this