Modeling message sequences for intrusion detection in industrial control systems

Marco Caselli, Emmanuele Zambon, Jonathan Petit, Frank Kargl

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    11 Citations (Scopus)

    Abstract

    Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing “sequence-aware‿ intrusion detection systems.
    Original languageEnglish
    Title of host publicationCritical Infrastructure Protection IX
    Subtitle of host publication9th IFIP 11.10 International Conference, ICCIP 2015, Arlington, VA, USA, March 16-18, 2015, Revised Selected Papers
    EditorsMason Rice, Sujeet Shenoi
    Place of PublicationLondon
    PublisherSpringer
    Pages49-71
    Number of pages23
    ISBN (Print)978-3-319-26566-7
    DOIs
    Publication statusPublished - Mar 2015
    Event9th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2015 - Arlington, United States
    Duration: 16 Mar 201518 Mar 2015
    Conference number: 9

    Publication series

    NameCritical Infrastructure Protection IX
    PublisherSpringer Verlag
    Volume466
    ISSN (Print)1868-4238

    Workshop

    Workshop9th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2015
    Abbreviated titleICCIP
    CountryUnited States
    CityArlington
    Period16/03/1518/03/15

    Keywords

    • SCS-Cybersecurity
    • sequence attacks
    • EWI-26537
    • METIS-315080
    • IR-98661
    • Industrial control systems
    • Intrusion Detection
    • EC Grant Agreement nr.: FP7-SEC-285477-CRISALIS

    Fingerprint

    Dive into the research topics of 'Modeling message sequences for intrusion detection in industrial control systems'. Together they form a unique fingerprint.

    Cite this