Reading between the fields: practical, effective intrusion detection for industrial control systems

Ömer Yüksel; Jeremy den Hartog; Sandro Etalle

doi:10.1145/2851613.2851799

Reading between the fields: practical, effective intrusion detection for industrial control systems

Ömer Yüksel, Jeremy den Hartog, Sandro Etalle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

21 Citations (Scopus)

272 Downloads (Pure)

Abstract

Detection of previously unknown attacks and malicious messages is a challenging problem faced by modern network intrusion detection systems. Anomaly-based solutions, despite being able to detect unknown attacks, have not been used often in practice due to their high false positive rate, and because they provide little actionable information to the security officer in case of an alert. In this paper we focus on intrusion detection in industrial control systems networks and we propose an innovative, practical and semantics-aware framework for anomaly detection. The network communication model and alerts generated by our framework are userunderstandable, making them much easier to manage. At the same time the framework exhibits an excellent tradeoff between detection rate and false positive rate, which we show by comparing it with two existing payload-based anomaly detection methods on several ICS datasets.

Original language	Undefined
Title of host publication	SAC '16 Proceedings of the 31st Annual ACM Symposium on Applied Computing
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	2063-2070
Number of pages	8
ISBN (Print)	978-1-4503-3739-7
DOIs	https://doi.org/10.1145/2851613.2851799
Publication status	Published - 4 Apr 2016
Event	31st Annual ACM Symposium on Applied Computing, SAC 2016 - Pisa, Italy Duration: 4 Apr 2016 → 8 Apr 2016 Conference number: 31 https://www.sigapp.org/sac/sac2016/

Publication series

Name
Publisher	ACM
Volume	1

Conference

Conference	31st Annual ACM Symposium on Applied Computing, SAC 2016
Abbreviated title	SAC
Country/Territory	Italy
City	Pisa
Period	4/04/16 → 8/04/16
Internet address	https://www.sigapp.org/sac/sac2016/

Keywords

SCS-Cybersecurity
EWI-27112
METIS-318477
Anomaly Detection
Industrial control systems
IR-100902

Access to Document

10.1145/2851613.2851799

p2063-yuksel

Cite this

@inproceedings{81b3bbbb61f04caeb5597932bc0cf851,

title = "Reading between the fields: practical, effective intrusion detection for industrial control systems",

abstract = "Detection of previously unknown attacks and malicious messages is a challenging problem faced by modern network intrusion detection systems. Anomaly-based solutions, despite being able to detect unknown attacks, have not been used often in practice due to their high false positive rate, and because they provide little actionable information to the security officer in case of an alert. In this paper we focus on intrusion detection in industrial control systems networks and we propose an innovative, practical and semantics-aware framework for anomaly detection. The network communication model and alerts generated by our framework are userunderstandable, making them much easier to manage. At the same time the framework exhibits an excellent tradeoff between detection rate and false positive rate, which we show by comparing it with two existing payload-based anomaly detection methods on several ICS datasets.",

keywords = "SCS-Cybersecurity, EWI-27112, METIS-318477, Anomaly Detection, Industrial control systems, IR-100902",

author = "{\"O}mer Y{\"u}ksel and {den Hartog}, Jeremy and Sandro Etalle",

note = "eemcs-eprint-27112 ; null ; Conference date: 04-04-2016 Through 08-04-2016",

year = "2016",

month = apr,

day = "4",

doi = "10.1145/2851613.2851799",

language = "Undefined",

isbn = "978-1-4503-3739-7",

publisher = "Association for Computing Machinery (ACM)",

pages = "2063--2070",

booktitle = "SAC '16 Proceedings of the 31st Annual ACM Symposium on Applied Computing",

address = "United States",

url = "https://www.sigapp.org/sac/sac2016/",

}

Yüksel, Ö, den Hartog, J & Etalle, S 2016, Reading between the fields: practical, effective intrusion detection for industrial control systems. in SAC '16 Proceedings of the 31st Annual ACM Symposium on Applied Computing. Association for Computing Machinery (ACM), New York, pp. 2063-2070, 31st Annual ACM Symposium on Applied Computing, SAC 2016, Pisa, Italy, 4/04/16. https://doi.org/10.1145/2851613.2851799

Reading between the fields: practical, effective intrusion detection for industrial control systems. / Yüksel, Ömer; den Hartog, Jeremy; Etalle, Sandro.

SAC '16 Proceedings of the 31st Annual ACM Symposium on Applied Computing. New York : Association for Computing Machinery (ACM), 2016. p. 2063-2070.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Reading between the fields: practical, effective intrusion detection for industrial control systems

AU - Yüksel, Ömer

AU - den Hartog, Jeremy

AU - Etalle, Sandro

N1 - Conference code: 31

PY - 2016/4/4

Y1 - 2016/4/4

N2 - Detection of previously unknown attacks and malicious messages is a challenging problem faced by modern network intrusion detection systems. Anomaly-based solutions, despite being able to detect unknown attacks, have not been used often in practice due to their high false positive rate, and because they provide little actionable information to the security officer in case of an alert. In this paper we focus on intrusion detection in industrial control systems networks and we propose an innovative, practical and semantics-aware framework for anomaly detection. The network communication model and alerts generated by our framework are userunderstandable, making them much easier to manage. At the same time the framework exhibits an excellent tradeoff between detection rate and false positive rate, which we show by comparing it with two existing payload-based anomaly detection methods on several ICS datasets.

AB - Detection of previously unknown attacks and malicious messages is a challenging problem faced by modern network intrusion detection systems. Anomaly-based solutions, despite being able to detect unknown attacks, have not been used often in practice due to their high false positive rate, and because they provide little actionable information to the security officer in case of an alert. In this paper we focus on intrusion detection in industrial control systems networks and we propose an innovative, practical and semantics-aware framework for anomaly detection. The network communication model and alerts generated by our framework are userunderstandable, making them much easier to manage. At the same time the framework exhibits an excellent tradeoff between detection rate and false positive rate, which we show by comparing it with two existing payload-based anomaly detection methods on several ICS datasets.

KW - SCS-Cybersecurity

KW - EWI-27112

KW - METIS-318477

KW - Anomaly Detection

KW - Industrial control systems

KW - IR-100902

U2 - 10.1145/2851613.2851799

DO - 10.1145/2851613.2851799

M3 - Conference contribution

SN - 978-1-4503-3739-7

SP - 2063

EP - 2070

BT - SAC '16 Proceedings of the 31st Annual ACM Symposium on Applied Computing

PB - Association for Computing Machinery (ACM)

CY - New York

Y2 - 4 April 2016 through 8 April 2016

ER -