Reading between the fields: practical, effective intrusion detection for industrial control systems

Ömer Yüksel, Jeremy den Hartog, Sandro Etalle

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

    15 Citations (Scopus)
    210 Downloads (Pure)

    Abstract

    Detection of previously unknown attacks and malicious messages is a challenging problem faced by modern network intrusion detection systems. Anomaly-based solutions, despite being able to detect unknown attacks, have not been used often in practice due to their high false positive rate, and because they provide little actionable information to the security officer in case of an alert. In this paper we focus on intrusion detection in industrial control systems networks and we propose an innovative, practical and semantics-aware framework for anomaly detection. The network communication model and alerts generated by our framework are user-understandable, making them much easier to manage. At the same time the framework exhibits an excellent trade-off between detection rate and false positive rate, which we show by comparing it with two existing payload-based anomaly detection methods on several ICS datasets.
    Original language: Undefined
    Title of host publication: SAC '16 Proceedings of the 31st Annual ACM Symposium on Applied Computing
    Place of Publication: New York
    Publisher: Association for Computing Machinery (ACM)
    Pages: 2063-2070
    Number of pages: 8
    ISBN (Print): 978-1-4503-3739-7
    DOIs
    Publication status: Published - 4 Apr 2016
    Event: 31st Annual ACM Symposium on Applied Computing, SAC 2016 - Pisa, Italy
    Duration: 4 Apr 2016 - 8 Apr 2016
    Conference number: 31
    https://www.sigapp.org/sac/sac2016/

    Publication series

    Name
    Publisher: ACM
    Volume: 1

    Conference

    Conference: 31st Annual ACM Symposium on Applied Computing, SAC 2016
    Abbreviated title: SAC
    Country: Italy
    City: Pisa
    Period: 4/04/16 - 8/04/16
    Internet address

    Keywords

    • SCS-Cybersecurity
    • EWI-27112
    • METIS-318477
    • Anomaly Detection
    • Industrial control systems
    • IR-100902