Sequence-aware intrusion detection in industrial control systems

M. Caselli, Emmanuele Zambon, Frank Kargl

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    112 Citations (Scopus)


    Nowadays, several threats endanger cyber-physical systems. Among these systems, industrial control systems (ICS) operating on critical infrastructures have been proven to be an attractive target for attackers. The case of Stuxnet has not only showed that ICSs are vulnerable to cyber-attacks, but also that some of these attacks rely on understanding the processes beyond the employed systems and using such knowledge to maximize the damage. This concept is commonly known as "semantic attack". Our paper discusses a specific type of semantic attack involving "sequences of events". Common network intrusion detection systems (NIDS) generally search for single, unusual or "not permitted" operations. In our case, rather than a malicious event, we show how a specific series of "permitted" operations can elude standard intrusion detection systems and still damage an infrastructure. Moreover, we present a possible approach to the development of a sequence-aware intrusion detection system (S-IDS). We propose a S-IDS reference architecture and we discuss all the steps through its implementations. Finally, we test the S-IDS on real ICS traffic samples captured from a water treatment and purification facility.
    Original languageUndefined
    Title of host publicationProceedings of the 1st ACM Workshop on Cyber-Physical System Security
    EditorsJianying Zhou, D. Jones
    Place of PublicationNew York
    PublisherAssociation for Computing Machinery (ACM)
    Number of pages12
    ISBN (Print)978-1-4503-3448-8
    Publication statusPublished - Apr 2015
    Event1st ACM Workshop on Cyber-Physical System Security - Singapore
    Duration: 14 Apr 201517 Apr 2015

    Publication series

    NameCPSS Workshop - AsiaCCS'15


    Workshop1st ACM Workshop on Cyber-Physical System Security
    Other14-17 April 2015


    • SCS-Cybersecurity
    • EC Grant Agreement nr.: FP7-SEC-285477-CRISALIS
    • EWI-26538
    • Semantic attack
    • IR-98662
    • Cyber-physical system
    • Intrusion detection system
    • METIS-315081
    • Sequence attack

    Cite this