Specification Mining for Intrusion Detection in Networked Control Systems

M. Caselli; Emmanuele Zambon; Johanna Amann; Robin Sommer; Frank Kargl

Specification Mining for Intrusion Detection in Networked Control Systems

M. Caselli, Emmanuele Zambon, Johanna Amann, Robin Sommer, Frank Kargl

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

14 Citations (Scopus)

26 Downloads (Pure)

Abstract

This paper discusses a novel approach to specification-based intrusion detection in the field of networked control systems. Our approach reduces the substantial human effort required to deploy a specification-based intrusion detection system by automating the development of its specification rules. We observe that networked control systems often include comprehensive documentation used by operators to manage their infrastructures. Our approach leverages the same documentation to automatically derive the specification rules and continuously monitor network traffic. In this paper, we implement this approach for BACnet-based building automation systems and test its effectiveness against two real infrastructures deployed at the University of Twente and the Lawrence Berkeley National Laboratory (LBNL). Our implementation successfully identifies process control mistakes and potentially dangerous misconfigurations. This confirms the need for an improved monitoring of networked control system infrastructures.

Original language	English
Title of host publication	Proceedings of the 25th USENIX Security Symposium
Publisher	USENIX Association
Pages	791-806
Number of pages	16
ISBN (Print)	978-1-931971-32-4
Publication status	Published - 2016
Event	25th USENIX Security Symposium 2016 - Austin, United States Duration: 10 Aug 2016 → 12 Aug 2016 Conference number: 25

Conference

Conference	25th USENIX Security Symposium 2016
Abbreviated title	USENIX Security
Country	United States
City	Austin
Period	10/08/16 → 12/08/16

Keywords

SCS-Cybersecurity
EC Grant Agreement nr.: FP7/607093
IR-102119
METIS-319471
EWI-27407

Access to Document

sm-ids
open

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_caselli.pdf

Fingerprint Dive into the research topics of 'Specification Mining for Intrusion Detection in Networked Control Systems'. Together they form a unique fingerprint.

Cite this

Caselli, M., Zambon, E., Amann, J., Sommer, R., & Kargl, F. (2016). Specification Mining for Intrusion Detection in Networked Control Systems. In Proceedings of the 25th USENIX Security Symposium (pp. 791-806). USENIX Association.

@inproceedings{3db7e4b80b884fe8b084dd0a56a8810b,

title = "Specification Mining for Intrusion Detection in Networked Control Systems",

abstract = "This paper discusses a novel approach to specification-based intrusion detection in the field of networked control systems. Our approach reduces the substantial human effort required to deploy a specification-based intrusion detection system by automating the development of its specification rules. We observe that networked control systems often include comprehensive documentation used by operators to manage their infrastructures. Our approach leverages the same documentation to automatically derive the specification rules and continuously monitor network traffic. In this paper, we implement this approach for BACnet-based building automation systems and test its effectiveness against two real infrastructures deployed at the University of Twente and the Lawrence Berkeley National Laboratory (LBNL). Our implementation successfully identifies process control mistakes and potentially dangerous misconfigurations. This confirms the need for an improved monitoring of networked control system infrastructures.",

keywords = "SCS-Cybersecurity, EC Grant Agreement nr.: FP7/607093, IR-102119, METIS-319471, EWI-27407",

author = "M. Caselli and Emmanuele Zambon and Johanna Amann and Robin Sommer and Frank Kargl",

year = "2016",

language = "English",

isbn = "978-1-931971-32-4",

pages = "791--806",

booktitle = "Proceedings of the 25th USENIX Security Symposium",

publisher = "USENIX Association",

}

TY - GEN

T1 - Specification Mining for Intrusion Detection in Networked Control Systems

AU - Caselli, M.

AU - Zambon, Emmanuele

AU - Amann, Johanna

AU - Sommer, Robin

AU - Kargl, Frank

PY - 2016

Y1 - 2016

N2 - This paper discusses a novel approach to specification-based intrusion detection in the field of networked control systems. Our approach reduces the substantial human effort required to deploy a specification-based intrusion detection system by automating the development of its specification rules. We observe that networked control systems often include comprehensive documentation used by operators to manage their infrastructures. Our approach leverages the same documentation to automatically derive the specification rules and continuously monitor network traffic. In this paper, we implement this approach for BACnet-based building automation systems and test its effectiveness against two real infrastructures deployed at the University of Twente and the Lawrence Berkeley National Laboratory (LBNL). Our implementation successfully identifies process control mistakes and potentially dangerous misconfigurations. This confirms the need for an improved monitoring of networked control system infrastructures.

AB - This paper discusses a novel approach to specification-based intrusion detection in the field of networked control systems. Our approach reduces the substantial human effort required to deploy a specification-based intrusion detection system by automating the development of its specification rules. We observe that networked control systems often include comprehensive documentation used by operators to manage their infrastructures. Our approach leverages the same documentation to automatically derive the specification rules and continuously monitor network traffic. In this paper, we implement this approach for BACnet-based building automation systems and test its effectiveness against two real infrastructures deployed at the University of Twente and the Lawrence Berkeley National Laboratory (LBNL). Our implementation successfully identifies process control mistakes and potentially dangerous misconfigurations. This confirms the need for an improved monitoring of networked control system infrastructures.

KW - SCS-Cybersecurity

KW - EC Grant Agreement nr.: FP7/607093

KW - IR-102119

KW - METIS-319471

KW - EWI-27407

M3 - Conference contribution

SN - 978-1-931971-32-4

SP - 791

EP - 806

BT - Proceedings of the 25th USENIX Security Symposium

PB - USENIX Association

ER -