Graduate student: | 馬永發 Saranachon Iammongkol |
---|---|
Thesis title: | Network intrusion detection for SCADA systems using density estimation of packet inter-arrival time |
Advisors: | 李漢銘 Hahn-Ming Lee, 鄭欣明 Shin-Ming Cheng |
Oral defense committee: | 黃俊穎, 蕭旭君, 毛敬豪 |
Degree: | Master |
Department: | College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering |
Year of publication: | 2021 |
Graduation academic year: | 109 |
Language: | English |
Number of pages: | 59 |
Chinese keywords: | Cyber Security, SCADA systems, Industrial Control Systems, Network Intrusion Detection |
Foreign-language keywords: | Cyber Security, SCADA systems, Industrial Control Systems, Network Intrusion Detection |
Critical infrastructure and manufacturing use distributed systems, usually known as SCADA systems, to process data collected from sensor networks and to control physical actuators. A system malfunction can be devastating, costing time, money, or even human life. Our paper aims to overcome two challenges in SCADA system security: (1) the systems must satisfy hard timing constraints while the robust industrial equipment provides few resources; (2) most of the time, the data available from SCADA systems are unbalanced. To achieve our target, we focus on the SCADA system's unique cyclic communication characteristic, which we found can be explained using the theory of PLC-automata. We then analyze the timing constraints in HMI and PLC communication, which shows that the inter-arrival time of packets between devices contains the footprint of system state transitions. We propose a network-based anomaly detection algorithm for SCADA systems that uses benign inter-arrival times only. The experimental evaluation uses a public MODBUS dataset from IEEE Dataport.