Timing-Based Anomaly Detection in SCADA Networks

Bibliographic Details
Published in: Critical Information Infrastructures Security, Vol. 10707, pp. 48-59
Main Authors: Lin, Chih-Yuan; Nadjm-Tehrani, Simin; Asplund, Mikael
Format: Book Chapter, Conference Proceeding
Language: English
Published: Switzerland, Springer International Publishing AG, 2018
Series: Lecture Notes in Computer Science
ISBN: 3319998420, 9783319998428, 9783319998435, 3319998439
ISSN: 0302-9743, 1611-3349
DOI: 10.1007/978-3-319-99843-5_5
More Information
Summary: Supervisory Control and Data Acquisition (SCADA) systems that operate our critical infrastructures are subject to an increasing number of cyber attacks. Because polling uses request-response communication, SCADA traffic exhibits stable and predictable communication patterns. This paper provides a timing-based anomaly detection system that uses the statistical attributes of these communication patterns. The system is validated with three datasets, one generated from real devices and two from emulated networks, and is shown to have a False Positive Rate (FPR) under 1.4%. The tests are performed in the context of three different attack scenarios, all of which involve only protocol-valid messages and therefore cannot be detected by whitelisting mechanisms. The detection accuracy and timing performance are adequate for all attack scenarios in request-response communications. With other interaction patterns (i.e. spontaneous communications), we found instead that two of the three attacks are detected.
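The following is an added illustration of the idea in the abstract, not the authors' code: a detector that learns, per flow (master, outstation, function code), the mean and standard deviation of the polling interval between consecutive requests and of the request-to-response delay, then flags events whose timing falls more than k standard deviations from the learned mean. The Modbus/TCP-like event log, the 1 s polling period with small jitter, the two attack traces (an injected but protocol-valid extra read request, and a reply held back by 300 ms) and the thresholds are all constructed for this example; the paper's actual model, attack scenarios and thresholds are not reproduced here.

```python
"""Illustrative timing-based anomaly detector for polled SCADA traffic.

Added example, not the paper's code. Assumes request/response events have
already been parsed into (time, master, outstation, function code, direction).
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    t: float            # capture timestamp in seconds
    master: str         # polling master (HMI / SCADA server)
    outstation: str     # PLC / RTU being polled
    func: int           # protocol function code (e.g. Modbus 3 = read holding registers)
    is_request: bool    # True for master -> outstation, False for the reply


def flow_key(e: Event):
    """A flow is one master polling one outstation with one function code."""
    return (e.master, e.outstation, e.func)


class TimingModel:
    """Per-flow mean/std of polling interval and response delay; z-score alerts."""

    def __init__(self, k: float = 3.0, min_std: float = 0.01):
        self.k = k                  # alert when |x - mean| > k * std
        self.min_std = min_std      # std floor (s): a jitter-free training set
                                    # must not turn every live event into an outlier
        self.period = {}            # flow -> (mean, std) of inter-request interval
        self.rtt = {}               # flow -> (mean, std) of request -> response delay

    def fit(self, events):
        intervals, rtts, last_req = defaultdict(list), defaultdict(list), {}
        for e in sorted(events, key=lambda x: x.t):
            f = flow_key(e)
            if e.is_request:
                if f in last_req:
                    intervals[f].append(e.t - last_req[f])
                last_req[f] = e.t
            elif f in last_req:
                rtts[f].append(e.t - last_req[f])
        self.period = {f: (mean(x), max(pstdev(x), self.min_std))
                       for f, x in intervals.items() if len(x) >= 2}
        self.rtt = {f: (mean(x), max(pstdev(x), self.min_std))
                    for f, x in rtts.items() if len(x) >= 2}
        return self

    def detect(self, events):
        """Return (time, flow, kind, z) for every timing outlier.

        Flows never seen in training have no model and are not judged here;
        whether such a flow is allowed at all is a whitelisting question.
        """
        alerts, last_req = [], {}
        for e in sorted(events, key=lambda x: x.t):
            f = flow_key(e)
            stats = self.period.get(f) if e.is_request else self.rtt.get(f)
            if f in last_req and stats is not None:
                m, s = stats
                z = abs((e.t - last_req[f]) - m) / s
                if z > self.k:
                    kind = "interval" if e.is_request else "response_delay"
                    alerts.append((e.t, f, kind, round(z, 1)))
            if e.is_request:
                last_req[f] = e.t
        return alerts


def polling_trace(n_cycles, period=1.0, rtt=0.020,
                  master="10.0.0.1", outstation="10.0.0.20", func=3):
    """Constructed sample: one master polls one outstation with function code 3
    every `period` seconds, with +/-5 ms request jitter and 0-2 ms reply jitter."""
    events = []
    for i in range(n_cycles):
        t_req = i * period + 0.005 * ((i % 3) - 1)
        events.append(Event(t_req, master, outstation, func, True))
        events.append(Event(t_req + rtt + 0.002 * (i % 2), master, outstation, func, False))
    return events


def injected_request_attack(events):
    """Constructed attack 1: an extra, protocol-valid read request is sent between
    two legitimate polls and answered. A whitelist passes it; the shortened
    inter-request interval does not fit the learned polling period."""
    e0 = events[0]
    return events + [Event(5.5, e0.master, e0.outstation, e0.func, True),
                     Event(5.52, e0.master, e0.outstation, e0.func, False)]


def delayed_response_attack(events, delay=0.3):
    """Constructed attack 2: the reply to the 8th poll is held back 300 ms (as a
    value-rewriting man-in-the-middle would); the message itself stays valid."""
    idx = 2 * 7 + 1    # replies sit at odd positions in polling_trace()
    return events[:idx] + [replace(events[idx], t=events[idx].t + delay)] + events[idx + 1:]


def run_demo():
    model = TimingModel().fit(polling_trace(30))
    clean = polling_trace(12)
    return {"clean": model.detect(clean),
            "injected": model.detect(injected_request_attack(clean)),
            "delayed": model.detect(delayed_response_attack(clean))}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts)
```

The clean trace produces no alerts, the injected request produces two "interval" alerts (the injected request arrives early, and the next legitimate poll then arrives early relative to it), and the held-back reply produces one "response_delay" alert. The example models only the request-response pattern the abstract describes as predictable; spontaneous (unsolicited) traffic has no stable period to learn, which is where the paper reports that only two of its three attacks were detected.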