Temporal pattern-based malicious activity detection in SCADA systems. Issue 102 (March 2021)
- Record Type:
- Journal Article
- Title:
- Temporal pattern-based malicious activity detection in SCADA systems. Issue 102 (March 2021)
- Main Title:
- Temporal pattern-based malicious activity detection in SCADA systems
- Authors:
- Shlomo, Amit
Kalech, Meir
Moskovitch, Robert - Abstract:
- Abstract: Critical infrastructures which are crucial to our modern life such as electricity grids and water pumps are controlled by Supervisory Control and Data Acquisition (SCADA) systems. Over the last two decades connecting these critical infrastructures to the internet has become essential. This made SCADA security an increasingly important research topic. This paper copes with two challenges: (1) SCADA systems tend to repeat themselves within a well-defined time period; then a malicious attacker can change the duration time in which the system holds a certain value without changing the order of the activities, i.e., the order in which the values appear. (2) The malicious activity may affect the data payload of the communicated SCADA packets rather than the explicit defined function codes (W/R). To face these challenges we propose two machine learning algorithms. The first algorithm is supervised. It finds first frequent temporal patterns, then these patterns are recognized in the data payload of the SCADA communication protocols, and used as features for a classification algorithm. The second algorithm is unsupervised. It learns an automaton that represents the temporal behavior of the system. Then at runtime, unknown states or events are declared as malicious. Experimental evaluation on real MODUBS-SCADA dataset from Ben-Gurion University shows that the first supervised algorithm, that uses frequent temporal patterns as features, performs better than a baselineAbstract: Critical infrastructures which are crucial to our modern life such as electricity grids and water pumps are controlled by Supervisory Control and Data Acquisition (SCADA) systems. Over the last two decades connecting these critical infrastructures to the internet has become essential. This made SCADA security an increasingly important research topic. This paper copes with two challenges: (1) SCADA systems tend to repeat themselves within a well-defined time period; then a malicious attacker can change the duration time in which the system holds a certain value without changing the order of the activities, i.e., the order in which the values appear. (2) The malicious activity may affect the data payload of the communicated SCADA packets rather than the explicit defined function codes (W/R). To face these challenges we propose two machine learning algorithms. The first algorithm is supervised. It finds first frequent temporal patterns, then these patterns are recognized in the data payload of the SCADA communication protocols, and used as features for a classification algorithm. The second algorithm is unsupervised. It learns an automaton that represents the temporal behavior of the system. Then at runtime, unknown states or events are declared as malicious. Experimental evaluation on real MODUBS-SCADA dataset from Ben-Gurion University shows that the first supervised algorithm, that uses frequent temporal patterns as features, performs better than a baseline algorithm that considers the mean and standard deviation as features. The second unsupervised algorithm performs even better than the first one. … (more)
- Is Part Of:
- Computers & security. Issue 102(2021)
- Journal:
- Computers & security
- Issue:
- Issue 102(2021)
- Issue Display:
- Volume 102, Issue 102 (2021)
- Year:
- 2021
- Volume:
- 102
- Issue:
- 102
- Issue Sort Value:
- 2021-0102-0102-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-03
- Subjects:
- Cyber-attack attack detection -- SCADA systems -- Pattern recognition -- Cyber-physical security -- Data-driven
Computer security -- Periodicals
Electronic data processing departments -- Security measures -- Periodicals
005.805 - Journal URLs:
- http://www.sciencedirect.com/science/journal/01674048 ↗
http://www.elsevier.com/journals ↗ - DOI:
- 10.1016/j.cose.2020.102153 ↗
- Languages:
- English
- ISSNs:
- 0167-4048
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 3394.781000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store - Ingest File:
- 15487.xml