Modbus/TCP Communication Anomaly Detection Based on PSO-SVM

Industrial firewall and intrusion detection system based on Modbus TCP protocol analysis and whitelist policy cannot effectively identify attacks on Modbus controller which exactly take advantage of the configured rules. An Industrial control systems simulation environment is established and a data preprocessing method for Modbus TCP traffic captured is designed to meet the need of anomaly detection module. Furthermore a Modbus function code sequence anomaly detection model based on SVM optimized by PSO method is designed. And the model can effectively identify abnormal Modbus TCP traffic, according to frequency of different short mode sequences in a Modbus code sequence.

Download Full-text

A Hierarchical Intrusion Detection System for Industrial Control Networks based on EtherNet/IP

10.20944/preprints201912.0174.v1 ◽

2019 ◽

Author(s):

Wenbin Yu ◽

Yiyin Wang ◽

Lei Song

Keyword(s):

Intrusion Detection ◽

Anomaly Detection ◽

Prediction Model ◽

Intrusion Detection System ◽

Detection System ◽

Traffic Prediction ◽

Support Vector ◽

Industrial Control ◽

Traffic Pattern ◽

Detection Model

Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

Download Full-text

Measurement data intrusion detection in industrial control systems based on unsupervised learning

Applied Computing and Intelligence ◽

10.3934/aci.2021004 ◽

2021 ◽

Vol 1 (1) ◽

pp. 61-74

Author(s):

Sohrab Mokhtari ◽

◽

Kang K Yen

Keyword(s):

Intrusion Detection ◽

Unsupervised Learning ◽

Control Systems ◽

Intrusion Detection System ◽

Detection System ◽

Measurement Data ◽

Abnormal Behavior ◽

Learning Models ◽

Industrial Control ◽

Industrial Control Systems

<abstract><p>Anomaly detection strategies in industrial control systems mainly investigate the transmitting network traffic called network intrusion detection system. However, The measurement intrusion detection system inspects the sensors data integrated into the supervisory control and data acquisition center to find any abnormal behavior. An approach to detect anomalies in the measurement data is training supervised learning models that can learn to classify normal and abnormal data. But, a labeled dataset consisting of abnormal behavior, such as attacks, or malfunctions is extremely hard to achieve. Therefore, the unsupervised learning strategy that does not require labeled data for being trained can be helpful to tackle this problem. This study evaluates the performance of unsupervised learning strategies in anomaly detection using measurement data in control systems. The most accurate algorithms are selected to train unsupervised learning models, and the results show an accuracy of 98% in stealthy attack detection.</p></abstract>

Download Full-text

A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII Industrial Control Systems

2012 45th Hawaii International Conference on System Sciences ◽

10.1109/hicss.2012.78 ◽

2012 ◽

Cited By ~ 37

Author(s):

Thomas Morris ◽

Rayford Vaughn ◽

Yoginder Dandass

Keyword(s):

Intrusion Detection ◽

Control Systems ◽

Intrusion Detection System ◽

Detection System ◽

Network Intrusion Detection ◽

Industrial Control ◽

Industrial Control Systems ◽

Network Intrusion ◽

Network Intrusion Detection System

Download Full-text

Two Stratum Bayesian Network Based Anomaly Detection Model for Intrusion Detection System

2008 International Symposium on Electronic Commerce and Security ◽

10.1109/isecs.2008.178 ◽

2008 ◽

Cited By ~ 4

Author(s):

Lu Huijuan ◽

Chen Jianguo ◽

Wei Wei

Keyword(s):

Intrusion Detection ◽

Anomaly Detection ◽

Bayesian Network ◽

Intrusion Detection System ◽

Detection System ◽

Detection Model

Download Full-text

Behavior Based Anomaly Detection Model in SCADA System

MATEC Web of Conferences ◽

10.1051/matecconf/201817301011 ◽

2018 ◽

Vol 173 ◽

pp. 01011 ◽

Cited By ~ 1

Author(s):

Xiaojun Zhou ◽

Zhen Xu ◽

Liming Wang ◽

Kai Chen ◽

Cong Chen ◽

...

Keyword(s):

Anomaly Detection ◽

Control Systems ◽

Supervisory Control ◽

Industry 4.0 ◽

Industrial Control ◽

Industrial Control Systems ◽

Detection Model ◽

Scada System ◽

Behavior Based ◽

And Control

With the arrival of Industry 4.0, more and more industrial control systems are connected with the outside world, which brings tremendous convenience to industrial production and control, and also introduces many potential security hazards. After a large number of attack cases analysis, we found that attacks in SCADA systems can be divided into internal attacks and external attacks. Both types of attacks are inevitable. Traditional firewalls, IDSs and IPSs are no longer suitable for industrial control systems. Therefore, we propose behavior-based anomaly detection and build three baselines of normal behaviors. Experiments show that using our proposed detection model, we can quickly detect a variety of attacks on SCADA (Supervisory Control And Data Acquisition) systems.

Download Full-text

A Distributed IDS for Industrial Control Systems

International Journal of Cyber Warfare and Terrorism ◽

10.4018/ijcwt.2014040101 ◽

2014 ◽

Vol 4 (2) ◽

pp. 1-22 ◽

Cited By ~ 4

Author(s):

Tiago Cruz ◽

Jorge Proença ◽

Paulo Simões ◽

Matthieu Aubigny ◽

Moussa Ouedraogo ◽

...

Keyword(s):

Control Systems ◽

Supervisory Control ◽

Intrusion Detection System ◽

Detection System ◽

Threat Detection ◽

Industrial Control ◽

Industrial Control Systems ◽

Domain Specific ◽

Remote Management ◽

Distributed Intrusion Detection

Cyber-threats are one of the most significant problems faced by modern Industrial Control Systems (ICS), such as SCADA (Supervisory Control and Data Acquisition) systems, as the vulnerabilities of ICS technology become serious threats that can ultimately compromise human lives. This situation demands a domain-specific approach to cyber threat detection within ICS, which is one of the most important contributions of the CockpitCI FP7 project (http://CockpitCI.eu). Specifically, this paper will present the CockpitCI distributed Intrusion Detection System (IDS) for ICS, which provides its core cyber-detection and analysis capabilities, also including a description of its components, in terms of role, operation, integration, and remote management. Moreover, it will also introduce and describe new domain-specific solutions for ICS security such as the SCADA Honeypot and the Shadow Security Unit, which are part of the CockcpitCI IDS framework.

Download Full-text

A Two Stage Intrusion Detection System for Industrial Control Networks Based on Ethernet/IP

Electronics ◽

10.3390/electronics8121545 ◽

2019 ◽

Vol 8 (12) ◽

pp. 1545

Author(s):

Wenbin Yu ◽

Yiyin Wang ◽

Lei Song

Keyword(s):

Intrusion Detection ◽

Prediction Model ◽

Intrusion Detection System ◽

Detection System ◽

Traffic Prediction ◽

Industrial Control ◽

Two Stage ◽

Detection Model ◽

False Data Injection ◽

Injection Attacks

Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanisms. An improved intrusion detection system (IDS), which is strongly correlated to specific industrial scenarios, is necessary for modern ICS. On one hand, this paper outlines three kinds of attack models, including infiltration attacks, creative forging attacks, and false data injection attacks. On the other hand, a two stage IDS is proposed, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on the autoregressive integrated moving average (ARIMA), can forecast the traffic of the ICS network in the short term and detect infiltration attacks precisely according to the abnormal changes in traffic patterns. Furthermore, the anomaly detection model, using a one class support vector machine (OCSVM), is able to detect malicious control instructions by analyzing the key field in Ethernet/IP packets. The confusion matrix is selected to testify to the effectiveness of the proposed method, and two other innovative IDSs are used for comparison. The experiment results show that the proposed two stage IDS in this paper has an outstanding performance in detecting infiltration attacks, forging attacks, and false data injection attacks compared with other IDSs.

Download Full-text

A Machine Learning Approach for Anomaly Detection in Industrial Control Systems Based on Measurement Data

Electronics ◽

10.3390/electronics10040407 ◽

2021 ◽

Vol 10 (4) ◽

pp. 407 ◽

Cited By ~ 1

Author(s):

Sohrab Mokhtari ◽

Alireza Abbaspour ◽

Kang K. Yen ◽

Arman Sargolzaei

Keyword(s):

Machine Learning ◽

Intrusion Detection ◽

Control Systems ◽

Intrusion Detection System ◽

Detection System ◽

Measurement Data ◽

Traffic Monitoring ◽

Supervised Machine Learning ◽

Industrial Control ◽

Industrial Control Systems

Attack detection problems in industrial control systems (ICSs) are commonly known as a network traffic monitoring scheme for detecting abnormal activities. However, a network-based intrusion detection system can be deceived by attackers that imitate the system’s normal activity. In this work, we proposed a novel solution to this problem based on measurement data in the supervisory control and data acquisition (SCADA) system. The proposed approach is called measurement intrusion detection system (MIDS), which enables the system to detect any abnormal activity in the system even if the attacker tries to conceal it in the system’s control layer. A supervised machine learning model is generated to classify normal and abnormal activities in an ICS to evaluate the MIDS performance. A hardware-in-the-loop (HIL) testbed is developed to simulate the power generation units and exploit the attack dataset. In the proposed approach, we applied several machine learning models on the dataset, which show remarkable performances in detecting the dataset’s anomalies, especially stealthy attacks. The results show that the random forest is performing better than other classifier algorithms in detecting anomalies based on measured data in the testbed.

Download Full-text