TY - JOUR
T1 - Temporal pattern-based malicious activity detection in SCADA systems
AU - Shlomo, Amit
AU - Kalech, Meir
AU - Moskovitch, Robert
N1 - Funding Information:
This research has been funded by the Cyber Security Research Center at Ben-Gurion university of the Negev.
Publisher Copyright:
© 2020
PY - 2021/3/1
Y1 - 2021/3/1
N2 - Critical infrastructures which are crucial to our modern life, such as electricity grids and water pumps, are controlled by Supervisory Control and Data Acquisition (SCADA) systems. Over the last two decades, connecting these critical infrastructures to the internet has become essential, which has made SCADA security an increasingly important research topic. This paper copes with two challenges: (1) SCADA systems tend to repeat themselves within a well-defined time period; a malicious attacker can therefore change the duration for which the system holds a certain value without changing the order of the activities, i.e., the order in which the values appear. (2) The malicious activity may affect the data payload of the communicated SCADA packets rather than the explicitly defined function codes (W/R). To face these challenges we propose two machine learning algorithms. The first algorithm is supervised: it first finds frequent temporal patterns, then recognizes these patterns in the data payload of the SCADA communication protocols and uses them as features for a classification algorithm. The second algorithm is unsupervised: it learns an automaton that represents the temporal behavior of the system; then, at runtime, unknown states or events are declared malicious. Experimental evaluation on a real MODBUS-SCADA dataset from Ben-Gurion University shows that the first, supervised algorithm, which uses frequent temporal patterns as features, performs better than a baseline algorithm that uses the mean and standard deviation as features. The second, unsupervised algorithm performs even better than the first one.
AB - Critical infrastructures which are crucial to our modern life, such as electricity grids and water pumps, are controlled by Supervisory Control and Data Acquisition (SCADA) systems. Over the last two decades, connecting these critical infrastructures to the internet has become essential, which has made SCADA security an increasingly important research topic. This paper copes with two challenges: (1) SCADA systems tend to repeat themselves within a well-defined time period; a malicious attacker can therefore change the duration for which the system holds a certain value without changing the order of the activities, i.e., the order in which the values appear. (2) The malicious activity may affect the data payload of the communicated SCADA packets rather than the explicitly defined function codes (W/R). To face these challenges we propose two machine learning algorithms. The first algorithm is supervised: it first finds frequent temporal patterns, then recognizes these patterns in the data payload of the SCADA communication protocols and uses them as features for a classification algorithm. The second algorithm is unsupervised: it learns an automaton that represents the temporal behavior of the system; then, at runtime, unknown states or events are declared malicious. Experimental evaluation on a real MODBUS-SCADA dataset from Ben-Gurion University shows that the first, supervised algorithm, which uses frequent temporal patterns as features, performs better than a baseline algorithm that uses the mean and standard deviation as features. The second, unsupervised algorithm performs even better than the first one.
KW - Cyber-attack attack detection
KW - Cyber-physical security
KW - Data-driven
KW - Pattern recognition
KW - SCADA systems
UR - http://www.scopus.com/inward/record.url?scp=85098211699&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2020.102153
DO - 10.1016/j.cose.2020.102153
M3 - Article
AN - SCOPUS:85098211699
SN - 0167-4048
VL - 102
JO - Computers and Security
JF - Computers and Security
M1 - 102153
ER -