Unknown Attack Traffic Classification in SCADA Network Using Heuristic Clustering Technique

Published: 20 January 2023

Abstract

Attack Traffic Classification (ATC) is an essential tool for Industrial Control System (ICS) network security, with wide use in active defense, situational awareness, attack source traceback and related tasks. At present, state-of-the-art ATC methods are usually based on statistical traffic features and machine learning techniques, including supervised classification and unsupervised clustering. However, these methods struggle with two problems of ATC in Supervisory Control and Data Acquisition (SCADA) networks: the lack of attack samples and the strict real-time requirement. To address these problems, we propose a self-growing ATC model based on a new density-based heuristic clustering method, which can continuously and automatically detect and distinguish different kinds of unknown attack traffic generated by various attack tools against SCADA networks in real time. An effective representation of SCADA network traffic is also proposed to further improve ATC performance. In addition, extensive experiments are conducted on a compound dataset consisting of a SCADA network dataset, an attack tool dataset and an ICS honeypot dataset to evaluate the proposed method. The experimental results show that the proposed method outperforms existing state-of-the-art ATC methods in the crucial situation where only normal SCADA network traffic is available.


Cited By

• (2024) CIDF: Combined Intrusion Detection Framework in Industrial Control Systems based on Packet Signature and Enhanced FSFDP. Proceedings of the 15th Asia-Pacific Symposium on Internetware, pp. 417–426, doi:10.1145/3671016.3674812. Online publication date: 24 Jul 2024.
• (2024) Scanner-Hunter: An Effective ICS Scanning Group Identification System. IEEE Transactions on Information Forensics and Security, vol. 19, pp. 3077–3092, doi:10.1109/TIFS.2024.3359002. Online publication date: 1 Jan 2024.

Published In

IEEE Transactions on Network and Service Management, Volume 20, Issue 3, Sept. 2023, 1837 pages
Publisher: IEEE Press
