DOI: 10.1145/2899015.2899028

Exploiting Bro for Intrusion Detection in a SCADA System

Published: 30 May 2016

Abstract

Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly operated with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, together with their legacy aspects, makes adding new security mechanisms in an efficient manner far from trivial. In this paper we study an anomaly detection based approach that enables detecting zero-day malicious threats as well as benign misconfigurations and mishaps. The approach builds on an existing platform (Bro) that lends itself to modular addition of new protocol parsers and event handling mechanisms. As an example we show an application of the technique to the IEC 60870-5-104 protocol and test the anomaly detector, with mixed results. The detection accuracy and false positive rate, as well as the real-time response, were adequate for 3 of our 4 created attacks. We also identified additional work that needs to be done on an existing protocol parser to extend its reach.
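The abstract describes Bro (since renamed Zeek) parsing IEC 60870-5-104 traffic into protocol events that an anomaly detector consumes. The following is an added example, not code from the paper or from Bro/Zeek, written in Python rather than Bro's scripting language. It parses constructed IEC 104 APDUs (APCI, then the ASDU header and its information objects), records every (direction, type id, cause of transmission, common address, IOA) tuple during a learning phase, and afterwards flags any I-frame whose tuple was never seen in the baseline, which is how an injected control command surfaces. The `ELEM_SIZE` subset, `build_i_frame`, the `m2r`/`r2m` direction labels and all sample traffic are assumptions constructed for this illustration.

```python
"""Toy IEC 60870-5-104 parser plus a learn-then-detect anomaly detector.
Added example, not code from the paper (which built on Bro/Zeek).
Frame layout follows IEC 60870-5-104: APCI = 0x68, length, 4 control
octets; ASDU = type id, VSQ, COT (2), CA (2), then IOA (3) + element.
ELEM_SIZE, build_i_frame, the direction labels and all sample traffic
are constructed for this illustration."""
import struct
from dataclasses import dataclass

# Element size per type id for the few ASDU types used here (constructed
# subset; a real parser covers every type in the standard).
ELEM_SIZE = {1: 1, 13: 5, 45: 1, 100: 1}
TYPE_NAME = {1: "M_SP_NA_1", 13: "M_ME_NF_1", 45: "C_SC_NA_1", 100: "C_IC_NA_1"}


@dataclass(frozen=True)
class Asdu:
    type_id: int
    cot: int        # cause of transmission, low 6 bits of the first COT octet
    ca: int         # common address of ASDU
    ioas: tuple     # information object addresses carried in this ASDU


def parse_apdu(buf: bytes):
    """Return ("I", Asdu), ("S", None) or ("U", None); raise ValueError if malformed."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("bad start byte or short APDU")
    if len(buf) != buf[1] + 2:          # length octet excludes itself and 0x68
        raise ValueError("APDU length field disagrees with buffer")
    ctrl = buf[2:6]
    if ctrl[0] & 0x01:                  # bit 0 set: S- or U-format, no ASDU
        return ("S", None) if ctrl[0] & 0x03 == 0x01 else ("U", None)
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    sq, n_obj = vsq >> 7, vsq & 0x7F
    cot = asdu[2] & 0x3F
    ca = struct.unpack("<H", asdu[4:6])[0]
    size = ELEM_SIZE.get(type_id)
    if size is None:
        raise ValueError(f"unsupported type id {type_id}")
    ioas, pos = [], 6
    if sq:                              # SQ=1: one IOA, n_obj contiguous elements
        base = int.from_bytes(asdu[pos:pos + 3], "little")
        ioas = [base + i for i in range(n_obj)]
        pos += 3 + n_obj * size
    else:                               # SQ=0: every object carries its own IOA
        for _ in range(n_obj):
            ioas.append(int.from_bytes(asdu[pos:pos + 3], "little"))
            pos += 3 + size
    if pos != len(asdu):                # trailing or missing bytes: reject, do not guess
        raise ValueError("ASDU body length mismatch")
    return ("I", Asdu(type_id, cot, ca, tuple(ioas)))


def build_i_frame(type_id, cot, ca, objects, send=0, recv=0):
    """Encode an I-frame with SQ=0; objects is a list of (ioa, element_bytes)."""
    body = bytes([type_id, len(objects), cot, 0]) + struct.pack("<H", ca)
    for ioa, elem in objects:
        body += ioa.to_bytes(3, "little") + elem
    ctrl = struct.pack("<HH", send << 1, recv << 1)   # bit 0 clear marks I-format
    return bytes([0x68, 4 + len(body)]) + ctrl + body


class Detector:
    """Learning phase records every (direction, type, cot, ca, ioa) tuple;
    detection phase alerts on I-frames carrying a tuple never seen before."""

    def __init__(self):
        self.profile = set()
        self.learning = True

    def observe(self, direction, buf):
        fmt, asdu = parse_apdu(buf)
        if fmt != "I":                  # S/U frames carry no process data
            return []
        alerts = []
        for ioa in asdu.ioas:
            key = (direction, asdu.type_id, asdu.cot, asdu.ca, ioa)
            if self.learning:
                self.profile.add(key)
            elif key not in self.profile:
                alerts.append(f"{direction} {TYPE_NAME[asdu.type_id]} "
                              f"cot={asdu.cot} ca={asdu.ca} ioa={ioa}")
        return alerts


def run_demo():
    """Constructed traffic: learn from a station interrogation and its replies,
    then detect an injected single command to an IOA never seen in training."""
    det = Detector()
    training = [
        ("m2r", build_i_frame(100, 6, 1, [(0, b"\x14")])),            # C_IC_NA_1, QOI=20
        ("r2m", build_i_frame(1, 20, 1, [(1001, b"\x01"), (1002, b"\x00")])),  # M_SP_NA_1
        ("r2m", build_i_frame(13, 3, 1, [(2001, struct.pack("<f", 49.98) + b"\x00")])),
    ]
    for direction, frame in training:
        det.observe(direction, frame)
    det.learning = False
    probe = [
        ("m2r", build_i_frame(100, 6, 1, [(0, b"\x14")])),            # normal re-interrogation
        ("m2r", bytes([0x68, 4, 0x01, 0, 0, 0])),                     # S-frame, ignored
        ("m2r", build_i_frame(45, 6, 1, [(3001, b"\x01")])),          # C_SC_NA_1 to unknown IOA
    ]
    alerts = []
    for direction, frame in probe:
        alerts += det.observe(direction, frame)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print("ALERT:", a)
```

A baseline this strict alerts on any tuple absent from the learning window, so a legitimate but rare operation (a command the operator issues once a year) fires just like an injected one; the learning window has to cover such operations or an operator has to review and whitelist them, which is the false-positive trade-off the abstract's "mixed results" hints at. The parser also rejects any APDU whose length fields disagree with the bytes actually present rather than guessing, since a detector that silently skips malformed frames is blind to exactly the traffic an attacker is most likely to send.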



Published In

CPSS '16: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security
May 2016
102 pages
ISBN:9781450342889
DOI:10.1145/2899015

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. anomaly detection
  2. bro
  3. ids
  4. iec 60870-5-104
  5. scada

Qualifiers

  • Research-article

Funding Sources

  • Vinnova
  • Formas
  • Swedish Civil Contingencies Agency (MSB)
  • Swedish Energy Agency

Conference

ASIA CCS '16

Acceptance Rates

CPSS '16 paper acceptance rate: 8 of 28 submissions, 29%
Overall acceptance rate: 43 of 135 submissions, 32%

Article Metrics

  • Downloads (Last 12 months)14
  • Downloads (Last 6 weeks)0
Reflects downloads up to 13 Jan 2025

Cited By
  • (2025) A comprehensive survey of Federated Intrusion Detection Systems: Techniques, challenges and solutions. Computer Science Review 56:100717. DOI 10.1016/j.cosrev.2024.100717. Published May 2025.
  • (2024) Anomaly Detection in SCADA Systems: A State Transition Modeling. IEEE Transactions on Network and Service Management 21(3):3511-3521. DOI 10.1109/TNSM.2024.3373881. Published June 2024.
  • (2023) A Framework for Detection of MitM Cyberattacks in Smart Grid Networks Based on the Application of the Ensemble Process for Feature Selection. 2023 13th International Conference on Dependable Systems, Services and Technologies (DESSERT), pp. 1-8. DOI 10.1109/DESSERT61349.2023.10416474. Published 13 October 2023.
  • (2022) Improving anomaly detection in SCADA network communication with attribute extension. Energy Informatics 5(1). DOI 10.1186/s42162-022-00252-1. Published 21 December 2022.
  • (2022) On specification-based cyber-attack detection in smart grids. Energy Informatics 5(S1). DOI 10.1186/s42162-022-00206-7. Published 7 September 2022.
  • (2022) Retina. Proceedings of the ACM SIGCOMM 2022 Conference, pp. 530-544. DOI 10.1145/3544216.3544227. Published 22 August 2022.
  • (2022) Why Anomaly-Based Intrusion Detection Systems Have Not Yet Conquered the Industrial Market? Foundations and Practice of Security, pp. 341-354. DOI 10.1007/978-3-031-08147-7_23. Published 15 June 2022.
  • (2021) Intrusion and anomaly detection for the next-generation of industrial automation and control systems. Future Generation Computer Systems 119:50-67. DOI 10.1016/j.future.2021.01.033. Published June 2021.
  • (2021) Securing smart-grid infrastructure against emerging threats. Solving Urban Infrastructure Problems Using Smart City Technologies, pp. 359-382. DOI 10.1016/B978-0-12-816816-5.00016-4. Published 2021.
  • (2021) A survey on intrusion detection system: feature selection, model, performance measures, application perspective, challenges, and future research directions. Artificial Intelligence Review. DOI 10.1007/s10462-021-10037-9. Published 1 July 2021.
