Abstract
An ICS (Industrial Control System) is a computer-controlled system that monitors and controls distributed field devices in power grids, water treatment plants and other industrial areas. Because each ICS component fulfills a fixed role, ICS network traffic shows obvious regular patterns. These patterns can be used effectively to monitor an ICS network and detect signs of cyber-attacks. In our previous work, we proposed a burst-based anomaly detection method for the DNP3 protocol that uses the regularity of ICS network traffic. Traffic monitoring methods such as switch port mirroring cause several problems: packet duplication, packet reordering, and packet loss. These problems produce many false alarms. Furthermore, it is hard to decide whether an alarm caused by lost packets is true or false. In this paper, we apply our burst-based approach to the TCP protocol in a SCADA network and propose a method to manage these monitoring problems for burst-based anomaly detection.
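The following Python script is an added illustration of the ideas in the abstract and is not the paper's code: it learns a whitelist of burst signatures from a clean trace, then classifies bursts in a mirrored trace while handling the three mirroring artifacts named above. Duplicates are dropped before burst splitting, the burst signature is order-insensitive so reordering does not change it, and a TCP sequence gap inside a burst demotes an alarm to "possible-loss" instead of a firm anomaly. The burst gap threshold, the addresses, the packet format and the assumption that ACK-only segments were filtered beforehand are all assumptions; the traces are constructed.

```python
"""Burst-based whitelist detection over a mirrored SCADA TCP trace, with handling for
duplicated, reordered and lost packets.  Added illustration, not the paper's method;
thresholds, addresses and packet layout are assumptions."""
from collections import namedtuple

# Constructed packet record: capture time, endpoints, TCP sequence number, payload length.
# ACK-only segments are assumed to have been filtered out before this stage.
Pkt = namedtuple("Pkt", "t src dst seq length")

BURST_GAP = 0.05  # assumed: silence longer than this (seconds) closes a burst


def dedup(pkts):
    """Drop exact re-captures of a packet (mirror duplication) and sort by capture time."""
    seen, out = set(), []
    for p in sorted(pkts, key=lambda p: p.t):
        key = (p.src, p.dst, p.seq, p.length)
        if key not in seen:
            seen.add(key)
            out.append(p)
    return out


def split_bursts(pkts):
    """Group time-sorted packets into bursts separated by at least BURST_GAP of silence."""
    bursts, cur = [], []
    for p in pkts:
        if cur and p.t - cur[-1].t > BURST_GAP:
            bursts.append(cur)
            cur = []
        cur.append(p)
    if cur:
        bursts.append(cur)
    return bursts


def signature(burst):
    """Order-insensitive burst pattern: the sorted multiset of (src, dst, payload length).
    A reordered capture of the same exchange therefore yields the same signature."""
    return tuple(sorted((p.src, p.dst, p.length) for p in burst))


def learn_whitelist(training_pkts):
    """Collect every burst signature that occurs in a clean training trace."""
    return {signature(b) for b in split_bursts(dedup(training_pkts))}


def seq_gap(burst, expected):
    """True if some flow in the burst skips bytes relative to its last observed TCP
    sequence, i.e. a packet was lost.  `expected` maps (src, dst) -> next expected seq
    and is updated in place.  Packets are visited in seq order, so a reordered capture
    alone never registers as a gap."""
    gap = False
    for p in sorted(burst, key=lambda p: (p.src, p.dst, p.seq)):
        flow = (p.src, p.dst)
        if flow in expected and p.seq != expected[flow]:
            gap = True
        expected[flow] = p.seq + p.length
    return gap


def classify_trace(pkts, whitelist):
    """Label each burst 'normal' (known pattern), 'possible-loss' (unknown pattern, but
    a sequence gap shows the capture itself is incomplete) or 'anomaly' (unknown
    pattern in a complete capture).  A whitelisted pattern is accepted even if a gap
    was seen, so loss never manufactures an alarm on its own."""
    expected, labels = {}, []
    for burst in split_bursts(dedup(pkts)):
        gap = seq_gap(burst, expected)
        if signature(burst) in whitelist:
            labels.append("normal")
        elif gap:
            labels.append("possible-loss")
        else:
            labels.append("anomaly")
    return labels


# ---- constructed sample traces (master station M polls RTU R once per second) ----
M, R = "10.0.0.1", "10.0.0.2"


def poll_cycle(t, mseq, rseq):
    """One normal polling exchange: a 12-byte request answered by 40 + 24 byte segments."""
    return [Pkt(t, M, R, mseq, 12), Pkt(t + 0.010, R, M, rseq, 40), Pkt(t + 0.015, R, M, rseq + 40, 24)]


TRAINING = [p for k in range(3) for p in poll_cycle(float(k), 1000 + 12 * k, 5000 + 64 * k)]

TEST = (
    poll_cycle(10.0, 2000, 9000)                                                        # clean cycle
    + poll_cycle(11.0, 2012, 9064) + [Pkt(11.001, M, R, 2012, 12)]                      # request mirrored twice
    + [Pkt(12.012, M, R, 2024, 12), Pkt(12.010, R, M, 9168, 24), Pkt(12.013, R, M, 9128, 40)]  # reordered
    + [Pkt(13.0, M, R, 2036, 12), Pkt(13.015, R, M, 9232, 24)]                          # first response segment lost
    + poll_cycle(14.0, 2048, 9256)                                                      # clean cycle
    + [Pkt(15.0, M, R, 2060, 12), Pkt(15.003, M, R, 2072, 60),                          # unexpected 60-byte command
       Pkt(15.010, R, M, 9320, 40), Pkt(15.015, R, M, 9360, 24)]
)

if __name__ == "__main__":
    wl = learn_whitelist(TRAINING)
    for i, label in enumerate(classify_trace(TEST, wl)):
        print(f"burst {i}: {label}")
```

Running the script labels the six test bursts normal, normal, normal, possible-loss, normal, anomaly. Without the deduplication step the second burst would carry two copies of the request and miss the whitelist, which is exactly the kind of false alarm the abstract attributes to port mirroring; with it, only the burst that contains a genuinely unexpected 60-byte command is reported as a firm anomaly, while the burst truncated by loss is reported separately for an analyst to judge.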
© 2015 Springer International Publishing Switzerland
Cite this paper
Kim, KH., Yun, JH., Chang, Y., Kim, W. (2015). Packet Loss Consideration for Burst-Based Anomaly Detection in SCADA Network. In: Rhee, KH., Yi, J. (eds) Information Security Applications. WISA 2014. Lecture Notes in Computer Science(), vol 8909. Springer, Cham. https://doi.org/10.1007/978-3-319-15087-1_28
DOI: https://doi.org/10.1007/978-3-319-15087-1_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15086-4
Online ISBN: 978-3-319-15087-1
eBook Packages: Computer Science (R0)