Abstract
This paper presents an innovative, distributed, multilayer approach for detecting known and unknown attacks on industrial control systems. The approach employs process event correlation, critical state detection and critical state aggregation. The paper also describes a prototype implementation and provides experimental results that validate the intrusion detection approach.
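The following is an added illustration of the critical state idea, not code from the paper or its prototype. It assumes Modbus/TCP framing as in the Modbus Application Protocol and TCP/IP implementation guides, and the plant semantics (unit 1 = pump PLC with coil 1 = pump running and register 10 = pressure setpoint; unit 2 = valve PLC with coil 3 = discharge valve open) are made up for the example. Two sensors each rebuild the state of the PLCs on their own segment from the write commands they see; each write is legitimate on its own, and only the aggregated plant-wide state satisfies a critical-state rule. The sample traffic is constructed inline.

```python
import struct
from dataclasses import dataclass, field

# Modbus function codes modelled here (values from the Modbus Application Protocol spec)
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


def build_frame(tid, unit, fc, payload):
    """Build a Modbus/TCP request (MBAP header + PDU); used only to construct sample traffic."""
    pdu = struct.pack(">B", fc) + payload
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame):
    """Split a Modbus/TCP frame into (unit id, function code, data); reject malformed MBAP."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7], frame[8:]


@dataclass
class PlcState:
    coils: dict = field(default_factory=dict)
    registers: dict = field(default_factory=dict)


class ProcessStateTracker:
    """One sensor: rebuilds the process state of each PLC (unit id) on its segment
    from the write commands it sees, so that states, not single packets, are judged."""

    def __init__(self):
        self.states = {}

    def observe(self, frame):
        unit, fc, data = parse_frame(frame)
        st = self.states.setdefault(unit, PlcState())
        if fc == WRITE_SINGLE_COIL:
            addr, val = struct.unpack(">HH", data[:4])
            st.coils[addr] = 1 if val == 0xFF00 else 0
        elif fc == WRITE_SINGLE_REGISTER:
            addr, val = struct.unpack(">HH", data[:4])
            st.registers[addr] = val
        elif fc == WRITE_MULTIPLE_REGISTERS:
            start, qty, nbytes = struct.unpack(">HHB", data[:5])
            if nbytes != 2 * qty or len(data) < 5 + nbytes:
                raise ValueError("malformed Write Multiple Registers payload")
            for i, v in enumerate(struct.unpack(">%dH" % qty, data[5:5 + nbytes])):
                st.registers[start + i] = v
        # reads and other function codes leave the modelled state unchanged
        return self.states


# Critical-state rules. The plant semantics are assumptions for this example: unit 1 is
# the pump PLC (coil 1 = pump running, register 10 = pressure setpoint), unit 2 is the
# valve PLC (coil 3 = discharge valve open).
def _plc(states, unit):
    return states.get(unit, PlcState())


CRITICAL_STATES = {
    "pump_running_against_closed_valve": lambda s: (
        _plc(s, 1).coils.get(1) == 1 and _plc(s, 2).coils.get(3) == 0),
    "pressure_setpoint_above_limit": lambda s: _plc(s, 1).registers.get(10, 0) > 800,
}


def detect_critical_states(states):
    """Return the names of critical states the given (local or aggregated) view satisfies."""
    return sorted(name for name, rule in CRITICAL_STATES.items() if rule(states))


def aggregate(*trackers):
    """Merge the per-PLC states reported by several sensors into one plant-wide view."""
    merged = {}
    for t in trackers:
        merged.update(t.states)
    return merged


def run_demo():
    """Constructed traffic: every write is individually legitimate; only the combination is critical."""
    sensor_a, sensor_b = ProcessStateTracker(), ProcessStateTracker()
    # segment A: operator starts the pump on unit 1 and sets the pressure setpoint to 650
    sensor_a.observe(build_frame(1, 1, WRITE_SINGLE_COIL, struct.pack(">HH", 1, 0xFF00)))
    sensor_a.observe(build_frame(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 10, 650)))
    # segment B: the discharge valve on unit 2 is closed
    sensor_b.observe(build_frame(3, 2, WRITE_SINGLE_COIL, struct.pack(">HH", 3, 0x0000)))
    local = (detect_critical_states(sensor_a.states), detect_critical_states(sensor_b.states))
    global1 = detect_critical_states(aggregate(sensor_a, sensor_b))
    # later: a Write Multiple Registers pushes the setpoint to 900 on unit 1
    sensor_a.observe(build_frame(4, 1, WRITE_MULTIPLE_REGISTERS,
                                 struct.pack(">HHBH", 10, 1, 2, 900)))
    global2 = detect_critical_states(aggregate(sensor_a, sensor_b))
    return local, global1, global2


if __name__ == "__main__":
    print(run_demo())
```

Neither sensor raises an alert on its own view, because the rule spans two PLCs on different segments; the aggregated view does. A signature IDS that inspects packets individually has nothing to match here, which is the gap that state-based detection closes. Rules over the modelled state are also what lets the detector flag an attack it has no signature for, as long as the attack has to drive the plant through a known-critical state.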
Copyright information
© 2010 IFIP International Federation for Information Processing
Cite this paper
Fovino, I.N., Masera, M., Guglielmi, M., Carcano, A., Trombetta, A. (2010). Distributed Intrusion Detection System for SCADA Protocols. In: Moore, T., Shenoi, S. (eds) Critical Infrastructure Protection IV. ICCIP 2010. IFIP Advances in Information and Communication Technology, vol 342. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16806-2_7
DOI: https://doi.org/10.1007/978-3-642-16806-2_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16805-5
Online ISBN: 978-3-642-16806-2