research-article

Adapting Bro into SCADA: building a specification-based intrusion detection system for the DNP3 protocol

Authors:

Hui Lin,

Adam Slagell,

Catello Di Martino,

Zbigniew Kalbarczyk,

Ravishankar K. IyerAuthors Info & Claims

CSIIRW '13: Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop

Article No.: 5, Pages 1 - 4

https://doi.org/10.1145/2459976.2459982

Published: 08 January 2013 Publication History

Get Access

Abstract

When SCADA systems are exposed to public networks, attackers can more easily penetrate the control systems that operate electrical power grids, water plants, and other critical infrastructures. To detect such attacks, SCADA systems require an intrusion detection technique that can understand the information carried by their usually proprietary network protocols.

To achieve that goal, we propose to attach to SCADA systems a specification-based intrusion detection framework based on Bro [7][8], a runtime network traffic analyzer. We have built a parser in Bro to support DNP3, a network protocol widely used in SCADA systems that operate electrical power grids. This built-in parser provides a clear view of all network events related to SCADA systems. Consequently, security policies to analyze SCADA-specific semantics related to the network events can be accurately defined. As a proof of concept, we specify a protocol validation policy to verify that the semantics of the data extracted from network packets conform to protocol definitions. We performed an experimental evaluation to study the processing capabilities of the proposed intrusion detection framework.

References

[1]

Berthier, R. and Sanders, W. H. 2011. Specification-based intrusion detection for advanced metering infrastructure. In Proceedings of 2011 IEEE 17th Pacific Rim International Symposium on Dependable Computing (Pasadena, CA, USA, Dec. 12-14, 2011), 184--193.

Digital Library

Google Scholar

[2]

Cheung, S., Dutertre, B., Fong, M., Lindqvist, U., Skinner, K., and Valdes, A. 2007. Using model-based intrusion detection for SCADA networks. In Proceedings of the SCADA Security Scientific Symposium 2007 (Miami Beach, FL, USA, Jan. 24--25, 2007), 127--134.

Google Scholar

[3]

Curtis, K. 2000. A DNP3 protocol primer. Technical report. DNP User's Group.

Google Scholar

[4]

Heine, E., Khurana, H., and Yardley, T. 2011. Exploring convergence for SCADA networks. In Proceedings of 2011 IEEE PES Innovative Smart Grid Technologies (Hilton Anaheim, CA, USA, Jan. 17--19, 2011), 1--8.

Google Scholar

[5]

Linda, O., Vollmer, T., and Manic, M. 2009. Neural network based intrusion detection system for critical infrastructures. In Proceedings of International Joint Conference on Neural Networks, 2009 (Atlanta, GA, USA, June 14--19, 2009), 1827--1834. IJCNN 2009.

Digital Library

Google Scholar

[6]

Pang, R., Paxson, V., Sommer, R., and Peterson, L. 2006. Binpac: A yacc for writing application protocol parsers. In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement (New York, NY, USA, Oct 25--27, 2006), 289--300. IMC '06.

Digital Library

Google Scholar

[7]

Paxson, V. 1999. Bro: A system for detecting network intruders in real-time. Computer Networks, 31, 23 (Dec. 1999), 2435--2463.

Digital Library

Google Scholar

[8]

The Bro Project. 2012. Bro Network Security Monitor. http://bro-ids.org.

Google Scholar

[9]

The Modbus Organization. 2006. Modbus messaging on TCP/IP implementation guide v1.0b 2006. http://modbus.org.

Google Scholar

[10]

The Wireshark Foundation. 2012. Wireshark. http://wireshark.org/.

Google Scholar

[11]

Triangle MicroWorks, Inc. 2012. Communication Protocol Test Harness. http://trianglemicroworks.com.

Google Scholar

Cited By

View all

Li ZMashima DOng WEsiner EKalbarczyk ZChang EQuek TGao DZhou JCardenas A(2024)On Practicality of Using ARM TrustZone Trusted Execution Environment for Securing Programmable Logic ControllersProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3645002(947-961)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3645002
Elbez GNahrstedt KHagenmeyer V(2024)Early Attack Detection for Securing GOOSE Network TrafficIEEE Transactions on Smart Grid10.1109/TSG.2023.327274915:1(899-910)Online publication date: Jan-2024
https://doi.org/10.1109/TSG.2023.3272749
Hotellier EBoukhobza NSicard FFrancq JMocanu S(2024)Behavior-Based Intrusion Detection Approach Deployed on a Naval Testbed2024 IEEE 29th International Conference on Emerging Technologies and Factory Automation (ETFA)10.1109/ETFA61755.2024.10710831(1-8)Online publication date: 10-Sep-2024
https://doi.org/10.1109/ETFA61755.2024.10710831
Show More Cited By

Index Terms

Adapting Bro into SCADA: building a specification-based intrusion detection system for the DNP3 protocol
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Exploiting Bro for Intrusion Detection in a SCADA System
CPSS '16: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security

Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly run with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, and the legacy aspects ...
A Comparative study of Open Source IDSs according to their Ability to Detect Attacks
NISS '19: Proceedings of the 2nd International Conference on Networking, Information Systems & Security

In this paper, we focus on the important role of intrusion detection systems for detecting unauthorized actions initiated from both internal and external network by collecting and monitoring network traffic. We give a study of the open source Next-...
Enhancing byte-level network intrusion detection signatures with context
CCS '03: Proceedings of the 10th ACM conference on Computer and communications security

Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

CSIIRW '13: Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop

January 2013

282 pages

ISBN:9781450316873

DOI:10.1145/2459976

Editors:
Frederick Sheldon
Oak Ridge National Laboratory
,
Annarita Giani
Los Alamos National Laboratory
,
Axel Krings
University of Idaho
,
Robert Abercrombie
Oak Ridge National Laboratory

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 January 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CSIIRW '13

Sponsor:

Los Alamos National Labs
Sandia National Labs
DOE
Lawrence Livermore National Lab.
BERKELEYLAB
Argonne Natl Lab
Idaho National Lab.
Nevada National Security Site

CSIIRW '13: Cyber Security and Information Intelligence

January 8 - 10, 2013

Tennessee, Oak Ridge, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

79
Total Citations
View Citations
835
Total Downloads

Downloads (Last 12 months)28
Downloads (Last 6 weeks)6

Reflects downloads up to 19 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Li ZMashima DOng WEsiner EKalbarczyk ZChang EQuek TGao DZhou JCardenas A(2024)On Practicality of Using ARM TrustZone Trusted Execution Environment for Securing Programmable Logic ControllersProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3645002(947-961)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3645002
Elbez GNahrstedt KHagenmeyer V(2024)Early Attack Detection for Securing GOOSE Network TrafficIEEE Transactions on Smart Grid10.1109/TSG.2023.327274915:1(899-910)Online publication date: Jan-2024
https://doi.org/10.1109/TSG.2023.3272749
Hotellier EBoukhobza NSicard FFrancq JMocanu S(2024)Behavior-Based Intrusion Detection Approach Deployed on a Naval Testbed2024 IEEE 29th International Conference on Emerging Technologies and Factory Automation (ETFA)10.1109/ETFA61755.2024.10710831(1-8)Online publication date: 10-Sep-2024
https://doi.org/10.1109/ETFA61755.2024.10710831
Wattoo ZVitis PZhu RDepner NZhang IHein JGujarati ASeltzer M(2024)RABIT, a Robot Arm Bug Intervention Tool for Self-Driving Labs2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00043(353-361)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00043
Menzel VSpeckamp JRemke A(2024)Developing a Robust Communication Infrastructure for a Distributed Smart Grid IDS2024 IEEE International Conference on Cyber Security and Resilience (CSR)10.1109/CSR61664.2024.10679379(01-08)Online publication date: 2-Sep-2024
https://doi.org/10.1109/CSR61664.2024.10679379
Hotellier ESicard FFrancq JMocanu S(2024)Standard specification-based intrusion detection for hierarchical industrial control systemsInformation Sciences10.1016/j.ins.2024.120102(120102)Online publication date: Jan-2024
https://doi.org/10.1016/j.ins.2024.120102
Hubballi NBarsha N(2024)Mitigating Resource Depletion and Message Sequencing Attacks in SCADA SystemsAdvanced Information Networking and Applications10.1007/978-3-031-57870-0_4(37-47)Online publication date: 10-Apr-2024
https://doi.org/10.1007/978-3-031-57870-0_4
Abdellaoui SDumitrescu EEscudero CZamaï E(2023)Cyber Threat Assessment in Monitoring Turnout Railway Systems2023 IEEE 28th International Conference on Emerging Technologies and Factory Automation (ETFA)10.1109/ETFA54631.2023.10275401(1-8)Online publication date: 12-Sep-2023
https://doi.org/10.1109/ETFA54631.2023.10275401
Menzel VGroBhanten KRemke A(2023)Evaluating a Process-Aware IDS for Smart Grids on Distributed Hardware2023 IEEE International Conference on Cyber Security and Resilience (CSR)10.1109/CSR57506.2023.10224985(418-425)Online publication date: 31-Jul-2023
https://doi.org/10.1109/CSR57506.2023.10224985
Meshram AKarch MHaas CBeyerer J(2023)POET: A Self-learning Framework for PROFINET Industrial Operations BehaviourTools for Design, Implementation and Verification of Emerging Information Technologies10.1007/978-3-031-33458-0_1(3-19)Online publication date: 17-Jun-2023
https://doi.org/10.1007/978-3-031-33458-0_1
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Exploiting Bro for Intrusion Detection in a SCADA System

A Comparative study of Open Source IDSs according to their Ability to Detect Attacks

Enhancing byte-level network intrusion detection signatures with context