CAPTAR: Causal-Polytree-based Anomaly Reasoning for SCADA Networks

Wenyu Ren, Tuo Yu, Timothy M. Yardley, K. Nahrstedt
DOI: 10.1109/SmartGridComm.2019.8909766 (https://doi.org/10.1109/SmartGridComm.2019.8909766)
Published in: 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)
Publication date: 2019-10-01
Citations: 5

Abstract

The Supervisory Control and Data Acquisition (SCADA) system is the most commonly used industrial control system but is subject to a wide range of serious threats. Intrusion detection systems are deployed to improve the security of SCADA systems, but they continuously generate a tremendous number of alerts without further comprehending them. There is a need for an efficient system that correlates alerts and discovers attack strategies in order to provide explainable situational awareness to SCADA operators. In this paper, we present a causal-polytree-based anomaly reasoning framework for SCADA networks, named CAPTAR. CAPTAR takes the meta-alerts from our previous anomaly detection framework EDMAND, correlates them using a naive Bayes classifier, and matches them to predefined causal polytrees. Utilizing Bayesian inference on the causal polytrees, CAPTAR can produce a high-level view of the security state of the protected SCADA network. Experiments on a prototype of CAPTAR prove its anomaly reasoning ability and its capability to satisfy the real-time reasoning requirement.