SCADA网络中服务器驱动流量的协议研究与异常检测

IF 4.1 3区工程技术 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

International Journal of Critical Infrastructure Protection Pub Date : 2023-09-01 DOI:10.1016/j.ijcip.2023.100612

Chih-Yuan Lin, Simin Nadjm-Tehrani

{"title":"SCADA网络中服务器驱动流量的协议研究与异常检测","authors":"Chih-Yuan Lin, Simin Nadjm-Tehrani","doi":"10.1016/j.ijcip.2023.100612","DOIUrl":null,"url":null,"abstract":"<div><p>Attacks against Supervisory Control and Data Acquisition (SCADA) systems operating critical infrastructures have largely appeared in the past decades. There are several anomaly detection systems that model the traffic of request–response mechanisms, where a client initiates a request to a server and the server sends back a response later. However, many modern SCADA protocols also allow server-driven traffic without a paired request, and anomaly detection for server-driven traffic has not been well-studied. This paper provides a comprehensive understanding of server-driven traffic across different protocols, such as MMS, Siemens S7, S7-plus, and IEC 60870-5-104 (IEC-104), with traffic analysis. The analysis results show that the common postulation of periodicity and correlation within SCADA traffic holds true for most of the analyzed datasets. The paper then proposes a Multivariate Correlation Anomaly Detection (MCAD) approach for server-driven traffic that presents complicated correlations among flows. The proposed approach is compared with a univariate correlation anomaly detection approach designed for SCADA and a general purpose anomaly detection approach based on neural network techniques. These approaches are tested with an IEC-104 dataset from a real power utility with injected timing perturbations resulting from a Stuxnet-like stealthy attack scenario. The detection accuracy of MCAD outperforms the compared methods and the time-to-detection performance is promising.</p></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"42 ","pages":"Article 100612"},"PeriodicalIF":4.1000,"publicationDate":"2023-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Protocol study and anomaly detection for server-driven traffic in SCADA networks\",\"authors\":\"Chih-Yuan Lin, Simin Nadjm-Tehrani\",\"doi\":\"10.1016/j.ijcip.2023.100612\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>Attacks against Supervisory Control and Data Acquisition (SCADA) systems operating critical infrastructures have largely appeared in the past decades. There are several anomaly detection systems that model the traffic of request–response mechanisms, where a client initiates a request to a server and the server sends back a response later. However, many modern SCADA protocols also allow server-driven traffic without a paired request, and anomaly detection for server-driven traffic has not been well-studied. This paper provides a comprehensive understanding of server-driven traffic across different protocols, such as MMS, Siemens S7, S7-plus, and IEC 60870-5-104 (IEC-104), with traffic analysis. The analysis results show that the common postulation of periodicity and correlation within SCADA traffic holds true for most of the analyzed datasets. The paper then proposes a Multivariate Correlation Anomaly Detection (MCAD) approach for server-driven traffic that presents complicated correlations among flows. The proposed approach is compared with a univariate correlation anomaly detection approach designed for SCADA and a general purpose anomaly detection approach based on neural network techniques. These approaches are tested with an IEC-104 dataset from a real power utility with injected timing perturbations resulting from a Stuxnet-like stealthy attack scenario. The detection accuracy of MCAD outperforms the compared methods and the time-to-detection performance is promising.</p></div>\",\"PeriodicalId\":49057,\"journal\":{\"name\":\"International Journal of Critical Infrastructure Protection\",\"volume\":\"42 \",\"pages\":\"Article 100612\"},\"PeriodicalIF\":4.1000,\"publicationDate\":\"2023-09-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Critical Infrastructure Protection\",\"FirstCategoryId\":\"5\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S1874548223000252\",\"RegionNum\":3,\"RegionCategory\":\"工程技术\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Critical Infrastructure Protection","FirstCategoryId":"5","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1874548223000252","RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 1

摘要

在过去的几十年里，针对运行关键基础设施的监控和数据采集（SCADA）系统的攻击在很大程度上已经出现。有几个异常检测系统对请求-响应机制的流量进行建模，其中客户端向服务器发起请求，服务器稍后发回响应。然而，许多现代SCADA协议也允许服务器驱动的流量，而无需配对请求，并且服务器驱动流量的异常检测尚未得到很好的研究。本文通过流量分析，全面了解了不同协议（如MMS、Siemens S7、S7 plus和IEC 60870-5-104（IEC-104））中服务器驱动的流量。分析结果表明，SCADA流量中周期性和相关性的常见假设适用于大多数分析数据集。然后，针对服务器驱动的流量，提出了一种多变量相关异常检测（MCAD）方法，该方法呈现了流量之间的复杂相关性。将所提出的方法与为SCADA设计的单变量相关异常检测方法和基于神经网络技术的通用异常检测方法进行了比较。这些方法用来自真实电力公司的IEC-104数据集进行了测试，该数据集具有由类似Stuxnet的隐形攻击场景引起的注入时序扰动。MCAD的检测精度优于比较方法，检测时间性能良好。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Protocol study and anomaly detection for server-driven traffic in SCADA networks

Attacks against Supervisory Control and Data Acquisition (SCADA) systems operating critical infrastructures have largely appeared in the past decades. There are several anomaly detection systems that model the traffic of request–response mechanisms, where a client initiates a request to a server and the server sends back a response later. However, many modern SCADA protocols also allow server-driven traffic without a paired request, and anomaly detection for server-driven traffic has not been well-studied. This paper provides a comprehensive understanding of server-driven traffic across different protocols, such as MMS, Siemens S7, S7-plus, and IEC 60870-5-104 (IEC-104), with traffic analysis. The analysis results show that the common postulation of periodicity and correlation within SCADA traffic holds true for most of the analyzed datasets. The paper then proposes a Multivariate Correlation Anomaly Detection (MCAD) approach for server-driven traffic that presents complicated correlations among flows. The proposed approach is compared with a univariate correlation anomaly detection approach designed for SCADA and a general purpose anomaly detection approach based on neural network techniques. These approaches are tested with an IEC-104 dataset from a real power utility with injected timing perturbations resulting from a Stuxnet-like stealthy attack scenario. The detection accuracy of MCAD outperforms the compared methods and the time-to-detection performance is promising.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

International Journal of Critical Infrastructure Protection COMPUTER SCIENCE, INFORMATION SYSTEMS-ENGINEERING, MULTIDISCIPLINARY

CiteScore

8.90

自引率

5.60%

发文量

审稿时长

>12 weeks

期刊介绍： The International Journal of Critical Infrastructure Protection (IJCIP) was launched in 2008, with the primary aim of publishing scholarly papers of the highest quality in all areas of critical infrastructure protection. Of particular interest are articles that weave science, technology, law and policy to craft sophisticated yet practical solutions for securing assets in the various critical infrastructure sectors. These critical infrastructure sectors include: information technology, telecommunications, energy, banking and finance, transportation systems, chemicals, critical manufacturing, agriculture and food, defense industrial base, public health and health care, national monuments and icons, drinking water and water treatment systems, commercial facilities, dams, emergency services, nuclear reactors, materials and waste, postal and shipping, and government facilities. Protecting and ensuring the continuity of operation of critical infrastructure assets are vital to national security, public health and safety, economic vitality, and societal wellbeing. The scope of the journal includes, but is not limited to: 1. Analysis of security challenges that are unique or common to the various infrastructure sectors. 2. Identification of core security principles and techniques that can be applied to critical infrastructure protection. 3. Elucidation of the dependencies and interdependencies existing between infrastructure sectors and techniques for mitigating the devastating effects of cascading failures. 4. Creation of sophisticated, yet practical, solutions, for critical infrastructure protection that involve mathematical, scientific and engineering techniques, economic and social science methods, and/or legal and public policy constructs.