ABSTRACT
When SCADA systems are exposed to public networks, attackers can more easily penetrate the control systems that operate electrical power grids, water plants, and other critical infrastructures. To detect such attacks, SCADA systems require an intrusion detection technique that can understand the information carried by their usually proprietary network protocols.
To achieve that goal, we propose to attach to SCADA systems a specification-based intrusion detection framework based on Bro [7][8], a runtime network traffic analyzer. We have built a parser in Bro to support DNP3, a network protocol widely used in SCADA systems that operate electrical power grids. This built-in parser provides a clear view of all network events related to SCADA systems. Consequently, security policies to analyze SCADA-specific semantics related to the network events can be accurately defined. As a proof of concept, we specify a protocol validation policy to verify that the semantics of the data extracted from network packets conform to protocol definitions. We performed an experimental evaluation to study the processing capabilities of the proposed intrusion detection framework.
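The protocol validation policy sketched in the abstract parses DNP3 fields and then checks that their values conform to the protocol definition. The following added example (written for this page in Python, not the paper's Bro/binpac parser) shows that idea on the DNP3 link layer: it decodes the 10-byte header, verifies the CRC-16/DNP checksums over the header and each 16-byte user-data block, and reports every semantic deviation (undefined function code for the PRM direction, reserved or broadcast source address, length inconsistent with the function) as a policy violation. The sample frame is constructed in the block rather than captured from a device; the function-code tables and address ranges follow IEEE 1815 to the best of the author's knowledge and are assumptions to verify against the standard.

```python
"""Specification-based validation of a DNP3 link-layer frame.

Added illustration, not the Bro/binpac parser the paper describes: parse the
link header, verify CRCs, then check field semantics against the protocol
definition and collect every deviation as a policy violation.
"""
from dataclasses import dataclass, field
from typing import List

START_BYTES = b"\x05\x64"          # every DNP3 link frame begins with 0x05 0x64
LINK_HEADER_LEN = 10               # 8 header bytes + 2-byte CRC

# Link-layer function codes permitted per PRM bit (per IEEE 1815; the obsolete
# RESET_USER_PROCESS code is deliberately omitted). Assumed tables, verify
# against the standard you deploy.
PRIMARY_FUNCTIONS = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES",
                     3: "CONFIRMED_USER_DATA", 4: "UNCONFIRMED_USER_DATA",
                     9: "REQUEST_LINK_STATUS"}
SECONDARY_FUNCTIONS = {0: "ACK", 1: "NACK", 11: "LINK_STATUS", 15: "NOT_SUPPORTED"}
USER_DATA_FUNCTIONS = {3, 4}       # only these primary functions carry user data


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a well-formed frame (used only to construct sample input)."""
    header = (START_BYTES + bytes([5 + len(user_data), control])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):          # CRC after every 16-byte block
        block = user_data[i:i + 16]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame


@dataclass
class LinkFrame:
    length: int = 0
    dir_from_master: bool = False
    prm: bool = False
    function: int = 0
    dest: int = 0
    src: int = 0
    user_data: bytes = b""
    violations: List[str] = field(default_factory=list)


def parse_link_frame(raw: bytes) -> LinkFrame:
    """Decode one frame and record every deviation from the protocol definition."""
    f = LinkFrame()
    if len(raw) < LINK_HEADER_LEN:
        f.violations.append("frame shorter than the 10-byte link header")
        return f
    if raw[:2] != START_BYTES:
        f.violations.append("bad start bytes %s" % raw[:2].hex())
    f.length = raw[2]
    control = raw[3]
    f.dir_from_master = bool(control & 0x80)    # DIR bit
    f.prm = bool(control & 0x40)                # PRM bit
    f.function = control & 0x0F
    f.dest = int.from_bytes(raw[4:6], "little")
    f.src = int.from_bytes(raw[6:8], "little")
    if crc16_dnp(raw[:8]) != int.from_bytes(raw[8:10], "little"):
        f.violations.append("header CRC mismatch")
    # Semantic checks on the decoded fields.
    if f.length < 5:
        f.violations.append("length %d below the minimum of 5" % f.length)
    table = PRIMARY_FUNCTIONS if f.prm else SECONDARY_FUNCTIONS
    if f.function not in table:
        f.violations.append("function code %d undefined for PRM=%d" % (f.function, f.prm))
    elif f.prm and (f.function in USER_DATA_FUNCTIONS) != (f.length > 5):
        f.violations.append("length %d inconsistent with %s" % (f.length, table[f.function]))
    if f.src >= 0xFFF0:
        f.violations.append("source address 0x%04X is reserved/broadcast" % f.src)
    if 0xFFF0 <= f.dest < 0xFFFD:
        f.violations.append("destination 0x%04X is in the reserved range" % f.dest)
    # User data: blocks of up to 16 bytes, each followed by its own CRC.
    remaining, pos, data = f.length - 5, LINK_HEADER_LEN, bytearray()
    while remaining > 0:
        n = min(16, remaining)
        block, crc = raw[pos:pos + n], raw[pos + n:pos + n + 2]
        if len(block) < n or len(crc) < 2:
            f.violations.append("frame truncated: length field exceeds bytes present")
            break
        if crc16_dnp(block) != int.from_bytes(crc, "little"):
            f.violations.append("CRC mismatch in user-data block at offset %d" % pos)
        data += block
        pos, remaining = pos + n + 2, remaining - n
    f.user_data = bytes(data)
    return f


# Constructed sample (not captured traffic): master (src 3) sends outstation
# (dest 1) an UNCONFIRMED_USER_DATA frame (control 0xC4) whose payload is a
# transport header plus a READ of class 1 data (group 60, variation 2).
SAMPLE_FRAME = build_frame(0xC4, dest=1, src=3, user_data=b"\xc0\xc1\x01\x3c\x02\x06")

if __name__ == "__main__":
    for label, frame in [("valid", SAMPLE_FRAME),
                         ("broadcast source", build_frame(0xC4, 1, 0xFFFF, b"\xc0"))]:
        print(label, parse_link_frame(frame).violations)
```

A stream parser for DNP3 over TCP would loop this routine over consecutive frames, and the transport and application layers would be decoded from `user_data` with their own checks; the violation list is what a Bro policy script would turn into a notice.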
REFERENCES
- [1] Berthier, R. and Sanders, W. H. 2011. Specification-based intrusion detection for advanced metering infrastructure. In Proceedings of the 2011 IEEE 17th Pacific Rim International Symposium on Dependable Computing (Pasadena, CA, USA, Dec. 12--14, 2011), 184--193.
- [2] Cheung, S., Dutertre, B., Fong, M., Lindqvist, U., Skinner, K., and Valdes, A. 2007. Using model-based intrusion detection for SCADA networks. In Proceedings of the SCADA Security Scientific Symposium 2007 (Miami Beach, FL, USA, Jan. 24--25, 2007), 127--134.
- [3] Curtis, K. 2000. A DNP3 protocol primer. Technical report. DNP Users Group.
- [4] Heine, E., Khurana, H., and Yardley, T. 2011. Exploring convergence for SCADA networks. In Proceedings of 2011 IEEE PES Innovative Smart Grid Technologies (Anaheim, CA, USA, Jan. 17--19, 2011), 1--8.
- [5] Linda, O., Vollmer, T., and Manic, M. 2009. Neural network based intrusion detection system for critical infrastructures. In Proceedings of the International Joint Conference on Neural Networks, IJCNN 2009 (Atlanta, GA, USA, June 14--19, 2009), 1827--1834.
- [6] Pang, R., Paxson, V., Sommer, R., and Peterson, L. 2006. binpac: A yacc for writing application protocol parsers. In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, IMC '06 (Rio de Janeiro, Brazil, Oct. 25--27, 2006), 289--300.
- [7] Paxson, V. 1999. Bro: A system for detecting network intruders in real-time. Computer Networks, 31, 23 (Dec. 1999), 2435--2463.
- [8] The Bro Project. 2012. Bro Network Security Monitor. http://bro-ids.org.
- [9] The Modbus Organization. 2006. Modbus messaging on TCP/IP implementation guide v1.0b 2006. http://modbus.org.
- [10] The Wireshark Foundation. 2012. Wireshark. http://wireshark.org/.
- [11] Triangle MicroWorks, Inc. 2012. Communication Protocol Test Harness. http://trianglemicroworks.com.
Index Terms
- Adapting Bro into SCADA: building a specification-based intrusion detection system for the DNP3 protocol