Critical infrastructures which are crucial to our modern life such as electricity grids and water pumps are controlled by Supervisory Control and Data Acquisition (SCADA) systems. Over the last two decades connecting these critical infrastructures to the internet has become essential. This made SCADA security an increasingly important research topic. This paper copes with two challenges: (1) SCADA systems tend to repeat themselves within a well-defined time period; then a malicious attacker can change the duration time in which the system holds a certain value without changing the order of the activities, i.e., the order in which the values appear. (2) The malicious activity may affect the data payload of the communicated SCADA packets rather than the explicit defined function codes (W/R). To face these challenges we propose two machine learning algorithms. The first algorithm is supervised. It finds first frequent temporal patterns, then these patterns are recognized in the data payload of the SCADA communication protocols, and used as features for a classification algorithm. The second algorithm is unsupervised. It learns an automaton that represents the temporal behavior of the system. Then at runtime, unknown states or events are declared as malicious. Experimental evaluation on real MODUBS-SCADA dataset from Ben-Gurion University shows that the first supervised algorithm, that uses frequent temporal patterns as features, performs better than a baseline algorithm that considers the mean and standard deviation as features. The second unsupervised algorithm performs even better than the first one.
Bibliographical notePublisher Copyright:
- Cyber-attack attack detection
- Cyber-physical security
- Pattern recognition
- SCADA systems