Temporal pattern-based malicious activity detection in SCADA systems

Amit Shlomo, Meir Kalech, Robert Moskovitch

Research output: Contribution to journal › Article › peer-review

12 Scopus citations

Abstract

Critical infrastructures which are crucial to our modern life, such as electricity grids and water pumps, are controlled by Supervisory Control and Data Acquisition (SCADA) systems. Over the last two decades, connecting these critical infrastructures to the internet has become essential. This has made SCADA security an increasingly important research topic. This paper copes with two challenges: (1) SCADA systems tend to repeat themselves within a well-defined time period, so a malicious attacker can change the duration for which the system holds a certain value without changing the order of the activities, i.e., the order in which the values appear. (2) The malicious activity may affect the data payload of the communicated SCADA packets rather than the explicitly defined function codes (W/R). To face these challenges we propose two machine learning algorithms. The first algorithm is supervised: it first finds frequent temporal patterns, then recognizes these patterns in the data payload of the SCADA communication protocols and uses them as features for a classification algorithm. The second algorithm is unsupervised: it learns an automaton that represents the temporal behavior of the system; then, at runtime, unknown states or events are declared malicious. Experimental evaluation on a real MODBUS-SCADA dataset from Ben-Gurion University shows that the first, supervised algorithm, which uses frequent temporal patterns as features, performs better than a baseline algorithm that considers the mean and standard deviation as features. The second, unsupervised algorithm performs even better than the first one.
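To illustrate the unsupervised idea from the abstract (learn the system's temporal behavior, then flag unknown states, unknown transitions, and hold times outside what was learned), here is a small added example; it is not the paper's algorithm or dataset. The traces, register values and the 10% slack are constructed assumptions.

```python
# Added illustration, not the paper's method: a toy "timed automaton" learned from
# benign SCADA register traces. Each event is (register value, seconds held).
# The model stores the allowed value transitions and, per value, the observed
# hold-time range. At runtime an unseen state, an unseen transition, OR a hold
# time outside the learned range is flagged, so an attacker who keeps the value
# order but stretches one duration is still detected.

def learn_automaton(traces, slack=0.1):
    """Learn allowed transitions and per-value hold-time bounds from benign traces."""
    transitions = set()
    bounds = {}
    for trace in traces:
        prev = None
        for value, hold in trace:
            if prev is not None:
                transitions.add((prev, value))
            lo, hi = bounds.get(value, (hold, hold))
            bounds[value] = (min(lo, hold), max(hi, hold))
            prev = value
    # Widen bounds by a relative slack (assumed 10%) so benign jitter is not flagged.
    bounds = {v: (lo * (1 - slack), hi * (1 + slack)) for v, (lo, hi) in bounds.items()}
    return transitions, bounds

def detect(model, trace):
    """Return a list of (event index, reason) for events outside learned behavior."""
    transitions, bounds = model
    alerts = []
    prev = None
    for i, (value, hold) in enumerate(trace):
        if value not in bounds:
            alerts.append((i, f"unknown state {value}"))
        elif prev is not None and (prev, value) not in transitions:
            alerts.append((i, f"unknown transition {prev}->{value}"))
        else:
            lo, hi = bounds[value]
            if not lo <= hold <= hi:
                alerts.append((i, f"hold time {hold}s outside [{lo:.1f}, {hi:.1f}] for {value}"))
        prev = value
    return alerts

# Constructed benign traces: a pump cycle OFF (~10 s) -> ON (~30 s) -> OFF ...
BENIGN = [
    [("OFF", 10), ("ON", 30), ("OFF", 11), ("ON", 29)],
    [("OFF", 9), ("ON", 31), ("OFF", 10), ("ON", 30)],
]
MODEL = learn_automaton(BENIGN)
# Constructed attack: same order of values as benign, but ON is held for 120 s.
ATTACK = [("OFF", 10), ("ON", 120), ("OFF", 10)]
```

A mean/standard-deviation baseline over the whole trace would see the same set of values here; only the per-state timing model notices the stretched ON interval.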

Original language: English
Article number: 102153
Journal: Computers and Security
Volume: 102
DOIs
State: Published - Mar 2021
Externally published: Yes

Bibliographical note

Publisher Copyright:
© 2020

Funding

This research has been funded by the Cyber Security Research Center at Ben-Gurion university of the Negev.

Funders: Deutsche Telekom Innovation Laboratories

Keywords

• Cyber-attack detection
• Cyber-physical security
• Data-driven
• Pattern recognition
• SCADA systems
