  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Online intrusion detection design and implementation for SCADA networks

Wang, Hongrui 25 April 2017
The standardization and interconnection of supervisory control and data acquisition (SCADA) systems have exposed the systems to cyber attacks. To improve the security of the SCADA systems, intrusion detection system (IDS) design is an effective method. However, traditional IDS design in the industrial networks mainly exploits the predefined rules, which needs to be complemented and developed to adapt to the big data scenario. Therefore, this thesis aims to design an anomaly-based novel hierarchical online intrusion detection system (HOIDS) for SCADA networks based on machine learning algorithms theoretically and implement the theoretical idea of the anomaly-based intrusion detection on a testbed. In the theoretical design of HOIDS, by utilizing the server-client topology while keeping clients distributed for global protection, a high detection rate is achieved with minimum network impact. We implement accurate models of normal-abnormal binary detection and multi-attack identification based on logistic regression and quasi-Newton optimization algorithm using the Broyden-Fletcher-Goldfarb-Shanno approach. The detection system is capable of accelerating detection by information gain based feature selection or principal component analysis based dimension reduction. By evaluating our system using the KDD99 dataset and the industrial control system datasets, we demonstrate that our design is highly scalable, efficient and cost effective for securing SCADA infrastructures. Besides the theoretical IDS design, a testbed is modified and implemented for SCADA network security research. It simulates the working environment of SCADA systems with the functions of data collection and analysis for intrusion detection. The testbed is implemented to be more flexible and extensible compared to the existing related work on the testbeds. In the testbed, Bro network analyzer is introduced to support the research of anomaly-based intrusion detection.
The procedures of both signature-based intrusion detection and anomaly-based intrusion detection using Bro analyzer are also presented. Besides, a generic Linux-based host is used as the container of different network functions and a human machine interface (HMI) together with the supervising network is set up to simulate the control center. The testbed does not implement a large number of traffic generation methods, but still provides useful examples of generating normal and abnormal traffic. Besides, the testbed can be modified or expanded in the future work about SCADA network security. / Graduate
2

Enhancing Self-Organizing Maps with numerical criteria: a case study in SCADA networks

Wei, Tianming 22 December 2016
Self-Organizing Maps (SOM) can provide a visualization for multi-dimensional data with two dimensional mappings. By applying unsupervised learning techniques to SOM representations, we can further enhance visual inspection for change detection. In order to obtain a more accurate measurement for the changes of self-organizing maps beyond simple visual inspection, we introduce the Gaussian Mixture Model (GMM) and Kullback-Leibler Divergence (KLD) on top of SOM trained maps. The main contribution in this dissertation focuses on adding numerical methods to SOM algorithms, with anomaly detection as example domain. Through extensive trace-based simulations, it is observed that our techniques can uncover anomalies with an accuracy of 100% at an anomaly mixture-rate as low as 12% from the CTU-13 dataset. Tuning of the KLD threshold further reduces the mixture-rate to 7%, significantly augmenting visual inspection to assist in detecting low-rate anomalies. Suitable hierarchical and distributed SOM-based approaches are also explored, along with other approaches in the literature. Hierarchies in SOM can show the correlations among the neural cells on the self-organizing maps. In order to obtain a higher accuracy for anomaly detection, a new dimension of labels is suggested to be added in the second layer of SOM training. Also for more general distributed SOM-based algorithms, we investigate the use of principal component analysis (PCA) for the separation of dimensions. With the transformed dataset from PCA, the inner dependencies can be reserved in a manageable scale. As a case study, this dissertation uses a SOM-based approach for anomaly detection in Supervisory Control And Data Acquisition (SCADA) networks. We further investigate the use of SOM for the Quality of Service (QoS) in the scenario of wireless SCADA networks.
Solving the problem of long computing time of optimizing the cached contents, the new SOM-based approach can also learn and predict the sub-optimal locations for the caching while maintaining a prediction error of 28%. / Graduate
3

Secure Reprogramming of a Network Connected Device : Securing programmable logic controllers

Tesfaye, Mussie January 2012
This is a master’s thesis project entitled “Secure reprogramming of network connected devices”. The thesis begins by providing some background information to enable the reader to understand the current vulnerabilities of network-connected devices, specifically with regard to cyber security and data integrity. Today supervisory control and data acquisition systems utilizing network connected programmable logic controllers are widely used in many industries and critical infrastructures. These network-attached devices have been under increasing attack for some time by malicious attackers (including in some cases possibly government supported efforts). This thesis evaluates currently available solutions to mitigate these attacks. Based upon this evaluation a new solution based on the Trusted Computing Group (TCG’s) Trusted Platform Modules (TPM) specification is proposed. This solution utilizes a lightweight version of TPM and TCG’s Reliable Computing Machine (RCM) to achieve the desired security. The security of the proposed solution is evaluated both theoretically and using a prototype. This evaluation shows that the proposed solution helps to a great extent to mitigate the previously observed vulnerabilities when reprogramming network connected devices. The main result of this thesis project is a secure way of reprogramming these network attached devices so that only a valid user can successfully reprogram the device and no one else can reprogram the device (either to return it to an earlier state, perhaps with a known attack vector, or even worse prevent a valid user from programming the device). / The thesis begins by providing some background information to enable the reader to understand the current vulnerabilities of network-connected devices, particularly with regard to IT security and data integrity. Today, supervisory control and data acquisition systems using network-connected programmable logic controllers are widely used in many industries and critical infrastructure.
These network-connected devices have been under increasing attack for some time by malicious attackers (including, in some cases, possibly government-supported efforts). This thesis evaluates currently available solutions to mitigate these attacks. Based on this evaluation, a new solution based on the Trusted Computing Group (TCG) Trusted Platform Modules (TPM) specification is proposed. This solution uses a lightweight version of TPM and TCG's Reliable Computing Machine (RCM) to achieve the desired security. The security of the proposed solution is evaluated both theoretically and using a prototype. The evaluation shows that the proposed solution contributes to a great extent to mitigating the previously observed vulnerabilities when reprogramming network-connected devices. The main result of this thesis project is a secure way of reprogramming these network-connected devices so that only a valid user can successfully reprogram the device and no one else can program the device (either to restore it to an earlier state, perhaps with a known attack vector, or even worse prevent a valid user from programming the device).
