Detection of Cyber-Attacks Against SCADA
An evaluation of anomaly detection techniques
Antonios Gouglidis
Novel Approaches in Risk and Security Management for Critical Infrastructures
Vienna, 19th and 20th September 2017
Contents
• Resilience reference framework
• Performance analysis of detection techniques
• Concluding remarks
19.09.2017 Novel Approaches in Risk and Security Management for Critical Infrastructures 2
Resilience and ways of achieving it…
• ‘… the ability of a network/system to defend against and maintain an acceptable level of service in the presence of challenges.’ *
• D2R2+DR (Defend, Detect, Remediate, Recover + Diagnose, Refine)
– Real-time control (internal) loop
– Background (external) loop
[Figure: Resilience strategy]
* Sterbenz, James PG, et al. "Resilience and survivability in communication networks: Strategies, principles, and survey of disciplines." Computer Networks 54.8 (2010): 1245-1265.
Overall concept
Resilience architecture
[Figure: resilience architecture, from WP3 – Deliverable 3.4]
Dataset and techniques
• Dataset*
– Simulated traffic on a gas pipeline
– Modbus traffic including read/write commands for a PLC
– Attacks included: response injection (naïve, complex), reconnaissance, DoS, command injection (state, parameters, function code)
• Detection techniques
– Supervised: K-Means, Naïve Bayesian
– Unsupervised: PCA – Singular value decomposition, GMM, Data Density
(WP3 – Deliverable 3.4)
* Mississippi State University lab
Method for evaluating techniques
• Obtain the most significant features from the dataset
– Normalization of the data
• Split the dataset into 8 trace files
– Combined dataset (1 file)
– Attack trace plus normal data (7 files)
• Submit each trace file to the detector
• Compare the output against the ground truth
(WP3 – Deliverable 3.4)
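The evaluation loop above, written out as an added example that is not code from the presentation or its WP3 deliverable. It assumes a four-feature record per Modbus message (function code, register, value, inter-message interval in ms), a handful of constructed benign records for training, a constructed labelled trace to score, and a simple data-density detector (mean distance to the k nearest normal records, with the alarm threshold taken from the largest leave-one-out distance in the training set). The trace deliberately contains one attack that is byte-for-byte identical to a benign write and one benign record taken during a latency spike, so the run shows where a false negative and a false positive come from, which is the same effect the concluding remarks attribute to how different the anomalous packets are from normal traffic.

```python
"""Evaluate an anomaly detector against ground truth (added example).

Mirrors the method slide: normalise the chosen features, build a trace of
normal plus labelled attack records, submit it to the detector, compare the
verdicts with the ground truth and report precision and accuracy. The
detector is a small data-density (k-nearest-neighbour distance) model trained
on normal traffic only. All records, labels and the feature choice are
assumptions made for this illustration, not the presentation's dataset.
"""
from math import sqrt
from typing import Dict, List, Optional, Sequence, Tuple

Record = Tuple[float, ...]

# Feature vector: (function_code, register, value, interval_ms). Constructed
# benign Modbus-like polling of one PLC: reads (fc 3) and writes (fc 16) of a
# setpoint near 50, roughly every 100 ms.
NORMAL_TRAIN: List[Record] = [
    (3, 10, 50, 100), (3, 11, 48, 95), (3, 12, 52, 105), (16, 10, 45, 90),
    (16, 11, 55, 110), (16, 12, 50, 100), (3, 10, 47, 92), (16, 12, 53, 108),
]

# Constructed evaluation trace: (record, ground-truth label, note); 1 = attack.
TRACE: List[Tuple[Record, int, str]] = [
    ((3, 10, 50, 100), 0, "normal read"),
    ((3, 11, 50, 100), 0, "normal read, unseen but in-range value"),
    ((16, 12, 50, 100), 0, "normal write"),
    ((16, 11, 999, 100), 1, "parameter injection: out-of-range setpoint"),
    ((8, 10, 0, 100), 1, "function-code injection: fc 8 never seen in training"),
    ((3, 10, 50, 1), 1, "DoS-style flood: polling interval collapses"),
    ((16, 12, 50, 100), 1, "state command injection identical to a benign write"),
    ((3, 12, 52, 105), 0, "normal read"),
    ((3, 11, 48, 200), 0, "normal read during a latency spike"),
]

def fit_minmax(rows: Sequence[Record]) -> List[Tuple[float, float]]:
    """Per-feature (min, max) learned from the normal training rows."""
    return [(min(col), max(col)) for col in zip(*rows)]

def normalize(row: Record, bounds: Sequence[Tuple[float, float]]) -> Record:
    """Min-max scale each feature against the training range (normal data
    lands in [0, 1]; values outside the training range land outside it)."""
    return tuple((x - lo) / (hi - lo) if hi > lo else 0.0
                 for x, (lo, hi) in zip(row, bounds))

def euclid(a: Record, b: Record) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class DensityDetector:
    """Flag a record whose mean distance to its k nearest normal neighbours
    exceeds the largest leave-one-out distance observed among the training
    points, i.e. it sits in a sparser region than any normal record did."""

    def __init__(self, k: int = 2) -> None:
        self.k, self.bounds, self.points, self.threshold = k, [], [], 0.0

    def fit(self, normal_rows: Sequence[Record]) -> "DensityDetector":
        self.bounds = fit_minmax(normal_rows)
        self.points = [normalize(r, self.bounds) for r in normal_rows]
        # Threshold = worst-case density score of a known-normal record.
        self.threshold = max(self._score(p, exclude=i)
                             for i, p in enumerate(self.points))
        return self

    def _score(self, q: Record, exclude: Optional[int] = None) -> float:
        dists = sorted(euclid(q, p) for i, p in enumerate(self.points)
                       if i != exclude)
        return sum(dists[:self.k]) / self.k

    def score(self, row: Record) -> float:
        return self._score(normalize(row, self.bounds))

    def predict(self, row: Record) -> int:
        return 1 if self.score(row) > self.threshold else 0

def evaluate(detector: DensityDetector,
             trace: Sequence[Tuple[Record, int, str]]) -> Dict[str, float]:
    """Compare verdicts with ground truth; return the confusion counts plus
    precision and accuracy, the two metrics the slides report."""
    counts = {"tn": 0, "fp": 0, "fn": 0, "tp": 0}
    for row, label, _ in trace:
        pred = detector.predict(row)
        # index 2*label + pred: 0 = tn, 1 = fp, 2 = fn, 3 = tp
        counts[("tn", "fp", "fn", "tp")[2 * label + pred]] += 1
    tp, fp, tn = counts["tp"], counts["fp"], counts["tn"]
    counts["precision"] = tp / (tp + fp) if tp + fp else 0.0
    counts["accuracy"] = (tp + tn) / len(trace)
    return counts

DETECTOR = DensityDetector(k=2).fit(NORMAL_TRAIN)
RESULT = evaluate(DETECTOR, TRACE)

if __name__ == "__main__":
    for row, label, note in TRACE:
        print(f"truth={label} verdict={DETECTOR.predict(row)} {row} {note}")
    print(RESULT)
```

On the constructed trace the detector catches the three attacks whose features leave the training range, misses the command injection that reuses a benign write (a false negative nothing in the feature vector could separate), and raises one alarm on the benign latency spike (a false positive), giving precision 0.75 and accuracy 7/9. Swapping in another technique only means replacing `DensityDetector`; `evaluate` is the fixed comparison against ground truth.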
Combined dataset
[Chart "Comparison of techniques": precision and accuracy (scale 0.0 to 1.0) of K-Means, NB, PCA-SVD, GMM and DD on the combined dataset]
Precision of techniques per attack
[Chart: precision (scale 0 to 1) of K-Means, NB, PCA-SVD, GMM and DD for each attack class: NMRI and CMRI (naïve and complex malicious response injection), MSCI, MPCI and MFCI (malicious state, parameter and function-code command injection), DoS, Reconnaissance]
Accuracy of techniques per attack
[Chart: accuracy (scale 0 to 1) of K-Means, NB, PCA-SVD, GMM and DD for each attack class: NMRI and CMRI (naïve and complex malicious response injection), MSCI, MPCI and MFCI (malicious state, parameter and function-code command injection), DoS, Reconnaissance]
Concluding remarks
• The detection rate differs with respect to the
– type of attack
– how different the anomalous data packets are from normal traffic, and the intensity of the attack
• Supervised techniques perform better
• Is a dataset always available for training?
Thank you!