
Detecting Anomalies in Printed Intelligence Factory Network

  • Conference paper
Risks and Security of Internet and Systems (CRiSIS 2014)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 8924))


Abstract

Network security monitoring in ICS (SCADA) networks offers opportunities as well as corresponding challenges. Machine-learning-based anomaly detection has traditionally performed sub-optimally once taken out of the laboratory and into more open networks. We have proposed using machine learning for anomaly detection in ICS networks when certain prerequisites are met, e.g. predictability.

We report results from validating a previously introduced machine learning (ML) module for the Bro NSM on packet captures from an operational ICS network. Both the number of false positives and the detection capability are reported. Parts of the packet capture files used include reconnaissance activity.

The results point to adequate initial capability: the system is functional, usable and ready for further development. The easily modified and configured module is a proof-of-concept implementation of the introduced event-driven, machine-learning-based anomaly detection concept, for a single event and a single algorithm.
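As an added illustration of the premise above (not the paper's Bro module, whose learning algorithm the abstract does not describe), the following stand-in models a predictable ICS network as the set of connection tuples seen in a clean training capture and scores each later connection event against it, reporting detections of a constructed port sweep alongside the false positives caused by legitimate-but-unseen traffic. All hosts, ports and events are constructed for the example.

```python
# Added example, not from the paper: an event-driven baseline detector over
# constructed Bro-style connection events. In a predictable ICS network the set
# of (orig_h, resp_h, resp_p, proto) tuples seen in a clean window is small and
# stable, so any previously unseen tuple is raised as an anomaly.
from collections import namedtuple

Conn = namedtuple("Conn", "ts orig_h resp_h resp_p proto")


def baseline(events):
    """Learn the set of flow tuples present in a clean (training) capture."""
    return {(e.orig_h, e.resp_h, e.resp_p, e.proto) for e in events}


def detect(model, events):
    """Process events one at a time; return those never seen during training."""
    return [e for e in events if (e.orig_h, e.resp_h, e.resp_p, e.proto) not in model]


def evaluate(model, events, is_attack):
    """Count true and false positives using an oracle label for constructed events."""
    alerts = detect(model, events)
    tp = sum(1 for e in alerts if is_attack(e))
    return {"alerts": len(alerts), "tp": tp, "fp": len(alerts) - tp}


# Constructed training window: a PLC (10.0.0.20) polled over Modbus/TCP by an
# HMI and a historian, plus the PLC's own DNS lookups.
TRAIN = ([Conn(1.0 + i, "10.0.0.10", "10.0.0.20", 502, "tcp") for i in range(50)]
         + [Conn(2.0 + i, "10.0.0.11", "10.0.0.20", 502, "tcp") for i in range(50)]
         + [Conn(3.0 + i, "10.0.0.20", "10.0.0.1", 53, "udp") for i in range(5)])

# Constructed test window: normal polling, a port sweep from a host that was not
# present in training, and one legitimate NTP query that will be a false positive.
SWEEP_PORTS = (21, 22, 80, 443, 502, 8080)
TEST = ([Conn(100.0 + i, "10.0.0.10", "10.0.0.20", 502, "tcp") for i in range(20)]
        + [Conn(120.0 + i, "10.0.0.99", "10.0.0.20", p, "tcp") for i, p in enumerate(SWEEP_PORTS)]
        + [Conn(130.0, "10.0.0.20", "10.0.0.1", 123, "udp")])


def run_demo():
    """Train on the clean window, score the test window; sweep events are labelled attacks."""
    model = baseline(TRAIN)
    return evaluate(model, TEST, lambda e: e.orig_h == "10.0.0.99")


if __name__ == "__main__":
    print(run_demo())  # {'alerts': 7, 'tp': 6, 'fp': 1}
```

The single false positive is the point the abstract makes about prerequisites: the baseline only holds as long as legitimate traffic stays within the training window's predictable pattern.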



Acknowledgments

The research presented in this paper was mainly done as a collaborative effort in two research projects at VTT: the VTT-funded project INCYSE (Industrial Cyber Security Endeavour) and SASER, a Celtic+ project funded by TEKES in Finland.

Author information

Correspondence to Sami Noponen.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Mantere, M., Sailio, M., Noponen, S. (2015). Detecting Anomalies in Printed Intelligence Factory Network. In: Lopez, J., Ray, I., Crispo, B. (eds) Risks and Security of Internet and Systems. CRiSIS 2014. Lecture Notes in Computer Science, vol 8924. Springer, Cham. https://doi.org/10.1007/978-3-319-17127-2_1


  • DOI: https://doi.org/10.1007/978-3-319-17127-2_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17126-5

  • Online ISBN: 978-3-319-17127-2
