Abstract
Network security monitoring in ICS, or SCADA, networks provides opportunities and corresponding challenges. Anomaly detection using machine learning has traditionally performed sub-optimally when brought out of the laboratory environments and into more open networks. We have proposed using machine learning for anomaly detection in ICS networks when certain prerequisites are met, e.g. predictability.
Results are reported for validation of a previously introduced ML module for Bro NSM using captures from an operational ICS network. The number of false positives and the detection capability are reported on. Parts of the used packet capture files include reconnaissance activity.
The results point to adequate initial capability. The system is functional, usable and ready for further development. Easily modified and configured module represents a proof-of-concept implementation of introduced event-driven machine learning based anomaly detection concept for single event and algorithm.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
The Self-Organizing Map Program Package. http://www.cis.hut.fi/research/som_pak/. (Accessed July 2 2013)
Bro NSM. http://www.bro.org/. (Accessed February 12 2013)
Denning, D.: An intrusion-detection model. IEEE Trans. Softw. Eng. SE–13(2), 222–232 (1987)
Dreger, H., Feldmann, A., Paxson, V., Sommer, R.: Predicting the resource consumption of network intrusion detection systems. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 135–154. Springer, Heidelberg (2008). http://www.dx.doi.org/10.1007/978-3-540-87403-4_8
Erwin, E., Obermayer, K., Schulten, K.: Self-organizing maps: Ordering, convergence properties and energy functions. Biol. Cybern. 67, 47–55 (1992)
Fiore, U., Palmieri, F., Castiglione, A., Santis, A.D.: Network anomaly detection with the restricted boltzmann machine. Neurocomputing Adv. Cogn. Ubiquitous Comput. 122, 13–23 (2013). http://www.sciencedirect.com/science/article/pii/S0925231213005547. Advances in cognitive and ubiquitous computing
Goldenberg, N., Wool, A.: Accurate modeling of modbus/tcp for intrusion detection in SCADA systems. Int. J. Crit. Infrastruct. Prot. 6(2), 63–75 (2013). http://www.sciencedirect.com/science/article/pii/S1874548213000243
Gonzalez, J.M., Paxson, V.: Enhancing network intrusion detection with integrated sampling and filtering. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 272–289. Springer, Heidelberg (2006). doi:10.1007/11856214_14. http://dx.doi.org/10.1007/11856214_14
Hadeli, H., Schierholz, R., Braendle, M., Tuduce, C.: Leveraging determinism in industrial control systems for advanced anomaly detection and reliable security configuration. In: IEEE Conference on Emerging Technologies Factory Automation, ETFA 2009, pp. 1–8 (2009)
Hu, W., Xie, D., Tan, T., Maybank, S.: Learning activity patterns using fuzzy self-organizing neural network. IEEE Trans. Syst. Man Cybern. Part B Cybern. 34(3), 1618–1626 (2004)
Kayacik, H., Zincir-Heywood, A., Heywood, M.: A hierarchical som-based intrusion detection system. Eng. Appl. Artif. Intell 20(4), 439–451 (2007). http://dx.doi.org/10.1016/j.engappai.2006.09.005
Knapp, E.: Industrial network security: securing critical infrastructure networks for smart grid, SCADA, and other industrial control systems. Elsevier Science (2011). http://books.google.fi/books?id=Et9u-mxq0B4C
Kohonen, T., Schroeder, M.R., Huang, T.S. (eds.): Self-Organizing Maps. Springer, New York (2001)
Lee, S., Heinbuch, D.: Training a neural-network based intrusion detector to recognize novel attacks. IEEE Trans. Syst. Man Cybern. Part A Syst. Hum. 31(4), 294–299 (2001)
Lin, H., Slagell, A., Di Martino, C., Kalbarczyk, Z., Iyer, R.K.: Adapting bro into scada: building a specification-based intrusion detection system for the dnp3 protocol. In: Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop, CSIIRW 2013, pp. 5:1–5:4. ACM, New York (2013). http://doi.acm.org/10.1145/2459976.2459982
Linda, O., Vollmer, T., Manic, M.: Neural network based intrusion detection system for critical infrastructures. In: Proceedings of the 2009 International Joint Conference on Neural Networks, IJCNN 2009, pp. 102–109. IEEE Press, Piscataway (2009). http://dl.acm.org/citation.cfm?id=1704175.1704190
Mantere, M., Uusitalo, I., Sailio, M., Noponen, S.: Challenges of machine learning based monitoring for industrial control system networks. In: 2012 26th International Conference on Advanced Information Networking and Applications Workshops, March 2012
Mantere, M., Sailio, M., Noponen, S.: Network traffic features for anomaly detection in specific industrial control system network. Future Internet 5(4), 460–473 (2013). http://www.mdpi.com/1999-5903/5/4/460
Mantere, M., Sailio, M., Noponen, S.: A module for anomaly detection in ics networks. In: Proceedings of the 3rd International Conference on High Confidence Networked Systems, HiCoNS 2014, pp. 49–56. ACM, New York (2014). http://doi.acm.org/10.1145/2566468.2566478
Nessus Vulnerability Scanner. http://www.tenable.com/products/nessus/. Accessed 2 January 2014
Nikto2 Web Server Scanner. https://www.cirt.net/nikto2/. Accessed 3 February 2014
Nmap Network Security Scanner. http://www.nmap.org/. Accessed 2 July 2013
Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999). http://www.sciencedirect.com/science/article/pii/S1389128699001127
PrintoCent. http://www.printocent.net. (Accessed 6 January 2013)
Ramadas, M., Ostermann, S., Tjaden, B.C.: Detecting anomalous network traffic with self-organizing maps. In: Vigna, G., Kruegel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 36–54. Springer, Heidelberg (2003)
Sarasamma, S., Zhu, Q., Huff, J.: Hierarchical kohonenen net for anomaly detection in network security. IEEE Trans. Syst. Man Cybern. Part B: Cybern. 35(2), 302–312 (2005)
Sommer, R., Paxson, V.: Exploiting independent state for network intrusion detection. In: Proceedings of the 21st Annual Computer Security Applications Conference, ACSAC 2005, pp. 59–71. IEEE Computer Society, Washington, DC (2005). http://dx.doi.org/10.1109/CSAC.2005.24
Sommer, R., Paxson, V.: Outside the closed world: On using machine learning for network intrusion detection. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 305–316, May 2010
Tcpdump. http://www.tcpdump.org/. (Accessed 6 July 2013)
Thottan, M., Ji, C.: Anomaly detection in ip networks. IEEE Trans. Sig. Process. 51(8), 2191–2204 (2003)
Vallentin, M., Sommer, R., Lee, J., Leres, C., Paxson, V., Tierney, B.: The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 107–126. Springer, Heidelberg (2007)
Weaver, N., Paxson, V., Sommer, R.: Work in progress: Bro-lan pervasive network inspection and control for lan traffic. In: Securecomm and Workshops, pp. 1–2 August 28–September 1 2006 (2006)
Wireshark. http://www.wireshark.org/. (Accessed 5 February 2013)
Yang, D., Usynin, A., Hines, J.: Anomaly-based intrusion detection for scada systems. In: Proceedings of the 5th International Topical Meeting on Nuclear Plant Instrumentation, Control and Human Machine Interface Technologies. NPIC&HMIT 05 (2006)
Acknowledgments
The research presented in this paper was mainly done as a collaborative effort in two research projects at VTT: VTT funded project called INCYSE or Industrial Cyber Security Endeavour and SASER, which is a Celtic+ project funded by TEKES in Finland.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Mantere, M., Sailio, M., Noponen, S. (2015). Detecting Anomalies in Printed Intelligence Factory Network. In: Lopez, J., Ray, I., Crispo, B. (eds) Risks and Security of Internet and Systems. CRiSIS 2014. Lecture Notes in Computer Science(), vol 8924. Springer, Cham. https://doi.org/10.1007/978-3-319-17127-2_1
Download citation
DOI: https://doi.org/10.1007/978-3-319-17127-2_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17126-5
Online ISBN: 978-3-319-17127-2
eBook Packages: Computer ScienceComputer Science (R0)