International Journal of Information Security

, Volume 11, Issue 4, pp 231–251 | Cite as

A log mining approach for process monitoring in SCADA

  • Dina HadžiosmanovićEmail author
  • Damiano Bolzoni
  • Pieter H. Hartel
Open Access
Regular Contribution


SCADA (supervisory control and data acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions, which look legitimate, but which are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach of log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.


ICS SCADA Security SCADA log Log analysis Frequent pattern mining Process related threat HAZOP PHEA MELISSA 


Open Access

This article is distributed under the terms of the Creative Commons Attribution License which permits any use, distribution, and reproduction in any medium, provided the original author(s) and the source are credited.


  1. 1.
    Agrawal, R., Srikant, R.: Fast algorithms for mining association rules in large databases. In: Bocca, J.B., Jarke, M., Zaniolo, C. (eds.) In: Proceedings of the 20th International Conference on VLDB, pp. 487–499. Morgan Kaufmann (1994)Google Scholar
  2. 2.
    Balducelli C., Lavalle L., Vicoli G.: Novelty detection and management to safeguard information-intensive critical infrastructures. Int. J. Emerg. Manag. 4(1), 88–103 (2007)CrossRefGoogle Scholar
  3. 3.
    Begnum K., Burgess M.: Principle components and importance ranking of distributed anomalies. Mach. Learn. 58, 217–230 (2005)zbMATHCrossRefGoogle Scholar
  4. 4.
    Bellettini, C., Rrushi, J.: Vulnerability analysis of SCADA protocol binaries through detection of memory access taintedness. In: John Hill, L.T.C. (ed.) Proceedings of 8th IEEE SMC Information Assurance Workshop, pp. 341–348. IEEE Press (2007)Google Scholar
  5. 5.
    Bigham J., Gamez D., Lu, N.: Safeguarding SCADA systems with anomaly detection. In: Proceedings of 2nd International Workshop on Mathematical Methods, Models and Architectures for Computer Network Security, LNCS 2776, pp. 171–182. Springer (2003)Google Scholar
  6. 6.
    Brijs, T., Geurts, K., Wets, G., Vanhoof, K.: Profiling high frequency accident locations using association rules. In: Proceedings of 82nd Annual Transportation Research Board, Washington DC (USA), pp. 123–130. Transportation Research Board (2003)Google Scholar
  7. 7.
    Burdick D., Calimlim M., Flannick J., Gehrke J., Yiu T.: MAFIA: A maximal frequent itemset algorithm. IEEE Trans. Knowl. Data Eng. 17, 1490–1504 (2005)CrossRefGoogle Scholar
  8. 8.
    Burns, L., Hellerstein, J.L., Ma, S., Perng, C.S., Rabenhorst, D.A., Taylor, D.J.: Towards discovery of event correlation rules. In: Proceedings of IEEE/IFIP International Symposium on Integrated Network Management, pp. 345–359 (2001)Google Scholar
  9. 9.
    Control Systems Security Program. Common cybersecurity vulnerabilities in industrial control systems. U.S. Department of Homeland Security (2011)Google Scholar
  10. 10.
    Goethals, B., Zaki, M. (eds.): FIMI ’03, Frequent itemset mining implementations, Florida, USA, vol. 90 of CEUR Workshop Proceedings (2003)Google Scholar
  11. 11.
    Grahne G., Zhu J.: Fast algorithms for frequent itemset mining using FP-Trees. IEEE Trans. Knowl. Data Eng. 17, 1347–1362 (2005)CrossRefGoogle Scholar
  12. 12.
    Han J., Kamber M.: Data mining concepts and techniques, 2 pap edn. Morgan Kaufmann, San Francisco, CA (2006)Google Scholar
  13. 13.
    Hellerstein J.L., Ma S., Perng C.-S.: Discovering actionable patterns in event data. IBM Syst. J. 41, 475–493 (2002)CrossRefGoogle Scholar
  14. 14.
    Hieb J., Graham J., Guan J.: An ontology for identifying cyber intrusion induced faults in process control systems. In: Palmer, C., Shenoi, S. (eds.) Critical Infrastructure Protection III, vol. 311 of IFIP Advances in Information and Communication Technolog, pp. 125–138. Springer, Boston (2009)Google Scholar
  15. 15.
    Julisch, K., Dacier, M.: Mining intrusion detection alarms for actionable knowledge. In: Proceedings of 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD ’02, pp. 366–375. ACM, New York, NY, USA (2002)Google Scholar
  16. 16.
    Lee, W., Stolfo, S.: Data mining approaches for intrusion detection. In: Proceedings of 7th Conference on USENIX Security Symposium—vol. 7, pp. 6–6. Berkeley, CA, USA, USENIX Association (1998)Google Scholar
  17. 17.
    Lim, N., Singh, N., Yajnik, S.: A log mining approach to failure analysis of enterprise telephony systems. In: Proceedings of the IEEE International Conference on Dependable Systems and Networks with FTCS and DCC, pp. 398–403. (2008)Google Scholar
  18. 18.
    Lees F.P.: Less’ Loss Prevention in the Process Industries. 3rd edn. Butterworth-Heinemann, Guildford (2005)Google Scholar
  19. 19.
    Liu, Y., Ning, P., Reiter, M.: False data injection attacks against state estimation in electric power grids. In: Proceedings of 16th ACM Conference on Computer and Communications Security, CCS ’09, pp. 21–32. ACM, New York, NY, USA (2009)Google Scholar
  20. 20.
    Manganaris S., Christensen M., Zerkle D., Hermiz K.: A data mining analysis of RTID alarms. Comput. Netw. 34, 571–577 (2000)CrossRefGoogle Scholar
  21. 21.
    Naedele, M., Biderbost, O.: Human-assisted intrusion detection for process control systems. Accepted for 2nd Int. Conf. on Applied Cryptography and Network Security (ACNS) (2004)Google Scholar
  22. 22.
    Narayanan N.H., Viswanadham N.: A methodology for knowledge acquisition and reasoning in failure analysis of systems. IEEE Trans. Syst. Man Cybern. 17(2), 274–288 (1987)CrossRefGoogle Scholar
  23. 23.
    Oliner, A., Stearley, J.: What supercomputers say: a study of five system logs. In: Proceedings of 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 575–584. (2007)Google Scholar
  24. 24.
    Paxson V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31, 2435–2463 (1999)CrossRefGoogle Scholar
  25. 25.
    Ponemon Institute.: State of it security: Study of utilities and energy companies, 2011.
  26. 26.
    Rantala, R.: Cybercrime against businesses. Technical report, U.S. Dept. of Justice, Office of Justice Programs, Bureau of Justice Statistics, Washington, DC (2004)Google Scholar
  27. 27.
    Rege-Patwardhan A.: Cybercrimes against critical infrastructures: a study of online criminal organization and techniques. Crim. Justice Stud. 22(3), 261–271 (2009)CrossRefGoogle Scholar
  28. 28.
    Rouillard, J.: Real-time log file analysis using the simple event correlator (sec). In: Proceedings of 18th USENIX conference on System administration, pp. 133–150. USENIX Association, Berkeley, CA, USA (2004)Google Scholar
  29. 29.
    Salfner, F., Tschirpke, S.: Error log processing for accurate failure prediction. In: Proceedings of 1st USENIX conference on Analysis of system logs, WASL’08, pp. 4–4. USENIX Association, Berkeley, CA, USA (2008)Google Scholar
  30. 30.
    Salfner, F., Tschirpke, S., Malek, M.: Comprehensive logfiles for autonomic systems. In: Proceedings of 18th International Symposium on Parallel and Distributed Processing, p. 211 (2004)Google Scholar
  31. 31.
    Shaw, W.T.: Cybersecurity for SCADA Systems. PennWell Corp. Tulsa (2006)Google Scholar
  32. 32.
    Slay J., Miller M.: Lessons learned from the maroochy water breach. In: Goetz, E., Shenoi, S. (eds.) Critical Infrastructure Protection, vol. 253 of IFIP International Federation for Information Processing, pp. 73–82. Springer, Boston (2007)Google Scholar
  33. 33.
    Srivatanakul, T., Clark, J., Polack, F.: Effective security requirements analysis: Hazop and use cases. In: Information Security: 7th International Conference, LNCS 3225, pp. 416–427. Springer (2004)Google Scholar
  34. 34.
    Stouffer, K., Falco, J., Scarfone, K.: Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82. National Institute of Standards and Technology (2011)Google Scholar
  35. 35.
    Vaarandi, R.: Tools and technigues for event log analysis. PhD thesis, Tallinn University of Technology (2005)Google Scholar
  36. 36.
    Winther, R., Johnsen, O., Gran, B.: Security assessments of safety critical systems using hazops. In: SAFECOMP ’01: Proceedings of 20th International Conference on Computer Safety, Reliability and Security, LNCS 2187, pp. 14–24. Springer, London, UK (2001)Google Scholar
  37. 37.
    Xu, W., Huang, L., Fox, A., Patterson, D., Jordan, M.: Mining console logs for large-scale system problem detection. In: Proceedings of 3rd Conference on Tackling Computer Systems Problems with Machine Learning Techniques, SysML’08, pp. 4–4. USENIX Association, Berkeley, CA, USA (2008)Google Scholar

Copyright information

© The Author(s) 2012

Authors and Affiliations

  • Dina Hadžiosmanović
    • 1
    Email author
  • Damiano Bolzoni
    • 1
  • Pieter H. Hartel
    • 1
  1. 1.University of TwenteEnschedeThe Netherlands

Personalised recommendations