  • Regular Contribution
  • Open Access
  • Published: 21 April 2012

A log mining approach for process monitoring in SCADA

  • Dina Hadžiosmanović1,
  • Damiano Bolzoni1 &
  • Pieter H. Hartel1 

International Journal of Information Security volume 11, pages 231–251 (2012)

  • 3991 Accesses

  • 48 Citations

  • 1 Altmetric


Abstract

SCADA (supervisory control and data acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions that look legitimate but are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated log-processing approach. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.
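The abstract states the goal (flag legitimate-looking user actions that deviate from the normal process workflow) but not the mechanism; the keywords name frequent pattern mining. The block below is an added illustration of that general idea, written for this page and not the authors' MELISSA implementation: it parses constructed SCADA user-action log lines (hypothetical four-field format), counts how often each (user, action, target) pattern occurs, and hands the rarest patterns to an analyst for review. The log format, field names and sample values are all assumptions.

```python
"""Frequency-based mining of SCADA user-action logs (added illustration).

Assumed, hypothetical log format: one event per line,
    <timestamp> <user> <action> <target>
Rare (user, action, target) combinations are surfaced for manual review;
this is not the paper's own code or log format.
"""
import re
from collections import Counter

# Constructed sample log: a few routine operator actions repeated,
# plus two one-off events that an analyst would want to look at.
SAMPLE_LOG = """\
2012-03-01T08:00:05 operator1 SET_SETPOINT pump_P3
2012-03-01T08:15:12 operator1 ACK_ALARM tank_T1
2012-03-01T08:30:44 operator2 SET_SETPOINT pump_P3
2012-03-01T09:02:10 operator1 SET_SETPOINT pump_P3
2012-03-01T09:20:31 operator1 ACK_ALARM tank_T1
2012-03-01T10:05:00 operator1 DISABLE_ALARM tank_T1
2012-03-01T10:40:27 operator2 SET_SETPOINT pump_P3
2012-03-01T11:00:03 operator1 SET_SETPOINT pump_P3
2012-03-01T11:45:59 engineer2 WRITE_PLC_PROGRAM plc_main
2012-03-01T12:10:18 operator1 ACK_ALARM tank_T1
2012-03-01T12:55:41 operator1 SET_SETPOINT pump_P3
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Parse log text into (timestamp, user, action, target) tuples.

    Malformed lines raise rather than being silently dropped, so a
    change in the log format cannot hide events from the analysis.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(match.groups())
    return events


def pattern_counts(events):
    """Count each (user, action, target) pattern, ignoring the timestamp."""
    return Counter((user, action, target) for _, user, action, target in events)


def rank_rare_patterns(events, max_support):
    """Return [(pattern, count)] for patterns seen at most max_support times.

    Rarest patterns come first; ties are broken by the pattern itself so
    the output is deterministic for the analyst's review list.
    """
    counts = pattern_counts(events)
    rare = [(pattern, n) for pattern, n in counts.items() if n <= max_support]
    rare.sort(key=lambda item: (item[1], item[0]))
    return rare


def events_for_pattern(events, pattern):
    """Timestamps at which a given (user, action, target) pattern occurred."""
    return [ts for ts, user, action, target in events
            if (user, action, target) == pattern]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for pattern, n in rank_rare_patterns(evs, max_support=1):
        print(n, pattern, events_for_pattern(evs, pattern))
```

With `max_support=1` the two one-off events (the alarm being disabled and the PLC program write) are listed for review while the routine setpoint changes and alarm acknowledgements are not. The support threshold, and the choice of which log fields form a pattern, are the tuning knobs an analyst would adjust per plant.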


Open Access

This article is distributed under the terms of the Creative Commons Attribution License which permits any use, distribution, and reproduction in any medium, provided the original author(s) and the source are credited.

Author information

Authors and Affiliations

  1. University of Twente, Enschede, The Netherlands

    Dina Hadžiosmanović, Damiano Bolzoni & Pieter H. Hartel


Corresponding author

Correspondence to Dina Hadžiosmanović.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (https://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


About this article

Cite this article

Hadžiosmanović, D., Bolzoni, D. & Hartel, P.H. A log mining approach for process monitoring in SCADA. Int. J. Inf. Secur. 11, 231–251 (2012). https://doi.org/10.1007/s10207-012-0163-8


  • Published: 21 April 2012

  • Issue Date: August 2012

  • DOI: https://doi.org/10.1007/s10207-012-0163-8


Keywords

  • ICS
  • SCADA
  • Security
  • SCADA log
  • Log analysis
  • Frequent pattern mining
  • Process related threat
  • HAZOP
  • PHEA
  • MELISSA