Finding Anomalies in SCADA Logs Using Rare Sequential Pattern Mining

  • Anisur RahmanEmail author
  • Yue Xu
  • Kenneth Radke
  • Ernest Foo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9955)


Pattern mining is a branch of data mining used to discover hidden patterns or correlations among data. We use rare sequential pattern mining to find anomalies in critical infrastructure control networks such as supervisory control and data acquisition (SCADA) networks. As anomalous events occur rarely in a system and SCADA systems’ topology and actions do not change often, we argue that some anomalies can be detected using rare sequential pattern mining. This anomaly detection would be useful for intrusion detection or erroneous behaviour of a system. Although research into rare itemsets mining previously exists, neither research into rare sequential pattern mining nor its applicability to SCADA system anomaly detection has previously been completed. Moreover, since there is no consideration to events order, the applicability to intrusion detection in SCADA is minimal. By ensuring the events’ order is maintained, in this paper, we propose a novel Rare Sequential Pattern Mining (RSPM) technique which is a useful anomaly detection system for SCADA. We compared our algorithm with a rare itemset mining algorithm and found anomalous events in SCADA logs.


Frequent pattern Rare pattern SCADA Generator pattern 


  1. 1.
    Pederson, P., Dudenhoeffer, D., Hartley, S., Permann, M.: Critical infrastructure interdependency modeling: a survey of US and international research. Idaho Natl. Lab. 25, 27 (2006)Google Scholar
  2. 2.
    Cheminod, M., Durante, L., Valenzano, A.: Review of security issues in industrial networks. IEEE Trans. Ind. Inform. 9(1), 277–293 (2013)CrossRefGoogle Scholar
  3. 3.
    Cheung, S., Dutertre, B., Fong, M., Lindqvist, U., Skinner, K., Valdes, A.: Using model-based intrusion detection for SCADA networks. In: Proceedings of the SCADA Security Scientific Symposium, vol. 46, pp. 1–12 (2007)Google Scholar
  4. 4.
    Hadžiosmanovič, D., Bolzoni, D., Hartel, P.H.: A log mining approach for process monitoring in SCADA. Int. J. Inf. Secur. 11(4), 231–251 (2012)CrossRefGoogle Scholar
  5. 5.
    Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A data mining analysis of RTID alarms. Comput. Netw. 34(4), 571–577 (2000)CrossRefGoogle Scholar
  6. 6.
    Clifton, C., Gengo, G.: Developing custom intrusion detection filters using data mining. In: IEEE Proceedings 21st Century Military Communication, vol. 1, pp. 440–443 (2000)Google Scholar
  7. 7.
    Barbara, D., Wu, N., Jajodia, S.: Detecting novel network intrusions using Bayes estimators. In: 1st SIAM Conference on Data Mining, pp. 1–17 (2001)Google Scholar
  8. 8.
    Szathmary, L., Napoli, A., Valtchev, P.: Towards rare itemset mining. In: 19th IEEE International Conference on Tools with Artificial Intelligence (ICTAI 2007), vol. 1, pp. 305–312 (2007)Google Scholar
  9. 9.
    Agrawal, R., Srikant, R.: Mining sequential patterns. In: Proceedings of the 11th International Conference on Data Engineering, pp. 3–14. IEEE (1995)Google Scholar
  10. 10.
    Fournier-Viger, P., Gomariz, A., Šebek, M., Hlosta, M.: VGEN: fast vertical mining of sequential generator patterns. In: Bellatreche, L., Mohania, M.K. (eds.) DaWaK 2014. LNCS, vol. 8646, pp. 476–488. Springer, Heidelberg (2014)Google Scholar
  11. 11.
    Fournier-Viger, P., Gomariz, A., Gueniche, T., Soltani, A., Wu, C., Tseng, V.S.: SPMF: a Java open-source pattern mining library. J. Mach. Learn. Res. (JMLR) 15, 3389–3393 (2014)zbMATHGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Anisur Rahman
    • 1
    Email author
  • Yue Xu
    • 1
  • Kenneth Radke
    • 1
  • Ernest Foo
    • 1
  1. 1.Queensland University of TechnologyBrisbaneAustralia

Personalised recommendations