Detecting Process-Aware Attacks in Sequential Control Systems

  • Oualid Koucham (email author)
  • Stéphane Mocanu
  • Guillaume Hiet
  • Jean-Marc Thiriet
  • Frédéric Majorczyk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10014)


Industrial control systems (ICS) can be subject to highly sophisticated attacks which may lead the process towards critical states. Due to the particular context of ICS, protection mechanisms are not always practical or sufficient. On the other hand, developing a process-aware intrusion detection solution with satisfactory alert characterization remains an open problem. This paper focuses on process-aware attack detection in sequential control systems. We build on results from runtime verification and specification mining to automatically infer and monitor process specifications. Such specifications are represented by sets of temporal safety properties over states and events corresponding to sensors and actuators. The properties are then synthesized as monitors which report violations on execution traces. We develop an efficient specification mining algorithm and use filtering rules to handle the large number of mined properties. Furthermore, we introduce the notion of activity and discuss its relevance to both specification mining and attack detection in the context of sequential control systems. The proposed approach is evaluated in a hardware-in-the-loop setting subject to targeted process-aware attacks. Overall, due to the explicit handling of process variables, the solution provides a better characterization of the alerts and a more meaningful understanding of false positives.
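The pipeline the abstract describes (mine temporal safety properties over sensor and actuator propositions from normal traces, filter the mined set, synthesize each property as a monitor, and report the first violating step so that an alert names the process variables involved) can be illustrated on a toy sequential process. The following Python is an added example and not the paper's code: the tank process, its proposition names (`lvl_lo`, `lvl_hi`, `v_in`, `v_out`, `pump`), the sample traces, the three property patterns used as candidates, and the two filtering rules are all assumptions of this example, not details taken from the paper.

```python
"""Specification mining and runtime monitoring of temporal safety properties
over execution traces of a sequential control system (added example).

A trace is a list of steps; each step is the set of propositions (sensor and
actuator names) that are true at that scan cycle.  Three safety patterns are
mined from traces captured during normal operation, filtered, and then run as
monitors over a new trace.  A monitor reports the index of the first
violating step, which is what lets an alert name the process variables.
"""
from itertools import combinations, permutations

# Constructed sample traces (not from the paper's test bed): a tank that is
# filled through an inlet valve and emptied by a pump through an outlet valve.
# Propositions: lvl_lo / lvl_hi (level sensors), v_in / v_out (valves), pump.
NORMAL_TRACES = [
    [{"lvl_lo", "v_in"}, {"v_in"}, {"lvl_hi"}, {"lvl_hi", "pump", "v_out"},
     {"pump", "v_out"}, {"lvl_lo"}, {"lvl_lo", "v_in"}],
    [{"lvl_lo"}, {"lvl_lo", "v_in"}, {"v_in"}, {"v_in"}, {"lvl_hi"},
     {"lvl_hi", "pump", "v_out"}, {"pump", "v_out"}, {"lvl_lo"}],
]

# Constructed trace of a process-aware attack: the pump is forced on while
# the tank is still filling (inlet open, high level not reached, outlet shut).
ATTACK_TRACE = [{"lvl_lo", "v_in"}, {"v_in", "pump"}, {"v_in", "pump"},
                {"lvl_hi"}, {"lvl_hi", "pump", "v_out"}, {"pump", "v_out"},
                {"lvl_lo"}]


def monitor(prop, trace):
    """Run the monitor for one property over a trace and return the index of
    the first violating step, or None if the trace is accepted.

    Property encoding (kind, a, b):
      ("always", a, b)      G(a -> b)    a is never true without b
      ("never_both", a, b)  G !(a & b)   a and b are mutually exclusive
      ("precedes", a, b)    !b W a       b never becomes true before a has
    All three are safety properties: a violation is witnessed by a finite
    prefix, so the monitor can stop at the first bad step.
    """
    kind, a, b = prop
    seen_a = False
    for i, step in enumerate(trace):
        if kind == "always" and a in step and b not in step:
            return i
        if kind == "never_both" and a in step and b in step:
            return i
        if kind == "precedes":
            seen_a = seen_a or a in step   # b in the same step as the first a is allowed
            if b in step and not seen_a:
                return i
    return None


def mine(traces):
    """Instantiate every pattern over every pair of propositions and keep the
    instances that no training trace violates."""
    alphabet = sorted(set().union(*(step for t in traces for step in t)))
    candidates = [(kind, a, b) for a, b in permutations(alphabet, 2)
                  for kind in ("always", "precedes")]
    candidates += [("never_both", a, b) for a, b in combinations(alphabet, 2)]
    return {p for p in candidates if all(monitor(p, t) is None for t in traces)}


def filter_props(props, traces):
    """Illustrative filtering rules (assumptions of this example, not the
    paper's rules): drop a property whose triggering proposition is absent
    from some training trace (weak support, likely vacuous), and drop a
    precedence already implied by a mined invariant, since G(b -> a)
    entails !b W a."""
    kept = set()
    for kind, a, b in props:
        trigger = b if kind == "precedes" else a
        if not all(any(trigger in step for step in t) for t in traces):
            continue
        if kind == "precedes" and ("always", b, a) in props:
            continue
        kept.add((kind, a, b))
    return kept


def detect(props, trace):
    """Run all monitors over a trace; each alert carries the step index and
    the violated property, i.e. the process variables involved."""
    alerts = []
    for prop in sorted(props):
        i = monitor(prop, trace)
        if i is not None:
            alerts.append((i, prop))
    return sorted(alerts)


if __name__ == "__main__":
    spec = filter_props(mine(NORMAL_TRACES), NORMAL_TRACES)
    print(f"{len(spec)} properties mined")
    for i, prop in detect(spec, ATTACK_TRACE):
        print(f"step {i}: violation of {prop}")
```

On the constructed traces the miner keeps 17 properties, and the attack trace raises three alerts at step 1, each naming the variables that disagree with the mined specification (pump running without the outlet valve, pump and inlet valve energized together, pump started before the high-level sensor ever tripped). That per-variable characterization, rather than a bare anomaly score, is the kind of alert the abstract argues for; a false positive would likewise show up as a concrete property that the training traces simply never exercised.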


Keywords (machine-generated, not supplied by the authors): Intrusion Detection; Linear Temporal Logic; Safety Property; Execution Trace; Attack Detection



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Oualid Koucham (1, email author)
  • Stéphane Mocanu (1)
  • Guillaume Hiet (2)
  • Jean-Marc Thiriet (1)
  • Frédéric Majorczyk (3)

  1. Univ. Grenoble Alpes, CNRS, Gipsa-lab, Grenoble, France
  2. CIDRE/Inria, CentraleSupélec, Cesson-Sévigné, France
  3. DGA/Inria, Rennes, France
