Timing-Based Anomaly Detection in SCADA Networks

  • Chih-Yuan LinEmail author
  • Simin Nadjm-TehraniEmail author
  • Mikael Asplund
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10707)


Supervisory Control and Data Acquisition (SCADA) systems that operate our critical infrastructures are subject to increased cyber attacks. Due to the use of request-response communication in polling, SCADA traffic exhibits stable and predictable communication patterns. This paper provides a timing-based anomaly detection system that uses the statistical attributes of the communication patterns. This system is validated with three datasets, one generated from real devices and two from emulated networks, and is shown to have a False Positive Rate (FPR) under 1.4%. The tests are performed in the context of three different attack scenarios, which involve valid messages so they cannot be detected by whitelisting mechanisms. The detection accuracy and timing performance are adequate for all the attack scenarios in request-response communications. With other interaction patterns (i.e. spontaneous communications), we found instead that 2 out of 3 attacks are detected.


SCADA Industrial Control System (ICS) Anomaly detection Traffic periodicity 



This work was completed within RICS: the research centre on Resilient Information and Control Systems ( financed by Swedish Civil Contingencies Agency (MSB). The authors would also like to thank the support by Modio.


  1. 1.
    Bhatia, S., Kush, N., Djamaludin, C., Akane, J., Foo, E.: Practical Modbus flooding attack and detection. In: Proceedings of the Twelfth Australasian Information Security Conference, AISC (2014)Google Scholar
  2. 2.
    Valdes, A., Cheung S.: Communication pattern anomaly detection in process control systems. In: IEEE Conference on Technologies for Homeland Security, HST (2009)Google Scholar
  3. 3.
    Sayegh, N., Elhajj, H.I., Kayssi, A., Chehab, A.: SCADA Intrusion Detection System based on temporal behavior of frequent patterns. In: 17th IEEE Mediterranean Electrotechnical Conference (2014)Google Scholar
  4. 4.
    Barbosa, R.R.R., Sadre, R., Pras, A.: A first look into SCADA network traffic. In: IEEE Network Operations and Management Symposium, NOMS (2012)Google Scholar
  5. 5.
    Barbosa, R.R.R., Sadre, R., Pras, A.: Towards periodicity based anomaly detection in SCADA networks. In: IEEE Conference on Emerging Technologies & Factory Automation (2012)Google Scholar
  6. 6.
    Udd, R., Asplund, M., Nadjm-Tehrani, S., Kazemtabrizi, M., Ekstedt, M.: Exploiting Bro for intrusion detection in a SCADA system. In: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, CPSS (2016)Google Scholar
  7. 7.
    Barbosa, R.R.R., Sadre, R., Pras, A.: Exploiting traffic periodicity in industrial control networks. Int. J. Crit. Infrastruct. Prot. 13, 52–62 (2016)CrossRefGoogle Scholar
  8. 8.
    Yang, Y., McLaughlin, K., Sezer, S., Yuan, Y., Huang, W.: Stateful intrusion detection for IEC 60870-5-104 SCADA security. In: IEEE PES General Meeting (2014)Google Scholar
  9. 9.
    Goldenberg, N., Wool, A.: Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems. Int. J. Crit. Infrastruct. Prot. 6(2), 63–7 (2013)CrossRefGoogle Scholar
  10. 10.
    Kleinmann, A., Wool, A.: Accurate modeling of the siemens S7 SCADA protocol for intrusion detection and digital forensic. J. Digit. Forensics Secur. Law 9(2), 4 (2014)Google Scholar
  11. 11.
    Kleinmann, A., Wool, A.: A statechart-based anomaly detection model for multi-threaded SCADA systems. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds.) CRITIS 2015. LNCS, vol. 9578, pp. 132–144. Springer, Cham (2016). Scholar
  12. 12.
    Kleinmann, A., Wool, A.: Automatic construction of statechart-based anomaly detection models for multi-threaded SCADA via spectral analysis. In: Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy (2016)Google Scholar
  13. 13.
    Caselli, M., Zambon, E., Kargl F.: Sequence-aware intrusion detection in industrial control systems. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security, CPSS (2015)Google Scholar
  14. 14.
    Morris, T.H., Gao, W.: Industrial control system cyber attacks. In: Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research (2013)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Department of Computer and Information ScienceLinköping UniversityLinköpingSweden

Personalised recommendations