Statistical Similarity of Critical Infrastructure Network Traffic Based on Nearest Neighbor Distances

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)


Industrial control systems (ICSs) operate a variety of critical infrastructures, such as waterworks and power plants, using cyber-physical systems (CPSs). Abnormal or malicious behavior in these critical infrastructures can pose a serious threat to society. ICS networks tend to be configured such that specific tasks are performed repeatedly, and for a given task the resulting pattern in the ICS network traffic does not vary significantly. As a result, most traffic patterns caused by tasks normally performed in a specific ICS have already occurred in the past, unless the ICS is performing a completely new task. In such environments, an anomaly-based intrusion detection system (IDS) can help detect abnormal or malicious behavior. An anomaly-based IDS learns a statistical model of the normal activities of an ICS. We use nearest-neighbor search (NNS) to learn the patterns caused by normal ICS activities and to identify anomalies. Our method learns the normal behavior of the overall traffic pattern from the number of network packets transmitted and received between pairs of devices over a certain time interval. It uses a geometric noise model with a lognormal distribution to model the randomness in ICS network traffic and learns solutions through cross-validation on random samples. We present a fast algorithm, along with a theoretical analysis of its time complexity, so that the method can be applied in real time to a large-scale ICS. We provide experimental results on various types of large-scale traffic data collected from real ICSs of critical infrastructures.
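A compact illustration of the pipeline the abstract describes, added here as an example and not the authors' code: per-window packet counts for each device pair, a log transform so that multiplicative (lognormal) noise becomes additive, and the nearest-neighbor distance to the learned normal windows. The leave-one-out threshold, the device names, the traffic rates and the packet records are my own simplifications and constructed sample data, not the paper's model or its datasets.

```python
import math
import random

# Device pairs whose packet counts form the feature vector (constructed topology).
PAIRS = [("PLC1", "HMI"), ("HMI", "PLC1"), ("PLC2", "HIST")]
WINDOW_S = 60  # count packets per pair over 60 s intervals

def make_packets(n_windows, rates, sigma=0.1, seed=1):
    """Constructed traffic: per window, each pair sends rate * lognormal-noise packets."""
    rng = random.Random(seed)
    packets = []
    for w in range(n_windows):
        for pair, rate in zip(PAIRS, rates):
            n = max(1, round(rate * rng.lognormvariate(0.0, sigma)))
            packets += [(w * WINDOW_S + rng.uniform(0, WINDOW_S), *pair) for _ in range(n)]
    return sorted(packets)

def count_windows(packets, window_s=WINDOW_S):
    """One feature vector per window: the packet count for each device pair."""
    if not packets:
        return []
    base = int(packets[0][0] // window_s)
    vecs = [[0] * len(PAIRS) for _ in range(int(packets[-1][0] // window_s) - base + 1)]
    for t, src, dst in packets:
        if (src, dst) in PAIRS:
            vecs[int(t // window_s) - base][PAIRS.index((src, dst))] += 1
    return vecs

def log_distance(a, b):
    """Euclidean distance of log(1+count): multiplicative noise becomes additive."""
    return math.sqrt(sum((math.log1p(x) - math.log1p(y)) ** 2 for x, y in zip(a, b)))

def nn_distance(v, reference):
    """Nearest-neighbor distance from window v to the set of normal windows."""
    return min(log_distance(v, r) for r in reference)

def learn_threshold(train, margin=1.5):
    """Leave-one-out NN distance of every normal window; threshold = margin * largest.
    (My stand-in for the paper's cross-validation on random samples.)"""
    loo = [nn_distance(v, train[:i] + train[i + 1:]) for i, v in enumerate(train)]
    return margin * max(loo)

def is_anomalous(v, train, threshold):
    return nn_distance(v, train) > threshold

def demo():
    train = count_windows(make_packets(40, rates=[20, 5, 10]))
    thr = learn_threshold(train)
    normal = [20, 5, 10]    # a typical window
    burst = [20, 100, 10]   # HMI->PLC1 sends twenty times its usual count
    return is_anomalous(normal, train, thr), is_anomalous(burst, train, thr)

if __name__ == "__main__":
    print(demo())  # (False, True)
```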



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. The Affiliated Institute of ETRI, Daejeon, Republic of Korea
  2. Department of Computer Science and Engineering, POSTECH, Pohang, Republic of Korea
