An HMM-Based Anomaly Detection Approach for SCADA Systems

  • Kyriakos Stefanidis
  • Artemios G. Voyiatzis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9895)


We describe the architecture of an anomaly detection system based on the Hidden Markov Model (HMM) for intrusion detection in Industrial Control Systems (ICS) and especially in SCADA systems interconnected using TCP/IP. The proposed system exploits the unique characteristics of ICS networks and protocols to efficiently detect multiple attack vectors. We evaluate the proposed system in terms of detection accuracy using as reference datasets made available by other researchers. These datasets refer to real industrial networks and contain a variety of identified attack vectors. We benchmark our findings against a large set of machine learning algorithms and demonstrate that our proposal exhibits superior performance characteristics.


Hide Markov Model Anomaly Detection Machine Learning Algorithm Normal Traffic Protocol Data Unit 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was partially supported by the GSRT Action “KRIPIS” of Greece with national and EU funds in the context of the research project “ISRTDI” and the COMET K1-Centres programme line of the Austrian Research Promotion Agency (FFG).


  1. 1.
    Accord.NET: Accord.NET Machine Learning Framework (2016).
  2. 2.
    Ali, M.Q., Al-Shaer, E.: Randomization-based intrusion detection system for advanced metering infrastructure. ACM Trans. Inf. Syst. Secur. 18(2), 7:1–7:30 (2015). CrossRefGoogle Scholar
  3. 3.
    Almalawi, A., Yu, X., Tari, Z., Fahad, A., Khalil, I.: An unsupervised anomaly-based detection approach for integrity attacks on SCADA systems. Comput. Secur. 46, 94–110 (2014). CrossRefGoogle Scholar
  4. 4.
    Ariu, D., Tronci, R., Giacinto, G.: HMMPayl: An intrusion detection system based on Hidden Markov Models. Comput. Secur. 30(4), 221–241 (2011). CrossRefGoogle Scholar
  5. 5.
    Barbosa, R.R.R.: Anomaly detection in SCADA systems: a network based approach. Ph.D. thesis, University of Twente, Enschede, April 2014.
  6. 6.
    Beaver, J.M., Borges-Hink, R.C., Buckner, M.A.: An evaluation of machine learning methods to detect malicious SCADA communications. In: 2013 12th International Conference on Machine Learning and Applications, vol. 2, pp. 54–59 (2013).
  7. 7.
    Caselli, M., Kargl, F.: Sequence-aware intrusion detection in industrial control systems. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security, CPSS 2015, pp. 13–24 (2015)Google Scholar
  8. 8.
    Cisco: Snort (2015).
  9. 9.
    Erez, N., Wool, A.: Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systems. Int. J. Crit. Infrastruct. Prot. 10, 59–70 (2015). CrossRefGoogle Scholar
  10. 10.
    Hadžiosmanović, D., Sommer, R., Zambon, E., Hartel, P.H.: Through the eye of the PLC: semantic security monitoring for industrial processes. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 126–135 (2014).
  11. 11.
    Hsu, J., Mudd, D., Thornton, Z.: Mississippi state university project report - SCADA anomaly detection project summary. Technical report, Mississippi State University (2014).
  12. 12.
    Martí, L., Sanchez-Pi, N., Molina, J., Garcia, A.: Anomaly detection based on sensor data in petroleum industry applications. Sensors 15, 2774–2797 (2015). CrossRefGoogle Scholar
  13. 13.
    Morris, T., Srivastava, A., Reaves, B., Gao, W., Pavurapu, K., Reddi, R.: A control system testbed to validate critical infrastructure protection concepts. Int. J. Crit. Infrastruct. Prot. 4(2), 88–103 (2011). CrossRefGoogle Scholar
  14. 14.
    Ntalampiras, S., Soupionis, Y., Giannopoulos, G.: A fault diagnosis system for interdependent critical infrastructures based on HMMs. Reliab. Eng. Syst. Saf. 138, 73–81 (2015). CrossRefGoogle Scholar
  15. 15.
    Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., Lee, W.: McPAD: a multiple classifier system for accurate payload-based anomaly detection. Comput. Netw. 53(6), 864–881 (2009). CrossRefzbMATHGoogle Scholar
  16. 16.
    Raciti, M., Nadjm-Tehrani, S.: Embedded cyber-physical anomaly detection in smart meters. In: Hämmerli, B.M., Kalstad Svendsen, N., Lopez, J. (eds.) CRITIS 2012. LNCS, vol. 7722, pp. 34–45. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  17. 17.
    Schuster, F., Paul, A.: Potentials of using one-class SVM for detecting protocol-specific anomalies in industrial networks. In: 2015 IEEE Symposium Series on Computational Intelligence, pp. 83–90 (2015)Google Scholar
  18. 18.
    Voyiatzis, A., Katsigiannis, K., Koubias, S.: A Modbus/TCP fuzzer for testing internetworked industrial systems. In: 20th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2015), Luxembourg, 8–11 September 2015Google Scholar
  19. 19.
    Yasakethu, S., Jiang, J.: Intrusion detection via machine learning for SCADA system protection. In: The 1st International Symposium for ICS & SCADA Cyber Security Research, pp. 101–105 (2013)Google Scholar
  20. 20.
    Yoon, M.k., Ciocarlie, G.F.: Communication pattern monitoring: improving the utility of anomaly detection for industrial control systems. In: NDSS Workshop on Security of Emerging Networking Technologies (SENT) (2014)Google Scholar
  21. 21.
    Zhu, B.X.: Resilient control and intrusion detection for SCADA systems. Ph.D. thesis, EECS Department, University of California, Berkeley, May 2014.

Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. 1.Industrial Systems Institute/RC ‘Athena’PatrasGreece
  2. 2.SBA ResearchViennaAustria

Personalised recommendations