State-Based Network Intrusion Detection Systems for SCADA Protocols: A Proof of Concept

  • Andrea Carcano
  • Igor Nai Fovino
  • Marcelo Masera
  • Alberto Trombetta
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6027)


We present a novel Intrusion Detection System able to detect complex attacks to SCADA systems. By complex attack, we mean a set of commands (carried in Modbus packets) that, while licit when considered in isolation on a single-packet basis, interfere with the correct behavior of the system. The proposed IDS detects such attacks thanks to an internal representation of the controlled SCADA system and a corresponding rule language, powerful enough to express the system’s critical states. Furthermore, we detail the implementation and provide experimental comparative results.


Security SCADA systems critical infrastructures IDS 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Nai Fovino, I., Masera, M., Leszczyna, R.: ICT Security Assessment of a Power Plant, a Case Study. In: Proceeding of the Second Int. Conference on Critical Infrastructure Protection, Arlington, USA (March 2008)Google Scholar
  2. 2.
    Carcano, A., Nai Fovino, I., Masera, M., Trombetta, A.: Scada Malware, a proof of Concept. In: Proceeding of the 3rd International Workshop on Critical Information Infrastructures Security, Rome, October 2008, pp. 13–15 (2008)Google Scholar
  3. 3.
    East, S., Butts, J., Papa, M., Shenoi, S.: A Taxonomy of Attacks on the DNP3 Protocol. In: Proceeding of the Third Int. Conference on Critical Infrastructure Protection, Hannover, NH, USA (March 2009)Google Scholar
  4. 4.
    Denning, D.E.: An Intrusion-Detection Model. IEEE Transactions on Software Engineering SE-13(2), 222–232 (1987)CrossRefGoogle Scholar
  5. 5.
    Roesch, M.: Snort -Lightweight Intrusion Detection for Networks. In: Proceedings of LISA 1999: 13th Systems Administration Conference, Seattle, Washington, USA, November 1999, pp. 7–12 (1999)Google Scholar
  6. 6.
  7. 7.
    Gross, P., Parekh, J., Kaiser, G.: Secure Selecticast for collaborative Intrusion Detection systems. In: Proceedings of the International Workshops on DEBS (2004)Google Scholar
  8. 8.
    Yegneswaran, V., Barford, P., Jha, S.: Global Intrusion Detection in the Domino Overlay System. In: Proceedings of the 11th ANDSSS Conference (2004)Google Scholar
  9. 9.
    Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proc. Security and Privacy (2002)Google Scholar
  10. 10.
    Nai Fovino, I., Masera, M.: A service oriented approach to the assessment of Infrastructure Security. In: Proceeding of the First Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, Dartmouth College, Hanover, New Hampshire, USA, March 2007, pp. 19–21 (2007)Google Scholar
  11. 11.
    Nai Fovino, I., Masera, M.: Emergent Disservices in Interdependent Systems and System-of-Systems. In: Proceeding of the IEEE Conference on Systems, Man and Cybernetics, Taipei, October 2006, pp. 8–11 (2006)Google Scholar
  12. 12.
    Masera, M., Nai Fovino, I.: Models for security assessment and management. In: Proceeding of the International Workshop on Complex Network and Infrastructure Protection (2006)Google Scholar
  13. 13.
    Nai Fovino, I., Masera, M.: Modelling Information Assets for Security Risk Assessment in Industrial settings. In: Proceeding of the 15th EICAR Annual Conference, Hambourg (2006)Google Scholar
  14. 14.
    Ning, P., Cui, Y., Reeves, D.S.: Constructing Attack Scenarios through Correlation of Intrusion Alerts. In: Proceedings of the ACM Conference on Computer and Communications Security, Washington, D.C, November 2002, pp. 245–254 (2002)Google Scholar
  15. 15.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Andrea Carcano
    • 2
  • Igor Nai Fovino
    • 1
  • Marcelo Masera
    • 1
  • Alberto Trombetta
    • 2
  1. 1.Joint Research CentreInstitute for the Protection and Security of the CitizenIspraItaly
  2. 2.University of InsubriaVareseItaly

Personalised recommendations