State-Based Network Intrusion Detection Systems for SCADA Protocols: A Proof of Concept

Carcano, Andrea; Fovino, Igor Nai; Masera, Marcelo; Trombetta, Alberto

doi:10.1007/978-3-642-14379-3_12

State-Based Network Intrusion Detection Systems for SCADA Protocols: A Proof of Concept

Andrea Carcano¹⁹,
Igor Nai Fovino¹⁸,
Marcelo Masera¹⁸ &
Alberto Trombetta¹⁹

Conference paper

1791 Accesses
22 Citations

Part of the Lecture Notes in Computer Science book series (LNSC,volume 6027)

Abstract

We present a novel Intrusion Detection System able to detect complex attacks to SCADA systems. By complex attack, we mean a set of commands (carried in Modbus packets) that, while licit when considered in isolation on a single-packet basis, interfere with the correct behavior of the system. The proposed IDS detects such attacks thanks to an internal representation of the controlled SCADA system and a corresponding rule language, powerful enough to express the system’s critical states. Furthermore, we detail the implementation and provide experimental comparative results.

Keywords

Security
SCADA systems
critical infrastructures
IDS

This is a preview of subscription content, access via your institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 74.99; Price excludes VAT (USA)

Softcover Book: USD 99.00; Price excludes VAT (USA)

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Nai Fovino, I., Masera, M., Leszczyna, R.: ICT Security Assessment of a Power Plant, a Case Study. In: Proceeding of the Second Int. Conference on Critical Infrastructure Protection, Arlington, USA (March 2008)
Google Scholar
Carcano, A., Nai Fovino, I., Masera, M., Trombetta, A.: Scada Malware, a proof of Concept. In: Proceeding of the 3rd International Workshop on Critical Information Infrastructures Security, Rome, October 2008, pp. 13–15 (2008)
Google Scholar
East, S., Butts, J., Papa, M., Shenoi, S.: A Taxonomy of Attacks on the DNP3 Protocol. In: Proceeding of the Third Int. Conference on Critical Infrastructure Protection, Hannover, NH, USA (March 2009)
Google Scholar
Denning, D.E.: An Intrusion-Detection Model. IEEE Transactions on Software Engineering SE-13(2), 222–232 (1987)
CrossRef Google Scholar
Roesch, M.: Snort -Lightweight Intrusion Detection for Networks. In: Proceedings of LISA 1999: 13th Systems Administration Conference, Seattle, Washington, USA, November 1999, pp. 7–12 (1999)
Google Scholar
http://www.digitalbond.com/index.php/research/ids-signatures/modbus-tcp-ids-signatures/ (last access 9/04/2009)
Gross, P., Parekh, J., Kaiser, G.: Secure Selecticast for collaborative Intrusion Detection systems. In: Proceedings of the International Workshops on DEBS (2004)
Google Scholar
Yegneswaran, V., Barford, P., Jha, S.: Global Intrusion Detection in the Domino Overlay System. In: Proceedings of the 11th ANDSSS Conference (2004)
Google Scholar
Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proc. Security and Privacy (2002)
Google Scholar
Nai Fovino, I., Masera, M.: A service oriented approach to the assessment of Infrastructure Security. In: Proceeding of the First Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, Dartmouth College, Hanover, New Hampshire, USA, March 2007, pp. 19–21 (2007)
Google Scholar
Nai Fovino, I., Masera, M.: Emergent Disservices in Interdependent Systems and System-of-Systems. In: Proceeding of the IEEE Conference on Systems, Man and Cybernetics, Taipei, October 2006, pp. 8–11 (2006)
Google Scholar
Masera, M., Nai Fovino, I.: Models for security assessment and management. In: Proceeding of the International Workshop on Complex Network and Infrastructure Protection (2006)
Google Scholar
Nai Fovino, I., Masera, M.: Modelling Information Assets for Security Risk Assessment in Industrial settings. In: Proceeding of the 15th EICAR Annual Conference, Hambourg (2006)
Google Scholar
Ning, P., Cui, Y., Reeves, D.S.: Constructing Attack Scenarios through Correlation of Intrusion Alerts. In: Proceedings of the ACM Conference on Computer and Communications Security, Washington, D.C, November 2002, pp. 245–254 (2002)
Google Scholar
http://www.modbus.org/

Download references

Author information

Authors and Affiliations

Joint Research Centre, Institute for the Protection and Security of the Citizen, via E.Fermi 1, 21027, Ispra, Italy
Igor Nai Fovino & Marcelo Masera
University of Insubria, via A.Dunant, 21100, Varese, Italy
Andrea Carcano & Alberto Trombetta

Authors

Andrea Carcano
View author publications
You can also search for this author in PubMed Google Scholar
Igor Nai Fovino
View author publications
You can also search for this author in PubMed Google Scholar
Marcelo Masera
View author publications
You can also search for this author in PubMed Google Scholar
Alberto Trombetta
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Fraunhofer IAIS, Sankt Augustin, Germany
Erich Rome
Centre for Software Reliability, Northampton Square, City University, London, EC1V 0HB, London, UK
Robin Bloomfield

Rights and permissions

Reprints and Permissions

Copyright information

About this paper

Cite this paper

Carcano, A., Fovino, I.N., Masera, M., Trombetta, A. (2010). State-Based Network Intrusion Detection Systems for SCADA Protocols: A Proof of Concept. In: Rome, E., Bloomfield, R. (eds) Critical Information Infrastructures Security. CRITIS 2009. Lecture Notes in Computer Science, vol 6027. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14379-3_12

Download citation

DOI: https://doi.org/10.1007/978-3-642-14379-3_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14378-6
Online ISBN: 978-3-642-14379-3
eBook Packages: Computer ScienceComputer Science (R0)