Cyber-Critical Infrastructure Protection Using Real-Time Payload-Based Anomaly Detection

  • Patrick Düssel
  • Christian Gehl
  • Pavel Laskov
  • Jens-Uwe Bußer
  • Christof Störmann
  • Jan Kästner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6027)


With increasing demand for inter-connectivity and protocol standardization, modern cyber-critical infrastructures are exposed to a multitude of serious threats that may give rise to severe damage to life and assets if proper safeguards are not implemented. We therefore propose a method that is capable of reliably detecting unknown, exploit-based attacks on cyber-critical infrastructures carried out over the network. We illustrate the effectiveness of the proposed method by conducting experiments on network traffic of the kind found in modern industrial control systems. Moreover, we provide results of a throughput measurement which demonstrate the real-time capabilities of our system.







Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Patrick Düssel (1)
  • Christian Gehl (1)
  • Pavel Laskov (1, 2)
  • Jens-Uwe Bußer (3)
  • Christof Störmann (3)
  • Jan Kästner (4)
  1. Fraunhofer Institute FIRST, Intelligent Data Analysis, Berlin, Germany
  2. Siemens AG; University of Tübingen, Wilhelm-Schickard-Institute for Computer Science, Tübingen, Germany
  3. Information and Communications, Corporate Technology, München, Germany
  4. Industrial Automation Systems, Research & Development, Karlsruhe, Germany