Distributed Intrusion Detection System for SCADA Protocols

  • Igor Nai Fovino
  • Marcelo Masera
  • Michele Guglielmi
  • Andrea Carcano
  • Alberto Trombetta
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 342)


This paper presents an innovative, distributed, multilayer approach for detecting known and unknown attacks on industrial control systems. The approach employs process event correlation, critical state detection and critical state aggregation. The paper also describes a prototype implementation and provides experimental results that validate the intrusion detection approach.


Industrial control systems SCADA protocols intrusion detection 


  1. 1.
    A. Carcano, I. Nai Fovino, M. Masera and A. Trombetta, SCADA malware: A proof of concept, presented at the Third International Workshop on Critical Information Infrastructure Security, 2008.Google Scholar
  2. 2.
    F. Cuppens and A. Miege, Alert correlation in a cooperative intrusion detection framework, Proceedings of the IEEE Symposium on Security and Privacy, pp. 202–215, 2002.Google Scholar
  3. 3.
    D. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering, vol. 13(2), pp. 222–232, 1987.CrossRefGoogle Scholar
  4. 4.
    Digital Bond, Modbus TCP IDS signatures, Sunrise, Florida (www.digitalb ond.com/index.php/research/ids-signatures/modbus-tcp-ids-signatures).Google Scholar
  5. 5.
    G. Dondossola, J. Szanto, M. Masera and I. Nai Fovino, Effects of intentional threats to power substation control systems, International Journal of Critical Infrastructures, vol. 4(1/2), pp. 129–143, 2008.CrossRefGoogle Scholar
  6. 6.
    P. Gross, J. Parekh and G. Kaiser, Secure selecticast for collaborative intrusion detection systems, Proceedings of the International Workshop on Distributed Event-Based Systems, 2004.Google Scholar
  7. 7.
    M. Masera and I. Nai Fovino, Modeling information assets for security risk assessment in industrial settings, Proceedings of the Fifteenth EICAR Annual Conference, 2006.Google Scholar
  8. 8.
    M. Masera and I. Nai Fovino, Models for security assessment and management, Proceedings of the International Workshop on Complex Network and Infrastructure Protection, 2006.Google Scholar
  9. 9.
    M. Masera and I. Nai Fovino, A service-oriented approach for assessing infrastructure security, in Critical Infrastructure Protection, E. Goetz and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 367–379, 2007.CrossRefGoogle Scholar
  10. 10.
    M. Masera, I. Nai Fovino and R. Leszczyna, Security assessment of a turbo-gas power plant, in Critical Infrastructure Protection II, M. Papa and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 31–40, 2008.Google Scholar
  11. 11.
    Modbus IDA, MODBUS Application Protocol Specification v1.1a, North Grafton, Massachusetts (www.modbus.org/specs.php), June 4, 2004.Google Scholar
  12. 12.
    Modbus IDA, MODBUS Messaging on TCP/IP Implementation Guide v1.0a, North Grafton, Massachusetts (www.modbus.org/specs.php), June 4, 2004.Google Scholar
  13. 13.
    Modbus.org, MODBUS over Serial Line Specification and Implementation Guide v1.0, North Grafton, Massachusetts (www. modbus.org/specs.php), February 12, 2002.Google Scholar
  14. 14.
    I. Nai Fovino and M. Masera, Emergent disservices in interdependent systems and system-of-systems, Proceedings of the IEEE Conference on Systems, Man and Cybernetics, vol. 1, pp. 590–595, 2006.Google Scholar
  15. 15.
    P. Ning, Y. Cui and D. Reeves, Constructing attack scenarios through correlation of intrusion alerts, Proceedings of the Ninth ACM Conference on Computer and Communications Security, pp. 245–254, 2002.Google Scholar
  16. 16.
    V. Yegneswaran, P. Barford and S. Jha, Global intrusion detection in the DOMINO overlay system, Proceedings of the Network and Distributed System Security Symposium, 2004.Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2010

Authors and Affiliations

  • Igor Nai Fovino
  • Marcelo Masera
  • Michele Guglielmi
  • Andrea Carcano
  • Alberto Trombetta

There are no affiliations available

Personalised recommendations