Detecting Abnormal Behavior in SCADA Networks Using Normal Traffic Pattern Learning

  • Conference paper
Computer Science and its Applications

Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 330)

Abstract

SCADA systems have been upgraded from standard serial bus systems to modern TCP/IP-based systems. The Modbus protocol is one of the most widely used protocols in SCADA networks. However, it provides no inherent security mechanisms. The Modbus protocol is therefore susceptible to attacks that inject false Modbus commands by fabrication or modification. In this paper, we propose an abnormal behavior detection method that uses normal traffic pattern learning on Modbus/TCP transactions. Our approach is based on the characteristic that SCADA networks are likely to have a regular traffic pattern. Above all, the proposed method analyzes only Modbus/TCP request messages. Therefore, it has the benefit of detecting abnormal behavior even with simple traffic pattern learning.
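As an added illustration of request-only pattern learning (not the paper's algorithm, which this page does not detail), the Python below parses Modbus/TCP request ADUs, learns the set of request signatures seen in clean traffic, and flags requests outside that set. The signature fields, the names `parse_request`, `RequestProfile` and `build_request`, and the sample hosts are assumptions made for this example.

```python
import struct

# Function codes whose request PDU is a 2-byte address plus a 2-byte count/value.
ADDR_FCS = {1, 2, 3, 4, 5, 6, 15, 16}
def parse_request(adu: bytes):
    """Return (unit, fc, addr, count) for a Modbus/TCP request, or None if malformed."""
    if len(adu) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    # MBAP: protocol id is 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(adu) - 6:
        return None
    fc = adu[7]
    if fc not in ADDR_FCS:
        return (unit, fc, None, None)
    if len(adu) < 12:
        return None
    addr, count = struct.unpack(">HH", adu[8:12])
    # Single writes (5, 6) carry a process value here; it varies, so do not key on it.
    return (unit, fc, addr, 1 if fc in (5, 6) else count)

class RequestProfile:
    """Hypothetical learner: the set of request signatures seen in clean traffic."""
    def __init__(self):
        self.known = set()
    def learn(self, src, dst, adu):
        sig = parse_request(adu)
        if sig is not None:
            self.known.add((src, dst) + sig)
    def check(self, src, dst, adu):
        sig = parse_request(adu)
        if sig is None:
            return "malformed"
        return "normal" if (src, dst) + sig in self.known else "unseen"

def build_request(tid, unit, fc, addr, count):
    """Build a constructed sample request ADU (address/count function codes)."""
    pdu = struct.pack(">BHH", fc, addr, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

HMI, PLC, ROGUE = "192.0.2.5", "192.0.2.20", "192.0.2.99"  # constructed hosts
def demo():
    p = RequestProfile()
    for tid in range(1, 4):  # training: periodic poll of 10 holding registers
        p.learn(HMI, PLC, build_request(tid, 1, 3, 0, 10))
    return [p.check(HMI, PLC, build_request(9, 1, 3, 0, 10)),       # same poll, new transaction id
            p.check(HMI, PLC, build_request(10, 1, 6, 4, 0xFF)),    # write never seen in training
            p.check(ROGUE, PLC, build_request(11, 1, 3, 0, 10)),    # known request, unknown source
            p.check(HMI, PLC, build_request(12, 1, 3, 0, 10)[:-2])] # truncated ADU
```

The transaction id is excluded from the signature because it changes on every request, so a regular poll collapses to a single learned entry.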



Corresponding author

Correspondence to Byoung-Koo Kim.

Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, BK., Kang, DH., Na, JC., Chung, TM. (2015). Detecting Abnormal Behavior in SCADA Networks Using Normal Traffic Pattern Learning. In: Park, J., Stojmenovic, I., Jeong, H., Yi, G. (eds) Computer Science and its Applications. Lecture Notes in Electrical Engineering, vol 330. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45402-2_18

  • DOI: https://doi.org/10.1007/978-3-662-45402-2_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-45401-5

  • Online ISBN: 978-3-662-45402-2

  • eBook Packages: Engineering, Engineering (R0)
