Posted: 22-Dec-2015
SCADA-specific Intrusion Detection/Prevention Systems - a Survey & Taxonomy
Bonnie Zhu, Shankar Sastry
EECS, UC Berkeley
1st SCS Workshop, KTH, April 12th, 2010
SCADA-specific IDS 3

What is IDS
- An intrusion alarm coupled with a security response.
- "Prevention is best combined with detection and response."
Why SCADA-specific IDS
- Hard real-time, 24 x 7, timeliness
- Legacy systems without fully retrofitting
- Field knowledge
SCADA System Abstraction
- One center, one communication network, data
[Figure: a SCADA center linked over communication links to a plant. The controller's inputs u1, u2, ..., um drive Actuator 1, Actuator 2, ..., Actuator m; Sensor 1, Sensor 2, ..., Sensor n return outputs y1, y2, ..., yn over the communication links.]
Definitions
- Fault
- Anomaly
- Misuse
- Noise
- False alarm
- Missed detection
Taxonomy on IDS
Approach      | Knowledge-based or Behavioral-based | Basis                      | Attacks Detected           | Generalization
Signature     | Knowledge                           | Misuse                     | Known                      | No
Anomaly       | Knowledge                           | Learned models of normal   | Must appear anomalous      | Yes
Probabilistic | Knowledge                           | Model learning             | Match patterns of misuse   | Some
Specification | Hybrid                              | Construct normal model     | Must violate specs         | Yes
Behavioral    | Behavioral                          | Capture behavioral pattern | Match patterns of behavior | Yes
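Added example, not code from the slides or from any of the surveyed systems: one small detector per taxonomy row for the signature, anomaly and specification approaches, run over a constructed Modbus-style write log and scored with the Definitions slide's terms (false alarm, missed detection). The plant specification (function codes 3 and 6, register values 0..80), the known-misuse signature on function code 8, the 3-sigma anomaly threshold and every record are assumed, constructed values.

```python
"""Signature vs anomaly vs specification detection over a constructed SCADA log."""
from statistics import mean, stdev

# Constructed records: (function_code, register, value), Modbus-style writes.
# Normal operation: function 6 writes to register 40001 near a set point of 50.
NORMAL = [(6, 40001, v) for v in (48, 50, 51, 49, 50, 52, 50, 49, 51, 50)]

# Constructed test stream with ground truth (True = intrusion).
TEST = [
    ((6, 40001, 50), False),  # routine write
    ((6, 40001, 49), False),  # routine write
    ((6, 40001, 95), True),   # novel attack: value outside the process spec
    ((8, 0, 1), True),        # attack matching a known signature
    ((6, 40001, 70), False),  # legitimate but rare operator set-point change
    ((6, 40001, 60), True),   # novel attack: in-spec value, unusual for this plant
]

# Signature approach: knowledge of known misuse only (None = wildcard field).
KNOWN_MISUSE = [(8, None, None)]  # assumed signature for this constructed plant
def signature(rec):
    return any(all(p is None or p == f for p, f in zip(sig, rec))
               for sig in KNOWN_MISUSE)

# Anomaly approach: a model of normal learned from NORMAL; an unseen function
# code or a value beyond 3 sigma must appear anomalous to be detected.
_codes = {r[0] for r in NORMAL}
_mu, _sigma = mean(r[2] for r in NORMAL), stdev(r[2] for r in NORMAL)
def anomaly(rec):
    return rec[0] not in _codes or abs(rec[2] - _mu) > 3 * _sigma

# Specification approach: hand-written spec of allowed behaviour (assumed plant
# spec: read/write codes 3 and 6, register values within 0..80). Only spec
# violations are detected, so an in-spec manipulation passes.
ALLOWED_CODES, VALUE_RANGE = {3, 6}, (0, 80)
def specification(rec):
    return rec[0] not in ALLOWED_CODES or not VALUE_RANGE[0] <= rec[2] <= VALUE_RANGE[1]

def evaluate(detector, stream=TEST):
    """Count false alarms (flagged normal) and missed detections (unflagged intrusion)."""
    fa = sum(1 for rec, bad in stream if detector(rec) and not bad)
    md = sum(1 for rec, bad in stream if not detector(rec) and bad)
    return {"false_alarms": fa, "missed_detections": md}

if __name__ == "__main__":
    for d in (signature, anomaly, specification):
        print(f"{d.__name__:14s} {evaluate(d)}")
```

On this stream the signature detector misses both novel attacks, the anomaly detector catches everything but raises a false alarm on the rare legitimate set-point change, and the specification detector misses the in-spec manipulation, which is the generalization trade-off the taxonomy table summarizes.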
What has been done – the Survey
9 systems compared:
- PVAEB: Probabilistic validation of attack-effect bindings
- IBM NADS: Network Based Anomaly Solution
- SRI Modbus: Model based
- WFBNI: Workflow-Based Non-Intrusive
- SHARP: Security-Hardened Attack Resistant Platform
- IDEM: Intrusion Detection and Event Monitoring
- AAKRSPRT: Auto-Associative Kernel Regression SPRT
- EMISDS: Embedded Middleware-level Intrusion Detection System
- MAACEFE: Multi-Agent using Ant Clustering Effective Feature Extraction
Detection Method Comparison
Name       | Type                               | Intrusion only    | Method
PVAEB      | Anomaly                            | Fault + Intrusion | SEM, BBN, SAN
IBM NADS   | Anomaly, behavioral, specification | N/A               | Net flow matching
SRI Modbus | Specification, probabilistic       | Extensible        | Descriptive statistics, simple rule based
WFBNI      | Signature                          | Fault + Intrusion | Matching fault model
SHARP      | Specification                      | Extensible        | N/A
IDEM       | Signature                          | Yes               | N/A
AAKRSPRT   | Anomaly                            | Yes               | AAKR, SPRT, pattern matching
EMISDS     | Anomaly, specification, signature  | Yes               | Simple rule based, sliding window
MAACUFE    | Anomaly                            | Yes               | AACM, PCA
Metrics for SCADA-suitability
Proposed a set of 16 variables:
- Self-security
- Fallacy analysis
- Data set
- Unit of analysis
- ...
Evaluation highlight
Name       | Self-security | Fallacy analysis | Data set   | Threat Model
PVAEB      | Low           | No               | Testbed    | No
IBM NADS   | Low           | No               | N/A        | Outsider, not explicit
SRI Modbus | Medium        | No               | Testbed    | Outsider
WFBNI      | Low           | No               | Simulation | Not explicit
SHARP      | High          | No               | N/A        | One side only
IDEM       | Low           | No               | Testbed    | Unauthorized access
AAKRSPRT   | Low           | No               | Testbed    | Insider & outsider
EMISDS     | Low           | No               | Simulation | No
MAACUFE    | N/A           | Yes              | KDD cup    | Insider & outsider
Discussion
- Voids & deficits
  - Well-considered threat model
  - False alarm/negative rates
- Future directions
  - Reachability analysis, safety sets
  - Protocol analysis, cyber-physical interaction
- Our work-in-progress
  - Judicious Intelligent Executive
Key Characteristics
- Real-time: deadline
- Distributed: synchronization
- Embedded: interaction Software <=> Hardware
Generic Control System
[Figure: block diagram. A Human-Machine Interface (HMI) exchanges set points, control algorithms, parameter constraints and process data with the Controller; Remote Diagnostics and Maintenance also attaches to the Controller. The Controller drives Actuators and reads Sensors on the Controlled Process, which has Process Inputs, Process Outputs and Disturbances.]