Behavior-based approach to misuse detection of a simulated SCADA system - 339
- Department of Nuclear Engineering, University of Tennessee, Knoxville, TN 38996 (United States)
- Oracle Physical Sciences Research Center, San Diego, CA 92121 (United States)
This paper presents the initial findings in applying a behavior-based approach for detection of unauthorized activities in a simulated Supervisory Control and Data Acquisition (SCADA) system. Misuse detection of this type utilizes fault-free system telemetry to develop empirical models that learn normal system behavior. Future monitored telemetry sources that show statistically significant deviations from this learned behavior may indicate an attack or other unwanted actions. The experimental test bed consists of a set of Linux based enterprise servers that were isolated from a larger university research cluster. All servers are connected to a private network and simulate several components and tasks seen in a typical SCADA system. Telemetry sources included kernel statistics, resource usages and internal system hardware measurements. For this study, the Auto Associative Kernel Regression (AAKR) and Auto Associative Multivariate State Estimation Technique (AAMSET) are employed to develop empirical models. Prognostic efficacy of these methods for computer security used several groups of signals taken from available telemetry classes. The Sequential Probability Ratio Test (SPRT) is used along with these models for intrusion detection purposes. The different intrusion types shown include host/network discovery, DoS, brute force login, privilege escalation and malicious exfiltration actions. For this study, all intrusion types tested displayed alterations in the residuals of much of the monitored telemetry and were able to be detected in all signal groups used by both model types. The methods presented can be extended and implemented to industries besides nuclear that use SCADA or business-critical networks. (authors)
- Research Organization:
- American Nuclear Society - ANS, 555 North Kensington Avenue, La Grange Park, IL 60526 (United States)
- OSTI ID:
- 23035433
- Resource Relation:
- Conference: NPIC and HIMIT 2017: 10. International Conference on Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies, San Francisco, CA (United States), 11-15 Jun 2017; Other Information: Country of input: France; 14 refs.; available from American Nuclear Society - ANS, 555 North Kensington Avenue, La Grange Park, IL 60526 (US)
- Country of Publication:
- United States
- Language:
- English
Similar Records
On-Line Monitoring to Detect Sensor and Process Degradation under Normal Operational Transients - 327
Distributed Intrusion Detection System using Semantic-based Rules for SCADA in Smart Grid