Anomaly Detection in SCADA Network Traffic
Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Critical infrastructure provides the most important services of modern society: electricity, water and transport. To increase efficiency and to meet new demands from customers, remote monitoring and control of these systems is necessary. This opens new ways for an attacker to reach the Supervisory Control And Data Acquisition (SCADA) systems that control and monitor the physical processes involved, and it increases the need for security features specifically designed for these settings. Anomaly-based detection is a technique well suited to the highly deterministic behaviour of SCADA systems. This thesis uses a combination of two techniques to detect anomalies. The first technique is an automatic whitelist that learns the behaviour of the network flows. The second technique utilizes the differences in arrival times of the network packets. A prototype anomaly detector has been developed in Bro. To analyze the IEC 60870-5-104 protocol, a new parser for Bro was also developed. The resulting anomaly detector was able to achieve a high detection rate for three of the four types of attacks evaluated. The studied methods of detection are promising when used in a highly deterministic setting, such as a SCADA system.
Place, publisher, year, edition, pages
2015. , 53 p.
Identifiers
URN: urn:nbn:se:liu:diva-122680
ISRN: LIU-IDA/LITH-EX-A--15/062--SE
OAI: oai:DiVA.org:liu-122680
DiVA: diva2:871439
Sectra Communications AB
Asplund, Mikael, Senior Lecturer
Nadjm-Tehrani, Simin, Professor