Exploiting bro for intrusion detection in a SCADA system
KTH, School of Electrical Engineering (EES), Electric power and energy systems.
2016 (English). In: CPSS 2016 - Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, Co-located with Asia CCS 2016, Association for Computing Machinery (ACM), 2016, p. 44-51. Conference paper, Published paper (Refereed)
Abstract [en]

Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly operated with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, together with the legacy aspects, makes adding new security mechanisms in an efficient manner far from trivial. In this paper we study an anomaly detection based approach that enables detecting zero-day malicious threats as well as benign misconfigurations and mishaps. The approach builds on an existing platform (Bro) that lends itself to modular addition of new protocol parsers and event handling mechanisms. As an example we have shown an application of the technique to the IEC 60870-5-104 protocol and tested the anomaly detector with mixed results. The detection accuracy and false positive rate, as well as the real-time response, were adequate for 3 of our 4 created attacks. We also discovered some additional work that needs to be done to an existing protocol parser to extend its reach.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2016. p. 44-51
Keywords [en]
Anomaly detection, Bro, IDS, IEC 60870-5-104, SCADA
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:kth:diva-194572
DOI: 10.1145/2899015.2899028
Scopus ID: 2-s2.0-84978924817
ISBN: 978-145034288-9 (print)
OAI: oai:DiVA.org:kth-194572
DiVA, id: diva2:1043932
Conference
2nd ACM International Workshop on Cyber-Physical System Security, CPSS 2016 Xi'an China 30 May 2016 through
Funder
Swedish Energy Agency
Note

QC 20161101

Available from: 2016-11-01 Created: 2016-10-31 Last updated: 2016-11-01 Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text
Scopus

Authors

Kazemtabrizi, Mehrdad
Ekstedt, Mathias

Organisation

Electric power and energy systems
Computer Systems