NDLI: Accurate modeling of modbus/tcp for intrusion detection in scada systems (extended abstract) (2013).

Please wait, while we are loading the content...

Accurate modeling of modbus/tcp for intrusion detection in scada systems (extended abstract) (2013).

Content Provider	CiteSeerX
Author	Goldenberg, Niv Wool, Avishai
Abstract	Modbus/TCP is used in SCADA networks to communicate between the Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). Therefore, deploying Intrusion Detection Sys-tems (IDS) on Modbus networks is an important security measure. In this paper we introduce a model-based IDS specifically built for Modbus/TCP. Our approach is based on a key observation: Modbus traffic to and from a specific PLC is highly periodic. As a result, we can model each HMI-PLC channel by its own unique deterministic finite automaton (DFA). Our IDS looks deep into the Modbus packets and produces a very detailed model of the traffic. Thus, our method is very sensitive, and is able to flag anomalies such as a message appearing out of its position in the normal sequence, or a message referring to a single unexpected bit. We designed an algorithm to automatically construct the channel's DFA based on about 100 captured messages. A significant contribution is that we tested our approach on a production Modbus system. Despite its high sensitivity, the system enjoyed a super-low false-positive rate: on 5 out of the 7 PLCs we observed a perfect match of the model to the traffic, without a single false alarm for 111 hours. Further, our system successfully flagged real anomalies that were caused by techni-cians troubleshooting the HMI systemand the system also helped uncover one incorrectly configured PLC. 1
File Format	PDF
Publisher Date	2013-01-01
Access Restriction	Open
Subject Keyword	Modbus Tcp Intrusion Detection Scada System Extended Abstract Accurate Modeling Important Security Measure Scada Network Super-low False-positive Rate Key Observation High Sensitivity Modbus Network Real Anomaly Captured Message Single False Alarm Unique Deterministic Finite Automaton Model-based Id Intrusion Detection Sys-tems Human Machine Interface Single Unexpected Bit Specific Plc Production Modbus System Hmi-plc Channel Detailed Model Significant Contribution Programmable Logic Controller Normal Sequence Perfect Match Modbus Packet Modbus Traffic
Content Type	Text
Resource Type	Article

Central Library (ISO-9001:2015 Certified)
Indian Institute of Technology Kharagpur
Kharagpur, West Bengal, India | PIN - 721302

See location in the Map
03222 282435
Mail: support@ndl.gov.in

Sl.	Authority	Responsibilities	Communication Details
1	Ministry of Education (GoI), Department of Higher Education	Sanctioning Authority	https://www.education.gov.in/ict-initiatives
2	Indian Institute of Technology Kharagpur	Host Institute of the Project: The host institute of the project is responsible for providing infrastructure support and hosting the project	https://www.iitkgp.ac.in
3	National Digital Library of India Office, Indian Institute of Technology Kharagpur	The administrative and infrastructural headquarters of the project	Dr. B. Sutradhar bsutra@ndl.gov.in
4	Project PI / Joint PI	Principal Investigator and Joint Principal Investigators of the project	Dr. B. Sutradhar bsutra@ndl.gov.in Prof. Saswat Chakrabarti will be added soon
5	Website/Portal (Helpdesk)	Queries regarding NDLI and its services	support@ndl.gov.in
6	Contents and Copyright Issues	Queries related to content curation and copyright issues	content@ndl.gov.in
7	National Digital Library of India Club (NDLI Club)	Queries related to NDLI Club formation, support, user awareness program, seminar/symposium, collaboration, social media, promotion, and outreach	clubsupport@ndl.gov.in
8	Digital Preservation Centre (DPC)	Assistance with digitizing and archiving copyright-free printed books	dpc@ndl.gov.in
9	IDR Setup or Support	Queries related to establishment and support of Institutional Digital Repository (IDR) and IDR workshops	idr@ndl.gov.in